Network Security Focus-Microsoft

Re: Signed Email w/Exchange 2003, Windows 2003 PKI

Subject: Re: Signed Email w/Exchange 2003, Windows 2003 PKI
Date: Wed, 25 Aug 2004 11:07:24 -0700

Mark Medici wrote:

| Has anyone on this list implemented digital signatures that validate
| back to a commercial CA (i.e., Verisign) in an Windows 2003/Exchange
| 2003 environment?

Hi Mark,

For an organization of ten, you might do well to use email certificates
issued directly by a CA. I have used the free personal email
certificates from Thawte.
http://www.thawte.com/email/

On the plus side:

- The certificates are free and easy to install.

- Recipients using Outlook are frequently impressed by the nifty little
red badge that appears next to digitally signed messages in the message
list.

- Many recipients do not require special software in order to interpret
the signatures. Outlook, Netscape & Mozilla, Mail.app and others have
that capability built in.

- If the organization applies for and issues the certificates, it
retains the ability to revoke them.

- The certs are signed by a Global CA, which verifies the email address
of the person using the cert.

- S/MIME encrypts attachments as well as the body of the message (PGP
couldn't do this for a long while).


The problems I have run into with X.509 certs:

- Outlook 2002 would sometimes (always?) display the broken signature
icon on a message signed with a Thawte cert because it could not
retrieve the certificate revocation list (CRL) for the CA. Verifying
the message would reveal that the signature was valid, but the validity
of the cert could not be determined. This problem did not appear in
other versions of Outlook, AFAIK.

- Some virus filters interpret the attached certificate as a suspicious
binary. That's pretty rare, but I did run into it from time to time.

- I subscribe to one listserv that would make my messages unreadable to
users of Outlook if I digitally signed them. That was weird.

- Recipients of digitally signed messages who use a mail client that is
not capable of interpreting the signature are confused by the attachment
when they cannot open it.

- In order to get your name in the certificate, you must go through a
multi-party certification process (the Web of Trust) or file a form
notarized by a trusted professional. Kind of neat but a little unwieldy.


HTH

Zac Mutrux

--
Zachary Mutrux
Technology Consultant
CompuMentor



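As an added illustration of the Outlook 2002 symptom described in the reply above (signature verifies, but the cert's revocation status cannot be determined because the CRL is unavailable), the following Go program is example code written for this page, not anything from the thread or from Thawte/Outlook. It uses only the standard library, builds a throwaway CA and an email-protection cert for a constructed address (alice@example.org), and reports the tri-state a client should show; the names CheckSigner, BuildPKI, BuildCRL, must and has are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func has(xs []string, x string) bool { for _, v := range xs { if v == x { return true } }; return false }
// CheckSigner reports "untrusted", "revoked", "valid" or "undetermined". A nil crl models the Outlook 2002
// symptom from the post: the chain verifies but the CRL could not be fetched, so revocation is unknown.
func CheckSigner(leaf, root *x509.Certificate, from string, crl *x509.RevocationList) string {
	roots := x509.NewCertPool(); roots.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	if err != nil || !has(leaf.EmailAddresses, from) { // bad chain, or the CA-verified address is not the From address
		return "untrusted"
	}
	if crl == nil || crl.CheckSignatureFrom(chains[0][1]) != nil { // CRL missing, or not signed by the issuing CA
		return "undetermined"
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "valid"
}
// BuildPKI makes a throwaway CA and an email-protection cert for alice@example.org (constructed test data).
func BuildPKI() (ca, leaf *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Email CA"}, NotBefore: t0,
		NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Alice Example"}, NotBefore: t0,
		NotAfter: t1, EmailAddresses: []string{"alice@example.org"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf, caKey
}
// BuildCRL issues a CRL signed by the CA that lists the given serial numbers as revoked.
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials { t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()}) }
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}
```

A client that collapses "undetermined" into "broken signature" produces exactly the confusing icon the reply describes; keeping the states distinct, and treating a CRL that is missing or not signed by the issuing CA the same way, is the defensible behaviour.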
