Network Security Focus-Microsoft

Re: PGP and Outlook

Subject: Re: PGP and Outlook
Date: 19 Jan 2005 08:34:50 -0000
In-Reply-To: <41E81E5C.4090000@otc.edu>

Hi Nathaniel,

I can think of three acceptable ways to reach your goal, but I cannot say which 
of them is feasible for you.

I. Make your organisation choose a non-profit CA.

As you probably know, unlimited trust in SSL certificates issued by commercial 
CAs such as the ones you name has security implications by itself.

For further reading on this topic I propose you have a look at this article 
which I like a lot (but I am not affiliated with the author):
http://www.financialcryptography.com/mt/archives/000206.html
Or look at the website by Ian Grigg who also wrote the above article:
http://iang.org/ssl/

That said, you may want to introduce SSL certificates issued by a non-profit CA 
within your organization. I propose you go with http://www.cacert.org for this 
matter. They will, however, not provide sub-CAs (as they could not fully trust 
them, which would decrease the overall trust of their web of trust). I assume 
that CACert's root certificates will be included in the next major releases of 
the major web browsers. 

Alternatively, you can still set up your own CA, of course, as proposed before in 
this thread.


II. Make your short-time employees use SSL certificates used by CACert.

This will not only allow you to use email certificates but also certificates 
for many other uses which will be available free of charge. The drawback about 
this is that you will still need to make your whole organization install the 
CACert root certificate. But this is a one-time job, as easy as clicking on a 
URL. And an enterprise-grade IT management will allow root certificates to be 
passed on within the IT hierarchy in a mostly automated way.


III. Make all of your organization or part of it use a GPG/PGP infrastructure

To use GPG with Outlook, while I do not recommend using Outlook in general (if 
you are lucky enough to be able to choose), I recommend using GPGRelay:

http://sites.inka.de/tesla/gpgrelay.html

To gain a quick understanding of their implementation, have a look at:
http://sites.inka.de/tesla/data/gpgrelay_overview.png

For the additional software it needs, I propose you go with the Nullify builds 
of GPG (achieves broader compatibility - when compared to original GPG - by 
allowing the use of patent-encumbered algorithms) and GPGShell as a UI. 
However, if you prefer to have a look at the source, go with WinPT instead of 
GPGShell.

All of the above solutions are completely free in terms of licensing. The 
initial setup of these may take more time than you would expect if you are mostly 
used to commercial software, though. Nevertheless, the money your organization 
saves short or mid term, the experience and broader view one gets and the (in 
my opinion) increased security from more trustworthy certificate issuers make it 
worth spending a couple of minutes or hours on it.

Hope this helps,

Moritz Naumann

Nathaniel Hall wrote:
I currently am using Thunderbird with Enigmail so 
that I can digitally sign and encrypt e-mail.  Since 
there are only two of us that use Thunderbird in our 
organization, I would like to find a way to use PGP
from within Outlook. 

I am aware that Outlook supports digital IDs from 
Geotrust and Verisign, but I would like to find 
something that will let our students participate in 
using the digital signatures without having to pay 
for one and with the adjunct faculty we hire on a 
per semester basis, the benefit of using digital 
signatures would be overcome by the cost.

Does anybody know of a way to do this for free?
