
| Subject: | RE: using certificates in Outlook for encryption |
|---|---|
| Date: | Fri, 15 Apr 2005 19:03:19 +0300 |
Ok. I think there is a misunderstanding.
I understand that this is the case under discussion (organizational email).
But a very important thing: when I encrypt an email for you, Outlook uses your
public key from your certificate. So, I must have only your valid encryption
email certificate. In the AD schema, Outlook knows to take this from there.
But what you say is true, generally speaking. For sending you an encrypted
email I must have your certificate. But how I can get it is, I think, another
discussion (or a signed email, or a trusted LDAP of the CA which signed your
certificate and whose address I have, e.g.).
Regards,
Adi
-----Original Message-----
From: Ted LeSueur [mailto:Ted@envoydata.com]
Sent: Friday, April 15, 2005 6:45 PM
To: adrian.floarea@uti.ro; Stegman, William; focus-ms@securityfocus.com
Subject: RE: using certificates in Outlook for encryption
I disagree; your description only takes into account internal or
organizational email. This will not work for external organizations with
whom you wish to communicate; you may want to try this out, Adrian. Try
sending a digitally signed and encrypted email to a person you have never
had a communication with: Outlook will let you sign it, but it will not let
you encrypt it. Why? Because Outlook recognizes that the intended recipient
does not have your public key. For that matter, try sending an encrypted
email to me. One of two things will happen, either Outlook will not let you
send the email encrypted or you can send the file, but I will not be able to
open it because I don't have your public key.
-----Original Message-----
From: Adrian Floarea [mailto:adrian.floarea@uti.ro]
Sent: Friday, April 15, 2005 2:13 AM
To: 'Stegman, William'; focus-ms@securityfocus.com
Subject: RE: using certificates in Outlook for encryption
If you use an AD with the PKI schema, it is not necessary to send an email
with the public key, if you have all the certificates in AD. Outlook knows how
to work with certificates from AD using the GAL. Anyway, if a user receives an
encrypted email, he must also have the certificate for email encryption
installed in his system and in Outlook, along with the private key associated
with it. A very important aspect is that the encryption certificate must be
installed correctly, in order to permit Outlook to have a reference to the
private key.
If you have the certificate in a PKCS#12 file, it must be installed in
Certificates/Current User/Personal. Also, if the user has this certificate on
a smart card, he must use one of the tools for this card to install the
certificates in the system in the same store. Generally, this work is done
automatically by the smart card's software.
Another important issue is that the certificate must have its whole path
(certificate of the issuer, of the root, etc.) valid and installed in the AD
schema or on the local computer. Outlook generally doesn't use certificates
which it can't validate.
And finally, it is not necessary to send your public key to the intended
recipient. It is necessary only in the case that you want the recipient to be
able to send you an encrypted email at some time.
Regards,
Adrian Floarea
Information Security Department
IT&C Division, UTI Systems SA
Bucharest, Romania
Email: adrian.floarea@uti.ro
-----Original Message-----
From: Stegman, William [mailto:Bill.Stegman@transcore.com]
Sent: Thursday, April 14, 2005 5:53 PM
To: focus-ms@securityfocus.com
Subject: using certificates in Outlook for encryption
I have an enterprise PKI setup in our win2k active dir domain, and have been
issuing user certificates for authentication, efs, and email encryption.
I've got wireless working fine with the certs, and signing messages from
outlook works ok too, but when trying to encrypt the messages for others to
view, I'm missing something. Everything I keep reading only brushes over
the fact that you can send your public key in an email message to your
intended recipient so he/she can later read your encrypted messages, but
once I receive that public key through a signed email, there's nothing I can
really do with it as far as I can tell. The messages are being sent to
users who have obtained private keys from the same source, the AD enterprise
CA. I've posted some notes on MS's community newsgroups, but no bites. The
outlook clients range from 2000 to 2003, I've got the certificates
configured in outlook's security tab, I think I'm just missing the public
key part......
Thank you,
William Stegman - Network Administrator
TransCore - Hummelstown
Phone: 717-561-5931
Fax: 717-564-8439
william.stegman@transcore.com
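
Added example, not part of the original thread or written by any of its participants: a PowerShell check of the conditions the thread lists for a certificate that must decrypt received mail (installed in Certificates/Current User/Personal, private key reachable, usable for secure email, chain validates on the local computer). The function name `Test-SmimeEncryptionCert` is hypothetical, and revocation checking is switched off as an assumption so the check runs offline.

```powershell
# Added example: audit Cert:\CurrentUser\My (Certificates/Current User/Personal)
# for certificates that can be used to decrypt S/MIME mail.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection ("Secure Email")

function Test-SmimeEncryptionCert {     # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Enhanced Key Usage: a certificate without this extension is unrestricted.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $SecureEmailOid)

    # Key Usage: RSA encryption certificates need the KeyEncipherment bit.
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $encBit = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $kuOk = (-not $ku) -or (($ku.KeyUsages -band $encBit) -ne 0)

    # Build the path to a trusted root using the local stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline check
    $chainOk = $chain.Build($Cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $Cert.HasPrivateKey   # false: mail to this cert cannot be opened here
        SecureEmailEku  = $ekuOk
        KeyEncipherment = $kuOk
        ChainValid      = $chainOk
        ChainProblems   = $problems             # e.g. UntrustedRoot, NotTimeValid
        UsableToDecrypt = $Cert.HasPrivateKey -and $ekuOk -and $kuOk -and $chainOk
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeEncryptionCert -Cert $_ } |
    Format-List
```

A certificate that shows `HasPrivateKey : False` or a non-empty `ChainProblems` matches the installation and path-validation failures described in the thread.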