
| Subject: | RE: using certificates in Outlook for encryption |
|---|---|
| Date: | Fri, 15 Apr 2005 08:44:58 -0700 |
I disagree, your description only takes into account internal or organizational email. This will not work for external organizations with whom you wish to communicate; you may want to try this out, Adrian. Try sending a digitally signed and encrypted email to a person you have never had a communication with: Outlook will let you sign it, but it will not let you encrypt it. Why? Because Outlook recognizes that the intended recipient does not have your public key. For that matter, try sending an encrypted email to me. One of two things will happen: either Outlook will not let you send the email encrypted, or you can send the file, but I will not be able to open it because I don't have your public key.

-----Original Message-----
From: Adrian Floarea [mailto:adrian.floarea@uti.ro]
Sent: Friday, April 15, 2005 2:13 AM
To: 'Stegman, William'; focus-ms@securityfocus.com
Subject: RE: using certificates in Outlook for encryption

If you use an AD with PKI schema, it is not necessary to send an email with the public key, if you have all the certificates in AD. Outlook knows how to work with certificates from AD using the GAL.

Anyway, if a user receives an encrypted email, he must also have the certificate for encrypting email installed in his system and in Outlook, and the private key associated with it.

A very important aspect is that the encryption certificate must be installed correctly, in order to permit Outlook to have a reference to the private key. If you have the certificate in a PKCS#12 file, it must be installed in Certificates/Current User/Personal. Also, if the user has this certificate on a smart card, he must use one of the tools for this card to install the certificates in the system in the same store. Generally, this work is done automatically by the software of the smart card.

And another important issue is that the certificate must have all the path (certificate of issuer, of root, etc.) valid and installed in the AD schema or on the local computer. Outlook generally doesn't use certificates which it can't validate.

And finally, it is not necessary to send your public key to the intended recipient. It is necessary only in the case that the recipient will sometime want to send you an encrypted email.

Regards,
Adrian Floarea
Information Security Department
IT&C Division, UTI Systems SA
Bucharest, Romania
Email: adrian.floarea@uti.ro

-----Original Message-----
From: Stegman, William [mailto:Bill.Stegman@transcore.com]
Sent: Thursday, April 14, 2005 5:53 PM
To: focus-ms@securityfocus.com
Subject: using certificates in Outlook for encryption

I have an enterprise PKI set up in our win2k Active Directory domain, and have been issuing user certificates for authentication, EFS, and email encryption. I've got wireless working fine with the certs, and signing messages from Outlook works OK too, but when trying to encrypt the messages for others to view, I'm missing something. Everything I keep reading only brushes over the fact that you can send your public key in an email message to your intended recipient so he/she can later read your encrypted messages, but once I receive that public key through a signed email, there's nothing I can really do with it as far as I can tell. The messages are being sent to users who have obtained private keys from the same source, the AD enterprise CA. I've posted some notes on MS's community newsgroups, but no bites. The Outlook clients range from 2000 to 2003, I've got the certificates configured in Outlook's security tab, I think I'm just missing the public key part......

Thank you,
William Stegman - Network Administrator
TransCore - Hummelstown
Phone: 717-561-5931
Fax: 717-564-8439
william.stegman@transcore.com
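
The client-side conditions listed in Adrian Floarea's message (certificate in Certificates/Current User/Personal, associated private key present, full issuer path valid) can be checked with the PowerShell audit below. It is an added example, not part of the original thread; it assumes Windows PowerShell on the Outlook client, RSA certificates (KeyEncipherment usage), and skips revocation checking so that it runs offline.

```powershell
# Added example: audit certificates in Certificates/Current User/Personal
# for the conditions an S/MIME encryption certificate has to meet.
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email enhanced key usage
$ns = 'System.Security.Cryptography.X509Certificates'

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Enhanced key usage: no EKU extension means "all purposes".
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is ("$ns.X509EnhancedKeyUsageExtension" -as [type]) }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $emailOk = (-not $ekuExt) -or ($ekuOids -contains $secureEmailOid)

    # Key usage: an RSA encryption certificate needs KeyEncipherment
    # (assumption: RSA keys; a signing-only certificate fails this check).
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is ("$ns.X509KeyUsageExtension" -as [type]) }
    $encOk = (-not $kuExt) -or
        [bool]($kuExt.KeyUsages -band ("$ns.X509KeyUsageFlags" -as [type])::KeyEncipherment)

    # Chain: issuer and root must be present and trusted on this machine.
    # Revocation is not checked here (choice made for this example).
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = ("$ns.X509RevocationMode" -as [type])::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey      # required to decrypt received mail
        SecureEmailEku = $emailOk
        CanEncrypt     = $encOk
        InValidity     = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        ChainValid     = $chainOk
        ChainErrors    = $chainErrors
    }
} | Format-List
```

A certificate that shows `HasPrivateKey = False` or `ChainValid = False` matches the installation problems described in the quoted message: the PKCS#12 import or smart card tool did not link the private key, or the issuer and root certificates are not available locally.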