



Network Security Focus-Microsoft

Re: using certificates in Outlook for encryption

Subject: Re: using certificates in Outlook for encryption
Date: Fri, 15 Apr 2005 14:16:31 -0400

It seems there are a few things being misunderstood in this thread. Of course, I may be one of those misunderstanding, so let me try to clarify.

You have 2 ways to use certificates with email, including Outlook. One is to encrypt, the other is to sign. You (and for encryption, the recipient) must have a certificate which includes a private and a public key.

To encrypt mail to someone else, you must have their public key. The message can only be decrypted by using the recipient's private key. While this does provide privacy (encryption), it does not provide non-repudiation.

To achieve non-repudiation, you would then digitally sign the encrypted message with your private key. The digital signature is a hash (MD5, SHA-1, etc.) of the message, and the hash is then encrypted using your private key. The message will also contain your public key, which can be used to decrypt the hash once it is received. The recipient software will then hash the message and compare the 2 hashes. If they match, the message has not changed and it had to come from you (provided you protect your private key).

So, to get someone your public key you can send them a signed message. Then they can save your public key in their Outlook contact list and in turn send you an encrypted message. I have found that Outlook doesn't always look up the recipient's public key, but having it in the contact list always works. This may be a specific issue with my site; others may have had better luck. There is an option in Outlook to publish your public key to the GAL, but again I have not had predictable results. This is the correct way to do it, so like I said there may be problems with my config.

Anyway, this is how PKI mail encryption and signatures work, if you were interested. Hope this helps.

--Rod
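
The flow described in the message above (encrypt to the recipient's public key, sign the encrypted message with the sender's private key, then verify and decrypt on receipt), as an added illustration that is not part of the original post. It uses textbook unpadded RSA with constructed demo keys; all function and variable names are assumptions made for this sketch, and real S/MIME uses padded RSA plus a symmetric content key.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Return (public, private) as (n, e) and (n, d) for primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

# Constructed demo keys built from known Mersenne primes so the run is
# deterministic. Real certificates carry randomly generated keys.
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def encrypt(plaintext, recipient_pub):
    n, e = recipient_pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this demo key")
    return to_bytes(pow(m, e, n))

def decrypt(ciphertext, recipient_priv):
    n, d = recipient_priv
    return to_bytes(pow(int.from_bytes(ciphertext, "big"), d, n))

def sign(data, signer_priv):
    n, d = signer_priv
    return pow(digest(data), d, n)  # hash transformed with the private key

def verify(data, signature, signer_pub):
    n, e = signer_pub
    return pow(signature, e, n) == digest(data)  # recover hash, compare

def send(plaintext):
    """Sender side: encrypt for the recipient, then sign the ciphertext."""
    ciphertext = encrypt(plaintext, RECIP_PUB)
    return ciphertext, sign(ciphertext, SENDER_PRIV)

def receive(ciphertext, signature):
    """Recipient side: check the sender's signature before decrypting."""
    if not verify(ciphertext, signature, SENDER_PUB):
        raise ValueError("signature check failed")
    return decrypt(ciphertext, RECIP_PRIV)
```

Flipping a single bit of the ciphertext, or checking the signature against a different public key, makes `verify` return `False`, and only the recipient's private key recovers the plaintext.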

