At Sunday, July 30, 2006 10:27 AM, Thor (Hammer of God) wrote:
When I said "RMS-enabled applications," I was talking about actually
enabling the applications to use RMS functions by joining the
machines to an RMS infrastructure. Just because I have Outlook
doesn't mean that you can send me an SMTP email and set some
arbitrary permissions on it that prevent me from forwarding it. Now,
if you really want to, you can have a non-RMS, untrusted recipient
receive the message via MSIRMS, but then they have to have a passport
account that you already have explicit knowledge about and they have
to have specific RMS voodoo dolls installed.
Yes, but if you aren't part of the of the RMS infrastructure (whichever
one it might be), you can't access the content in the message -- you
can't even decrypt it to begin with, because you don't have the
necessary certs and policies. So even if you do get a copy of protected
content, it doesn't do you any good -- you can't open it up in a
non-RMS-aware app and circumvent the protection. (If you could, it would
be a useless technology, both from a technical and a legal standpoint).
From that standpoint, an RMS solution *does* have value in protecting
content once it leaves the organization. Ideally, however, the RMS
solution itself will prevent the content from being sent to
non-authorized external users -- but if it doesn't, they're not going to
be able to do much with it unless they work for the NSA. I've got a
couple of RMS-protected documents sitting on my hard drive that I'm
precisely in this situation with, because my RMS extensions aren't
configured properly and I can't get the certs I need to open the
content!
--
Devin L. Ganger Email: deving@3sharp.com
3Sharp LLC Phone: 425.882.1032
15311 NE 90th Street Cell: 425.239.2575
Redmond, WA 98052 Fax: 425.702.8455
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
---------------------------------------------------------------------------
---------------------------------------------------------------------------
