Re: Signed Email w/Exchange 2003, Windows 2003 PKI

zmutrux_at_compumentor.org
Date: 08/25/04

    Date: Wed, 25 Aug 2004 11:07:24 -0700
    To: Focus-MS <focus-ms@securityfocus.com>


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Mark Medici wrote:

    | Has anyone on this list implemented digital signatures that validate
    | back to a commercial CA (i.e., Verisign) in a Windows 2003/Exchange
    | 2003 environment?

    Hi Mark,

    For an organization of ten, you might do well to use email certificates
    issued directly by a CA. I have used the free personal email
    certificates from Thawte.
    http://www.thawte.com/email/

    On the plus side:

    - - The certificates are free and easy to install.

    - - Recipients using Outlook are frequently impressed by the nifty little
    red badge that appears next to digitally signed messages in the message
    list.

    - - Many recipients do not require special software in order to interpret
    the signatures. Outlook, Netscape & Mozilla, Mail.app and others have
    that capability built in.

    - - If the organization applies for and issues the certificates, it
    retains the ability to revoke them.

    - - The certs are signed by a Global CA, which verifies the email address
    of the person using the cert.

    - - S/MIME encrypts attachments as well as the body of the message (PGP
    couldn't do this for a long while).

    The problems I have run into with X.509 certs:

    - - Outlook 2002 would sometimes (always?) display the broken signature
    icon on a message signed with a Thawte cert because it could not
    retrieve the certificate revocation list (CRL) for the CA. Verifying
    the message would reveal that the signature was valid, but the validity
    of the cert could not be determined. This problem did not appear in
    other versions of Outlook, AFAIK.

    - - Some virus filters interpret the attached certificate as a suspicious
    binary. That's pretty rare but I did run into it from time to time.

    - - I subscribe to one listserv that would make my messages unreadable to
    users of Outlook if I digitally signed them. That was weird.

    - - Recipients of digitally signed messages who use a mail client that is
    not capable of interpreting the signature are confused by the attachment
    when they cannot open it.

    - - In order to get your name in the certificate, you must go through a
    multi-party certification process (the Web of Trust) or file a form
    notarized by a trusted professional. Kind of neat but a little unwieldy.

    HTH

    Zac Mutrux

    - --
    Zachary Mutrux
    Technology Consultant
    CompuMentor

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFBLNVZMRwf4YKPPgwRAprmAKCwu2uTWtz3MVMylxfLOkx2BXWkLwCfUUQ2
    qzmrN0LyVaHlYofmEqARZPs=
    =CKI2
    -----END PGP SIGNATURE-----
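The CRL problem Zac describes above (signature verifies, but the client cannot say whether the certificate is still good) is easy to reproduce with OpenSSL. The script below is an added example and is not code from the original post or its author: it builds a throwaway e-mail CA, issues a certificate that carries only an e-mail address, signs a message with S/MIME, and verifies it three ways: with CRL checking required but no CRL reachable, with the CRL supplied, and after the signer's certificate has been revoked. It assumes `openssl` 1.1.1 or 3.x on PATH; every file name, subject and address in it is invented.

```sh
#!/bin/sh
# Added example, not code from the original post or its author. Builds a
# throwaway e-mail CA with OpenSSL, signs a message with S/MIME and checks it
# with and without a CRL, then after revocation. All names are invented;
# assumes `openssl` 1.1.1 or 3.x on PATH.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Minimal config for `openssl req` and for `openssl ca -gencrl` / `-revoke`.
write_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
database           = index.txt
new_certs_dir      = .
serial             = serial
certificate        = ca.crt
private_key        = ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
[ demo_policy ]
commonName         = optional
emailAddress       = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
EOF
    : > index.txt
    echo 01 > serial
}

# (Re)issue the CA's CRL and bundle it with the CA cert for use as -CAfile.
issue_crl() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > ca_with_crl.pem
}

# Self-signed CA plus one end-entity cert holding only an e-mail address,
# like the free personal certificates the post talks about.
make_pki() {
    write_config
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Email CA" -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -sha256 \
        -extfile ca.ext -out ca.crt 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/emailAddress=alice@example.test" -keyout alice.key -out alice.csr 2>/dev/null
    openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -out alice.crt 2>/dev/null
    issue_crl
}

# Sign a constructed message as a detached (multipart/signed) S/MIME message.
sign_message() {
    printf 'Constructed test message, signed at %s\n' "$(date -u)" > msg.txt
    openssl smime -sign -in msg.txt -signer alice.crt -inkey alice.key \
        -out msg.eml 2>/dev/null
}

# verify_message nocrl|crl -> prints valid, no-crl, revoked or invalid.
# "nocrl": -crl_check is on but only the CA cert is available, i.e. the
# Outlook 2002 situation from the post (signature fine, cert status unknown).
# "crl": the CRL is supplied next to the CA cert.
verify_message() {
    case "$1" in
        nocrl) cafile=ca.crt ;;
        crl)   cafile=ca_with_crl.pem ;;
        *)     echo "usage: verify_message nocrl|crl" >&2; return 2 ;;
    esac
    if err=$(openssl smime -verify -in msg.eml -CAfile "$cafile" -crl_check \
                 -out /dev/null 2>&1); then
        echo valid
    elif echo "$err" | grep -q "unable to get certificate CRL"; then
        echo no-crl
    elif echo "$err" | grep -q "certificate revoked"; then
        echo revoked
    else
        echo invalid
    fi
}

# Revoke the signer's cert and publish a fresh CRL; the message is untouched.
revoke_signer() {
    openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
    issue_crl
}

make_pki
sign_message
echo "CRL unreachable:  $(verify_message nocrl)"
echo "CRL available:    $(verify_message crl)"
revoke_signer
echo "after revocation: $(verify_message crl)"
```

The signature bytes never change between the three checks; only the verifier's knowledge of the certificate's status does. A mail client would normally fetch the CRL from the distribution point named in the certificate rather than read it from a local file, which is exactly the step that can fail behind a proxy or on a disconnected machine, and `-crl_check` makes OpenSSL report that failure the way Outlook 2002 did instead of quietly skipping the revocation check.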


