RE: using certificates in Outlook for encryption

From: Ted LeSueur (Ted_at_envoydata.com)
Date: 04/15/05

    Date: Fri, 15 Apr 2005 08:44:58 -0700
    To: <adrian.floarea@uti.ro>, "Stegman, William" <Bill.Stegman@transcore.com>, <focus-ms@securityfocus.com>
    
    

    I disagree; your description only takes into account internal or organizational email. This will not work for external organizations with whom you wish to communicate. You may want to try this out, Adrian. Try sending a digitally signed and encrypted email to a person you have never had a communication with: Outlook will let you sign it, but it will not let you encrypt it. Why? Because Outlook recognizes that the intended recipient does not have your public key. For that matter, try sending an encrypted email to me. One of two things will happen: either Outlook will not let you send the email encrypted, or you can send the file, but I will not be able to open it because I don't have your public key.

    -----Original Message-----
    From: Adrian Floarea [mailto:adrian.floarea@uti.ro]
    Sent: Friday, April 15, 2005 2:13 AM
    To: 'Stegman, William'; focus-ms@securityfocus.com
    Subject: RE: using certificates in Outlook for encryption

    If you use an AD with PKI schema, it is not necessary to send an email
    with the public key, if you have all the certificates in AD. Outlook knows
    how to work with certificates from AD using the GAL. Anyway, if a user
    receives an encrypted email, he must also have the certificate for
    encrypting email installed in his system and in Outlook, along with the
    private key associated with it. A very important aspect is that the
    encryption certificate must be installed correctly, in order to permit
    Outlook to have a reference to the private key.

    If you have the certificate in a PKCS#12 file, it must be installed in
    Certificates/Current User/Personal. Also, if the user has this certificate
    on a smart card, he must use one of the tools for this card to install the
    certificates in the system in the same store. Generally, this work is done
    automatically by the software of the smart card.

    Another important issue is that the certificate must have its whole path
    (certificate of the issuer, of the root, etc.) valid and installed in the
    AD schema or on the local computer. Outlook generally doesn't use
    certificates which it can't validate.

    And finally, it is not necessary to send your public key to the intended
    recipient. It is necessary only in the case that the recipient may sometime
    want to send you an encrypted email.

    Regards,

    Adrian Floarea
    Information Security Department
    IT&C Division, UTI Systems SA
    Bucharest, Romania
    Email: adrian.floarea@uti.ro

    -----Original Message-----
    From: Stegman, William [mailto:Bill.Stegman@transcore.com]
    Sent: Thursday, April 14, 2005 5:53 PM
    To: focus-ms@securityfocus.com
    Subject: using certificates in Outlook for encryption

    I have an enterprise PKI set up in our win2k active dir domain, and have been
    issuing user certificates for authentication, EFS, and email encryption.
    I've got wireless working fine with the certs, and signing messages from
    Outlook works OK too, but when trying to encrypt the messages for others to
    view, I'm missing something. Everything I keep reading only brushes over
    the fact that you can send your public key in an email message to your
    intended recipient so he/she can later read your encrypted messages, but
    once I receive that public key through a signed email, there's nothing I can
    really do with it as far as I can tell. The messages are being sent to
    users who have obtained private keys from the same source, the AD enterprise
    CA. I've posted some notes on MS's community newsgroups, but no bites. The
    Outlook clients range from 2000 to 2003, I've got the certificates
    configured in Outlook's security tab, I think I'm just missing the public
    key part......
     
    Thank you,
     
    William Stegman - Network Administrator
    TransCore - Hummelstown
    Phone: 717-561-5931
    Fax: 717-564-8439
    william.stegman@transcore.com
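
The conditions Adrian's message lists for a usable encryption certificate (present in Certificates/Current User/Personal, bound to a private key, full path validating) can be checked from PowerShell. This is an added example, not part of the thread; the function name `Test-SmimeEncryptionCert` is hypothetical, and the Secure Email EKU check is an assumption about how the certificates were issued.

```powershell
# Added example: audits Cert:\CurrentUser\My (the "Personal" store of the current user).
# Assumption: an S/MIME encryption certificate either carries the Secure Email EKU
# or has no EKU extension at all (no purpose restriction).
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection

function Test-SmimeEncryptionCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Enhanced Key Usage: look for the Secure Email purpose.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $ekuOk   = (-not $eku) -or ($ekuOids -contains $SecureEmailOid)

    # Build the path to a trusted root using the local stores (default policy,
    # which includes an online revocation check, so an unreachable CRL is reported).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chainOk  = $chain.Build($Cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    finally {
        $chain.Reset()
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey      # needed to decrypt received mail
        SecureEmail   = [bool]$ekuOk
        ChainValid    = $chainOk
        ChainProblems = $problems
        Usable        = $Cert.HasPrivateKey -and $ekuOk -and $chainOk
    }
}

# Report on every certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeEncryptionCert -Cert $_ } |
    Format-List
```

A certificate that shows `HasPrivateKey : False` or a non-empty `ChainProblems` value is one that would need to be reinstalled or have its issuer and root certificates added.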
     
