Re: OT: Mystery partially solved (was Microsoft does it again?!)



John E. Hadstate wrote:

> When you send someone a signed message using Outlook or
> Outlook Express, you also send some information that
> specifies what encryption algorithm they should use to
> encrypt a reply to you using your cert.

That information is known as "SMIME capabilities", and is defined
in RFC 2311 (written in 1998, while all the old crypto export control
limitations were in effect, limiting exportable apps to 40 bit symmetric
ciphers).

> In Outlook Express, this is done on the
> Tools...Accounts...Mail...<account>...Security dialog.

Is it necessary to use this dialog for Outlook Express to send
SMIME capabilities that include 3DES?

> When the recipient opens the signed message with Outlook
> Express, there is a "Signed" icon in the upper right hand
> corner of the dialog. Clicking on this icon leads to a
> dialog with a "View Certificates" button. Clicking on this
> button leads to a dialog with a section called "Sender's
> Preferences" that shows, among other things, the preferred
> cipher algorithm specified by the sender as described above.
> There is also an "Add to Address Book" button that you
> *must* click (even if the sender is already in your address
> book) to get the sender's cert and cipher preference stored
> in your address book. Thereafter, when you send an
> encrypted message to the sender, Outlook Express will
> attempt to use the encryption preference stored in the
> address book. (If the sender requested 3DES, 3DES will be
> used.)

> Where I screwed up was that instead of sending myself emails
> from each of my accounts using each of my certs and saving
> the certs from the received messages, I exported all my
> certs to files, and then imported my certs into my address
> book. This apparently created NULL entries for my preferred
> ciphers, so Outlook Express chose 40-bit RC2 (but did warn
> me).

This behavior, using RC2/40 in the absence of stored SMIME capabilities
for your correspondent, is exactly the behavior defined in RFC 2311
(section 2.6.x) and implemented in most, if not all, SMIME apps.
Mozilla family mail clients (e.g. Thunderbird) work the same way.

The one aspect of your description above that seems like erroneous
behavior is the need to manually intervene to cause the SMIME
capabilities to be stored/updated upon receipt of a signed message.
RFC 2311 section 2.6.1 spells out the expected behavior. It's
automatic in Mozilla family email clients, but according to your report
it's manual in Outlook. That's unfortunate.

--
Nelson B
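As an added example (not code from the thread or from either mail client), here is a small Python decoder for the SMIMECapabilities attribute discussed above, together with the selection rule that produces the RC2/40 fallback when nothing is stored for a correspondent. The DER sample bytes, the OID constants and the function names are my own constructions.

```python
# Added example: decode an RFC 2311 SMIMECapabilities attribute, then choose a reply
# cipher as the thread describes (recipient's stored preference, else RC2/40).
DES_EDE3_CBC = "1.2.840.113549.3.7"  # des-ede3-cbc, no parameters
RC2_CBC = "1.2.840.113549.3.2"       # rc2-cbc, parameter = INTEGER key bits
CIPHERS = {DES_EDE3_CBC: ("3DES", 168), RC2_CBC: ("RC2", None)}

def _tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs; a set high bit means "continues"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_smime_capabilities(der):
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { OID, parameters OPTIONAL }.
    Returns [(oid, key_bits_or_None), ...] in the sender's preference order."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = _tlv(body, pos)
        t, oid_body, p = _tlv(cap, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed SMIMECapability")
        t, param = _tlv(cap, p)[:2] if p < len(cap) else (None, b"")  # optional parameter
        bits = int.from_bytes(param, "big") if t == 0x02 else None   # rc2-cbc key length
        caps.append((_decode_oid(oid_body), bits))
    return caps

def choose_cipher(stored_caps):
    """First recipient-listed cipher we can use (RFC 2311); nothing stored -> RC2/40."""
    for oid, bits in stored_caps or ():  # the NULL address-book entry case from the thread
        if oid in CIPHERS:
            name, default_bits = CIPHERS[oid]
            return name, (bits if bits is not None else default_bits)
    return "RC2", 40

# Constructed sample attribute: the sender prefers 3DES, then RC2/128, then RC2/40.
SAMPLE_CAPS_DER = bytes.fromhex("302b" "300a06082a864886f70d0307"  # outer SEQUENCE, 3DES
    "300e06082a864886f70d030202020080" "300d06082a864886f70d0302020128")  # RC2/128, RC2/40
```

A client that ends up on the fallback branch should warn before sending, as the poster's Outlook Express did.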


