Well, since it appears this thread has taken a turn for the obscure, I will
respond to your original post.

I usually just listen to this list, but this is actually something of which
I have some level of knowledge.  I won't discuss my affiliation with
VeriSign except to say that I do not work for them.  It is my opinion that
VeriSign has the best solution for implementing a managed PKI solution for
Exchange.  We can discuss that in subsequent emails since I am now getting
ahead of the encryption discussion.

Where any discussion of PKI starts is with clearly defined organizational
objectives.  You simply do not want to try to deploy PKI as your solution.
That is not a clearly defined objective.  You need to identify what it is
that you are interested in securing: your external communications with
partners, your internal communications between employees and HR, your
network communication, authentication, building access etc.  Your
organization needs to have a security policy.  This involves your entire
enterprise, not just your Exchange organization.  It may sound like a rant,
but by implementing a method of encryption, you can potentially undermine
other objectives such as protecting your company from viruses.

For example, you may decide to implement a solution that gives every
employee a digital ID and ensures that it gets inserted into the Exchange
GAL or Active Directory.  This enables any employee to simply sign and/or
encrypt email to others in the directory.  You may also as part of your
security policy, require employees to sign all email messages by default.
Should that employee receive a virus in email, most likely the virus will
proliferate with signed messages.  Other employees will undoubtedly produce
further infections.  But wait, you have antivirus software correct?  Your
antivirus software may be unable to effectively disinfect a signed message.
It will most definitely be unable to disinfect if this happens with an
encrypted message.

Not likely?  I have seen it happen using Exchange and X.509 certificates and
Groupshield.  This is a little secret that no one is talking about right
now.  Sooner or later someone is going to write a virus that takes advantage
of this type of configuration.  Right now I wouldn't expect it, but as more
people deploy this kind of solution, I would expect a virus writer to alter
their code.

Understanding the implications of encryption and having clearly defined
objectives will save your backside when the fecal mass hits that thing
you just turned on in your office to cool you off because you're
sweating while you rush to manually clean out signed lovebugs from your
information store and hope none of your users open and execute the
attachment on an email message that just came from a fellow employee, signed
with a digital ID.

End of rant....

Some technical information...

You can obtain a digital ID from VeriSign, or one of the other CAs, for
signing email.  Make sure your IMC is configured with the option "Clients
support S/MIME" enabled.  This is not enabled by default.

Your turn.

-Jon
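
The scanning problem described in the message above, as an added example that is not part of the original email: a gateway-side triage that reports how an S/MIME message is wrapped and which attachment names a content scanner can read without keys. The function name, labels and sample messages are constructed for illustration.

```python
import email
from email import policy

# Constructed sample messages (placeholders, not real signatures or ciphertext).
CLEAR_SIGNED = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha1; boundary="s"\n\n'
    '--s\nContent-Type: multipart/mixed; boundary="m"\n\n'
    '--m\nContent-Type: text/plain\n\nSee attached.\n'
    '--m\nContent-Type: application/octet-stream\n'
    'Content-Disposition: attachment; filename="invoice.vbs"\n\nplaceholder\n'
    '--m--\n'
    '--s\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\n'
    'placeholder\n--s--\n')
ENCRYPTED = ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data;'
             ' name="smime.p7m"\n\nplaceholder\n')

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
CMS_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def smime_triage(raw):
    """Return (wrapping, attachment names a content scanner can read as-is)."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in CMS_TYPES:
        kind = str(msg.get_param("smime-type", "")).lower()
        # signed-data: content is readable only after unwrapping the CMS blob.
        # enveloped-data: unreadable without the recipient's private key.
        # Assumption: a missing smime-type is treated as encrypted.
        return ("opaque-signed" if kind == "signed-data" else "encrypted", [])
    names = [p.get_filename() for p in msg.walk()
             if p.get_filename() and p.get_content_type() not in SIG_TYPES]
    # multipart/signed: parts are readable, but stripping or altering one
    # invalidates the signature, so the message is quarantined whole.
    return ("clear-signed" if ctype == "multipart/signed" else "unsigned", names)

if __name__ == "__main__":
    for sample in (CLEAR_SIGNED, ENCRYPTED):
        print(smime_triage(sample))
```
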

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
Sent: Tuesday, September 11, 2001 4:21 PM
To: Exchange Discussions
Subject: Encryption


Hi,
I have checked the FAQ and have not found any suggestions... so I will put
it to the experts.

Does anyone have a preferred product or solution for e-mail encryption?
Management here are looking at installing PGP and are also looking at a
Verisign product. Does anyone have any good / bad experience with either of
these products or any others?

Previously I have had a few bad experiences with PGP software so I may be a
bit biased against it - hence I am looking to see what the general consensus
is...

Thanks in advance,
MP

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]

