Internal and external.  From what I remember from previous messages, you
have Outlook 2K so this should be a snap.  Note that encryption is a process
that requires both parties to have a public and private key.  When sending
mail to people who do not have a digital ID, the best you can do is to sign
the message.  Signing the message does not ensure the contents cannot be
read in transit but it does ensure to the person who receives it that it has
not been altered.

Your execs should be able to send encrypted messages to each other and
prevent you, the admin, from viewing them from your perch at the top of the
Exchange organization.

Also worth noting, the $15 certs do not ensure any identity.  They only
ensure that the email address in the From field is the address used when the
message was signed.  If you look at a certificate from VeriSign, it will say
"Subscriber-Persona not validated".  VeriSign doesn't prove that you are
you.  They just make sure that the email address that applied for the cert
is the email address that got it.

If you want more validity, you have to pay more and go with an enterprise
product.

Make sure that your execs pay close attention to the challenge phrase and to
the passwords used to protect their certificates when exported or backed up.
Did I mention you need to back up the certs?  This is VERY IMPORTANT.  If
something should happen to their PC resulting in loss of the registry, they
will be up s--- creek without their ID.  Make sure to bring the point home
to them that they will need their ID to read any mail that was encrypted
using it.  We all know how execs like to keep old email.  They need to make
sure to keep a backup of the ID and use something they will not forget for
the challenge phrase and passwords on the exported file.  When you export
the ID to a file, a password is required to protect it in its exported
form, a file with a .pfx extension.  You don't want someone taking your
exported ID from the network share and importing it themselves.  Also, a
challenge phrase is required when obtaining the cert from VeriSign.  This is
used to do things like revoke or obtain a new cert if you lost the old one.
Note that if you download the cert later to replace it, it will be a new cert
and you will not be able to read mail encrypted using the lost one.  As the
years go by and you renew your certs, your certificate store will grow
because you have to keep them each year in order to be able to read all that
old mail.

You and some other IS person should obtain certs yourselves and go through
the process of backing them up and restoring them.  You don't want to be at
an exec's desk, talking the exec through the process, if you have not done it
yourself.  Don't leave it up to them.  Make sure to go through the process
with them.  There is too much chance for them to screw it up and then you
are on the hook for the screw up.

Thoroughly understand it yourself and then make them thoroughly understand it.

By the way, RSA has a good book on cryptography
http://www.amazon.com/exec/obidos/ASIN/007213139X/qid=1000741590/sr=2-1/104-2796244-0325521

-Jon

"that we here highly resolve that these dead shall not have died in vain. .
. that this nation, under God, shall have a new birth of freedom. . . and
that government of the people. . .by the people. . .for the people. . .
shall not perish from the earth."

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
Sent: Sunday, September 16, 2001 8:13 PM
To: Exchange Discussions
Subject: RE: Encryption


Hi all,
This may be a dumb question, so I apologise in advance...

If we get each executive a Verisign $15 digital ID... does it apply to
internal mail as well as external mail? Without time and resources to test
all of this I can only presume that internal mail would be treated (signed
and encrypted) in the same fashion as external mail...

Also, Can anyone confirm that

The recipient will still need to go to the Verisign website and download the
public key or have the sender forward the public key... for encrypted
messages. For digitally signed messages that are not encrypted... then this
does not apply and the recipient can simply read the message and feel all
warm and fuzzy inside knowing that the contents are 100% legit.

Thanks.
MP

> -----Original Message-----
> From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 September 2001 1:47 PM
> To: Exchange Discussions
> Subject: RE: Encryption
>
>
> Count me in.  I can offer quite a bit of insight into the
> VeriSign product
> and would love to participate.  The time has come to bring
> some sense to
> this issue.
>
> Let's start the discussion off-line.  Who wants to take the
> lead?  Who will
> participate?
>
> Mark, one quick thought...  If you want a quick way to get
> your execs to
> begin using digital IDs, since they are probably not many
> in number, you
> can easily enroll for individual IDs at
> http://www.verisign.com/products/class1/index.html for $14.95
> each.  Once
> they have the certs, configure their Outlook clients to use
> the certs in
> Tools, Options, Security.
> Make sure to configure the IMC with the option "Clients
> support S/MIME"
> option or you will not be able to sign email.
>
> This way you can get them to try out the technology for
> relatively
> dollars.  If their goal is to be able to encrypt mail between
> themselves,
> thus preventing you, and other admins etc. from reading it,
> this may be all
> you need to do.
>
> If you want, you can go one step further and use a utility
> certstuff.exe to
> upload the certificate to the GAL.  This is not necessary but
> if you have a
> small group of people and they would rather use the GAL instead of
> individual contacts for each other, you can make it work with
> certstuff.exe.
> I'm still trying to figure out where to obtain certstuff.exe.
>  It's been a
> while and I can't remember how MS released it.
> Anyway, by doing the above, you have basically done on a
> small scale, what
> GoSecure for Exchange will do in a large scale, with managed capacity.
> Why use a CA?  Their certs chain up to a key that was already
> placed in your
> registry.  In fact just about everyone in the world with very
> few exceptions
> will have this root.  VeriSign as well as other CAs are in the MS Root
> Certificate program.  This means that when you sign a message
> with your
> digital ID, and send it to someone, the certificate will be presented
> without prompting the person on the receiving end as to
> whether or not they
> wish to trust the certificate.  It's an ease of use issue.
> Also, the same
> infrastructure that provides the s/mime certs can be part of
> an overall
> solution that provides certificates for ssl and ipsec for
> your websites and
> router/firewall/host encryption.  Also, you can do all the
> issuance and
> management using the CAs infrastructure.  You don't have to
> build anything.
>
> Signing the message not only provides a means to link it to a verified
> identity, it also adds a checksum to ensure that the contents were not
> altered.  This capability works regardless of whether or not
> the person on
> the other end has an ID.  Encryption will only work if the
> other party, like
> you, has a digital ID, or key, and you have exchanged the
> public portion of
> the key.
>
> I can provide you some screen shots of what this looks like
> in Outlook if
> you wish.
>
> -Jon
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steve Rollings
> Sent: Wednesday, September 12, 2001 5:35 PM
> To: Exchange Discussions
> Subject: RE: Encryption
>
>
> Mark,
> Jon raises the critical issues. It would be neat if we had a standard.
>
> Your CEO needs to be aware of these issues (not simply loss of data),
> prior to implementing any policy or software solution.
>
> Agreed, why don't we take this offline.
> Can we set up a small forum to discuss the various alternatives?
>
> Regards,
> Steve
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> Mark Peoples
> > Sent: Thursday, September 13, 2001 01:05
> > To: Exchange Discussions
> > Subject: RE: Encryption
> >
> >
> > I have raised the potential loss of data issue - For both
> > file and e-mail
> > encryption. This is one of our biggest concerns. By their
> > very nature...
> > Exec's seem to lose / misplace / delete information and get
> > themselves into
> > many, many interesting and mind boggling scenarios. Adding
> > another option
> > for them to cause problems makes me very uneasy and cautious indeed.
> >
> > The potential penetration of viruses issue is a good one...
> > that will be
> > raised at the next opportunity I have to do so.
> >
> > Ed, I doubt the CEO is aware of the fact that he must
> > co-ordinate with his
> > recipients. This may be a turning point for the notion. Given
> > the company is
> > moving into a really busy period... having to co-ordinate
> > with recipients
> > increases the size of the 'project' significantly.
> >
> > Thanks and Peace to all.
> > MP
> >
> >
> >
> > > -----Original Message-----
> > > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, 13 September 2001 9:36 AM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Is your CEO aware that the person with whom he is
> > > corresponding must also
> > > use the same encryption tool he uses?  That is, that such a
> > > desire requires
> > > coordination with all of his correspondents?
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Tech Consultant
> > > Compaq Computer Corporation (soon to be HP)
> > > All your base are belong to us.
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> Mark Peoples
> > > Sent: Wednesday, September 12, 2001 4:24 PM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Many, many Good points. Allow me to elaborate...
> > >
> > > CEO of company has ants in the pants about encryption all of
> > > a sudden. He
> > > wants his mail and the mail of the  top exec's to be
> > > encrypted for both
> > > internal and external mail. As most CEO's do, He wants it
> > > yesterday but the
> > > people that need to know find out today.
> > >
> > > He also wants the ability to encrypt files. I will treat this
> > > as a side
> > > issue and not in the scope of this discussion because
> this has wider
> > > implications that need to be discussed internally before a
> > > solution can be
> > > sought. In fact the whole damn topic needs to be discussed
> > > off line... but
> > > I'll take care of that. I wholly agree with you about the
> > > security policy -
> > > that should come first and set the stage for the implementation.
> > >
> > > I guess what I am asking is, for e-mail encryption (that is
> > my primary
> > > concern at this stage) is it better for client based
> > > encryption via PGP
> > > addin to Outlook (or digital ID), or server based encryption?
> > > I see Mail
> > > Essentials from www.GFI.com have a server based solution. If
> > > we can, we
> > > would like to avoid having a Key Mgmt server... but if we
> > > need to get one
> > > then I am happy to take that course of action too.
> > >
> > > Our desktop support group have managed to crash 2 of 3
> > machines while
> > > testing Outlook PGP plugin. we are not looking too
> > favourably on that
> > > solution at the moment. Verisign digital ID's for the exec's
> > > seems to be the
> > > way to go at the moment...
> > >
> > > If it helps, we are running Win2k and E2k server. Mail
> > > clients are running
> > > either Win2k Professional or NT4 and OL 2000.
> > >
> > > Thanks for your assistance so far... VERY VERY helpful and
> > > encouraging!
> > > MP
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, 13 September 2001 2:12 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: Encryption
> > > >
> > > >
> > > > Well, since it appears this thread has taken a turn for the
> > > > obscure, I will
> > > > respond to your original post.
> > > >
> > > > I usually just listen to this list, but this is actually
> > > > something of which
> > > > I have some level of knowledge.  I won't discuss my
> > affiliation with
> > > > VeriSign except to say that I do not work for them.  It is my
> > > > opinion that
> > > > VeriSign has the best solution for implementing a managed PKI
> > > > solution for
> > > > Exchange.  We can discuss that in subsequent emails since I
> > > > am now getting
> > > > ahead of the encryption discussion.
> > > >
> > > > Where any discussion of PKI starts is with clearly defined
> > > > organizational
> > > > objectives.  You simply do not want to try to deploy PKI as
> > > > your solution.
> > > > That is not a clearly defined objective.  You need to
> > > > identify what it is
> > > > that you are interested in securing; your external
> > > communications with
> > > > partners, your internal communications between employees
> > > and HR, your
> > > > network communication, authentication, building access
> etc.  Your
> > > > organization needs to have a security policy.  This involves
> > > > your entire
> > > > enterprise, not just your Exchange organization.  It may
> > > > sound like a rant,
> > > > but by implementing a method of encryption, you can
> > > > potentially undermine
> > > > other objectives such as protecting your company from viruses.
> > > >
> > > > For example, you may decide to implement a solution that
> > gives every
> > > > employee a digital ID and ensures that it gets inserted into
> > > > the Exchange
> > > > GAL or Active Directory.  This enables any employee to simply
> > > > sign and/or
> > > > encrypt email to others in the directory.  You may also as
> > > > part of your
> > > > security policy, require employees to sign all email messages
> > > > by default.
> > > > Should that employee receive a virus in email, most likely
> > > > the virus will
> > > > proliferate with signed messages.  Other employees will
> > > > undoubtedly produce
> > > > further infections.  But wait, you have antivirus software
> > > > correct?  Your
> > > > antivirus software may be unable to effectively disinfect a
> > > > signed message.
> > > > It will most definitely be unable to disinfect if this
> > > happens with an
> > > > encrypted message.
> > > >
> > > > Not likely?  I have seen it happen using Exchange and x.509
> > > > certificates and
> > > > Groupshield.  This is a little secret that no one is talking
> > > > about right
> > > > now.  Sooner or later someone is going to write a virus that
> > > > takes advantage
> > > > of this type of configuration.  Right now I wouldn't expect
> > > > it, but as more
> > > > people deploy this kind of solution, I would expect a virus
> > > > writer to alter
> > > > their code.
> > > >
> > > > Understanding the implications of encryption and having
> > > > clearly defined
> > > > objectives will save your backside when the fecal mass hits
> > > > that thing you just turned on in your office to cool you off
> > > because you're
> > > > sweating while you rush to manually clean out signed lovebugs
> > > > from your
> > > > information store and hope none of your users open and
> execute the
> > > > attachment on an email message that just came from a fellow
> > > > employee, signed
> > > > with a digital ID.
> > > >
> > > > End of rant....
> > > >
> > > > Some technical information...
> > > >
> > > > You can obtain a digital ID from VeriSign, or one of the
> > > > other CAs, for
> > > > signing email.  Make sure your IMC is configured with the
> > > > option "Clients
> > > > support S/MIME" enabled.  This is not enabled by default.
> > > >
> > > > Your turn.
> > > >
> > > > -Jon
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Mark Peoples
> > > > Sent: Tuesday, September 11, 2001 4:21 PM
> > > > To: Exchange Discussions
> > > > Subject: Encryption
> > > >
> > > >
> > > > Hi,
> > > > I have checked the FAQ and have not found any suggestions...
> > > > so I will put
> > > > it to the experts.
> > > >
> > > > Does anyone have a preferred product or solution for e-mail
> > > > encryption?
> > > > Management here are looking at installing PGP and are also
> > > > looking at a
> > > > Verisign product. Does anyone have any good / bad experience
> > > > with either of
> > > > these products or any others?
> > > >
> > > > Previously I have had a few bad experiences with PGP software
> > > > so I may be a
> > > > bit biased against it - hence I am looking to see what the
> > > > general consensus
> > > > is...
> > > >
> > > > Thanks in advance,
> > > > MP
> > > >
> > > >
> > > > _________________________________________________________________
> > > > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > > > Archives:               http://www.swynk.com/sitesearch/search.asp
> > > > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > > > Exchange List admin:    [EMAIL PROTECTED]
> > >