Looks like I don't need to capture those screen shots, you can get them at:
http://www.verisign.com/support/class1/installation/install.html#o2000
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
Sent: Wednesday, September 12, 2001 9:28 PM
To: Exchange Discussions
Subject: RE: Encryption
Yep - online discussion is better for me and I think it will go down well in
the archives for those that do bother to check them b4 posting their
questions. <sarcasm>Forgive me if one Friday I decide to post the
disclaimer question just because someone hasn't already asked it at least 30
separate times in the preceding week each with a slightly different subject
line.... how 'lonely' would we be without it? Really! </sarcasm>
I like the sound of the $14.95 digital ID's as a solution to start with. I
will look into this a bit further ... and thanks for the tip about turning
on the S/MIME switch for the IMS.
Jon, if you can mail the screenshots to me ([EMAIL PROTECTED])...
that would be immensely appreciated. There is a lot of research to be done on
this topic before any of this is implemented (and not much time to do
it...). Off I go to continue in my research b4 my next meeting....
MP
> -----Original Message-----
> From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 September 2001 1:53 PM
> To: Exchange Discussions
> Subject: RE: Encryption
>
>
> Oops, didn't see Ed's comment.
>
> I guess this is still online?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jon Lucas
> Sent: Wednesday, September 12, 2001 8:47 PM
> To: Exchange Discussions
> Subject: RE: Encryption
>
>
> Count me in. I can offer quite a bit of insight into the VeriSign product
> and would love to participate. The time has come to bring some sense to
> this issue.
>
> Let's start the discussion off-line. Who wants to take the lead? Who will
> participate?
>
> Mark, one quick thought... If you want a quick way to get your execs to
> begin using digital IDs, since they are probably not many in number, you
> can easily enroll for individual IDs at
> http://www.verisign.com/products/class1/index.html for $14.95 each. Once
> they have the certs, configure their Outlook clients to use the certs in
> Tools, Options, Security.
> Make sure to configure the IMC with the "Clients support S/MIME" option
> or you will not be able to sign email.
>
> This way you can get them to try out the technology for relatively little
> dollars. If their goal is to be able to encrypt mail between themselves,
> thus preventing you, and other admins etc. from reading it, this may be all
> you need to do.
>
> If you want, you can go one step further and use a utility certstuff.exe to
> upload the certificate to the GAL. This is not necessary but if you have a
> small group of people and they would rather use the GAL instead of
> individual contacts for each other, you can make it work with certstuff.exe.
> I'm still trying to figure out where to obtain certstuff.exe. It's been a
> while and I can't remember how MS released it.
> Anyway, by doing the above, you have basically done on a small scale, what
> GoSecure for Exchange will do in a large scale, with managed capacity.
> Why use a CA? Their certs chain up to a key that was already placed in your
> registry. In fact just about everyone in the world with very few exceptions
> will have this root. VeriSign as well as other CAs are in the MS Root
> Certificate program. This means that when you sign a message with your
> digital ID, and send it to someone, the certificate will be presented
> without prompting the person on the receiving end as to whether or not they
> wish to trust the certificate. It's an ease of use issue. Also, the same
> infrastructure that provides the s/mime certs can be part of an overall
> solution that provides certificates for ssl and ipsec for your websites and
> router/firewall/host encryption. Also, you can do all the issuance and
> management using the CA's infrastructure. You don't have to build anything.
>
> Signing the message not only provides a means to link it to a verified
> identity, it also adds a checksum to ensure that the contents were not
> altered. This capability works regardless of whether or not the person on
> the other end has an ID. Encryption will only work if the other party, like
> you, has a digital ID, or key, and you have exchanged the public portion of
> the key.
>
> I can provide you some screen shots of what this looks like in Outlook if
> you wish.
>
> -Jon
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Steve Rollings
> Sent: Wednesday, September 12, 2001 5:35 PM
> To: Exchange Discussions
> Subject: RE: Encryption
>
>
> Mark,
> Jon raises the critical issues. It would be neat if we had a standard.
>
> Your CEO needs to be aware of these issues (not simply loss of data),
> prior to implementing any policy or software solution.
>
> Agreed, why don't we take this offline.
> Can we set up a small forum to discuss the various alternatives?
>
> Regards,
> Steve
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > Sent: Thursday, September 13, 2001 01:05
> > To: Exchange Discussions
> > Subject: RE: Encryption
> >
> >
> > I have raised the potential loss of data issue - For both file and e-mail
> > encryption. This is one of our biggest concerns. By their very nature...
> > Exec's seem to lose / misplace / delete information and get themselves into
> > many, many interesting and mind boggling scenarios. Adding another option
> > for them to cause problems makes me very uneasy and cautious indeed.
> >
> > The potential penetration of viruses issue is a good one... that will be
> > raised at the next opportunity I have to do so.
> >
> > Ed, I doubt the CEO is aware of the fact that he must co-ordinate with his
> > recipients. This may be a turning point for the notion. Given the company is
> > moving into a really busy period... having to co-ordinate with recipients
> > increases the size of the 'project' significantly.
> >
> > Thanks and Peace to all.
> > MP
> >
> >
> >
> > > -----Original Message-----
> > > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, 13 September 2001 9:36 AM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Is your CEO aware that the person with whom he is corresponding must also
> > > use the same encryption tool he uses? That is, that such a desire requires
> > > coordination with all of his correspondents?
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Tech Consultant
> > > Compaq Computer Corporation (soon to be HP)
> > > All your base are belong to us.
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > > Sent: Wednesday, September 12, 2001 4:24 PM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Many, many Good points. Allow me to elaborate...
> > >
> > > CEO of company has ants in the pants about encryption all of a sudden. He
> > > wants his mail and the mail of the top exec's to be encrypted for both
> > > internal and external mail. As most CEO's do, He wants it yesterday but the
> > > people that need to know find out today.
> > >
> > > He also wants the ability to encrypt files. I will treat this as a side
> > > issue and not in the scope of this discussion because this has wider
> > > implications that need to be discussed internally before a solution can be
> > > sought. In fact the whole damn topic needs to be discussed off line... but
> > > I'll take care of that. I wholly agree with you about the security policy -
> > > that should come first and set the stage for the implementation.
> > >
> > > I guess what I am asking is, for e-mail encryption (that is my primary
> > > concern at this stage) is it better for client based encryption via PGP
> > > addin to Outlook (or digital ID), or server based encryption? I see Mail
> > > Essentials from www.GFI.com have a server based solution. If we can, we
> > > would like to avoid having a Key Mgmt server... but if we need to get one
> > > then I am happy to take that course of action too.
> > >
> > > Our desktop support group have managed to crash 2 of 3 machines while
> > > testing Outlook PGP plugin. We are not looking too favourably on that
> > > solution at the moment. Verisign digital ID's for the exec's seems to be the
> > > way to go at the moment...
> > >
> > > If it helps, we are running Win2k and E2k server. Mail clients are running
> > > either Win2k Professional or NT4 and OL 2000.
> > >
> > > Thanks for your assistance so far... VERY VERY helpful and encouraging!
> > > MP
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, 13 September 2001 2:12 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: Encryption
> > > >
> > > >
> > > > Well, since it appears this thread has taken a turn for the obscure, I will
> > > > respond to your original post.
> > > >
> > > > I usually just listen to this list, but this is actually something of which
> > > > I have some level of knowledge. I won't discuss my affiliation with
> > > > VeriSign except to say that I do not work for them. It is my opinion that
> > > > VeriSign has the best solution for implementing a managed PKI solution for
> > > > Exchange. We can discuss that in subsequent emails since I am now getting
> > > > ahead of the encryption discussion.
> > > >
> > > > Where any discussion of PKI starts is with clearly defined organizational
> > > > objectives. You simply do not want to try to deploy PKI as your solution.
> > > > That is not a clearly defined objective. You need to identify what it is
> > > > that you are interested in securing; your external communications with
> > > > partners, your internal communications between employees and HR, your
> > > > network communication, authentication, building access etc. Your
> > > > organization needs to have a security policy. This involves your entire
> > > > enterprise, not just your Exchange organization. It may sound like a rant,
> > > > but by implementing a method of encryption, you can potentially undermine
> > > > other objectives such as protecting your company from viruses.
> > > >
> > > > For example, you may decide to implement a solution that gives every
> > > > employee a digital ID and ensures that it gets inserted into the Exchange
> > > > GAL or Active Directory. This enables any employee to simply sign and/or
> > > > encrypt email to others in the directory. You may also as part of your
> > > > security policy, require employees to sign all email messages by default.
> > > > Should that employee receive a virus in email, most likely the virus will
> > > > proliferate with signed messages. Other employees will undoubtedly produce
> > > > further infections. But wait, you have antivirus software correct? Your
> > > > antivirus software may be unable to effectively disinfect a signed message.
> > > > It will most definitely be unable to disinfect if this happens with an
> > > > encrypted message.
> > > >
> > > > Not likely? I have seen it happen using Exchange and x.509 certificates and
> > > > Groupshield. This is a little secret that no one is talking about right
> > > > now. Sooner or later someone is going to write a virus that takes advantage
> > > > of this type of configuration. Right now I wouldn't expect it, but as more
> > > > people deploy this kind of solution, I would expect a virus writer to alter
> > > > their code.
> > > >
> > > > Understanding the implications of encryption and having clearly defined
> > > > objectives will save your backside when the fecal mass hits that thing
> > > > you just turned on in your office to cool you off because you're
> > > > sweating while you rush to manually clean out signed lovebugs from your
> > > > information store and hope none of your users open and execute the
> > > > attachment on an email message that just came from a fellow employee, signed
> > > > with a digital ID.
> > > >
> > > > End of rant....
> > > >
> > > > Some technical information...
> > > >
> > > > You can obtain a digital ID from VeriSign, or one of the other CAs, for
> > > > signing email. Make sure your IMC is configured with the option "Clients
> > > > support S/MIME" enabled. This is not enabled by default.
> > > >
> > > > Your turn.
> > > >
> > > > -Jon
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > > > Sent: Tuesday, September 11, 2001 4:21 PM
> > > > To: Exchange Discussions
> > > > Subject: Encryption
> > > >
> > > >
> > > > Hi,
> > > > I have checked the FAQ and have not found any suggestions... so I will put
> > > > it to the experts.
> > > >
> > > > Does anyone have a preferred product or solution for e-mail encryption?
> > > > Management here are looking at installing PGP and are also looking at a
> > > > Verisign product. Does anyone have any good / bad experience with either of
> > > > these products or any others?
> > > >
> > > > Previously I have had a few bad experiences with PGP software so I may be a
> > > > bit biased against it - hence I am looking to see what the general consensus
> > > > is...
> > > >
> > > > Thanks in advance,
> > > > MP
> > > >
> > > >
> > > > _________________________________________________________________
> > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > > Exchange List admin: [EMAIL PROTECTED]
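
Added example, not part of the original thread: a sketch of how a mail gateway could triage messages by S/MIME wrapper, illustrating the point raised above that antivirus software can read a signed message but cannot clean it without breaking the signature, and cannot read an encrypted one at all. It relies only on the standard S/MIME content types; the function names, action labels and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def attachment_names(part):
    """Filenames of every attachment reachable by plain MIME parsing."""
    return [p.get_filename() for p in part.walk() if p.get_filename()]

def triage(raw):
    """Return (kind, gateway_action, visible_attachments) for one raw message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        # Clear-signed: part 0 is ordinary MIME, part 1 the detached signature.
        # Readable without keys, but removing an attachment breaks the signature.
        return ("clear-signed", "scan-only", attachment_names(msg.get_payload()[0]))
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "signed-data":
            # Opaque-signed: content sits inside the CMS wrapper, still unencrypted.
            return ("opaque-signed", "unwrap-cms-then-scan", [])
        # Enveloped (or unlabelled) data: treated as unreadable at the gateway.
        return ("encrypted", "needs-recipient-key", [])
    return ("unsigned", "scan-and-clean", attachment_names(msg))

def build_samples():
    """Constructed messages; signature and ciphertext bytes are placeholders."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText("see attachment"))
    att = MIMEApplication(b"placeholder attachment bytes")
    att.add_header("Content-Disposition", "attachment", filename="report.doc")
    inner.attach(att)
    signed = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha1")
    signed.attach(inner)
    signed.attach(MIMEApplication(b"placeholder signature", "pkcs7-signature"))
    opaque = MIMEApplication(b"placeholder CMS", "pkcs7-mime", smime_type="signed-data")
    sealed = MIMEApplication(b"placeholder CMS", "pkcs7-mime", smime_type="enveloped-data")
    return {"unsigned": inner.as_string(), "clear-signed": signed.as_string(),
            "opaque-signed": opaque.as_string(), "encrypted": sealed.as_string()}

if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, triage(raw))
```

Messages that come back as `needs-recipient-key` can only be scanned on the endpoint after the recipient's client decrypts them.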