Hi all,
This may be a dumb question, so I apologise in advance...

If we get each executive a Verisign $15 digital ID... does it apply to
internal mail as well as external mail? Without time and resources to test
all of this I can only presume that internal mail would be treated (signed
and encrypted) in the same fashion as external mail...

Also, can anyone confirm that

The recipient will still need to go to the Verisign website and download the
public key or have the sender forward the public key... for encrypted
messages. For digitally signed messages that are not encrypted... then this
does not apply and the recipient can simply read the message and feel all
warm and fuzzy inside knowing that the contents are 100% legit.

Thanks.
MP

> -----Original Message-----
> From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 September 2001 1:47 PM
> To: Exchange Discussions
> Subject: RE: Encryption
> 
> 
> Count me in.  I can offer quite a bit of insight into the VeriSign product
> and would love to participate.  The time has come to bring some sense to
> this issue.
>
> Let's start the discussion off-line.  Who wants to take the lead?  Who will
> participate?
>
> Mark, one quick thought...  If you want a quick way to get your execs to
> begin using digital IDs, since they are probably not many in number, you
> can easily enroll for individual IDs at
> http://www.verisign.com/products/class1/index.html for $14.95 each.  Once
> they have the certs, configure their Outlook clients to use the certs in
> Tools, Options, Security.
> Make sure to configure the IMC with the "Clients support S/MIME" option
> or you will not be able to sign email.
>
> This way you can get them to try out the technology for relatively little
> dollars.  If their goal is to be able to encrypt mail between themselves,
> thus preventing you, and other admins etc. from reading it, this may be all
> you need to do.
>
> If you want, you can go one step further and use a utility certstuff.exe to
> upload the certificate to the GAL.  This is not necessary but if you have a
> small group of people and they would rather use the GAL instead of
> individual contacts for each other, you can make it work with certstuff.exe.
> I'm still trying to figure out where to obtain certstuff.exe.  It's been a
> while and I can't remember how MS released it.
> Anyway, by doing the above, you have basically done on a small scale, what
> GoSecure for Exchange will do in a large scale, with managed capacity.
> Why use a CA?  Their certs chain up to a key that was already placed in your
> registry.  In fact just about everyone in the world with very few exceptions
> will have this root.  VeriSign as well as other CAs are in the MS Root
> Certificate program.  This means that when you sign a message with your
> digital ID, and send it to someone, the certificate will be presented
> without prompting the person on the receiving end as to whether or not they
> wish to trust the certificate.  It's an ease of use issue.  Also, the same
> infrastructure that provides the s/mime certs can be part of an overall
> solution that provides certificates for ssl and ipsec for your websites and
> router/firewall/host encryption.  Also, you can do all the issuance and
> management using the CA's infrastructure.  You don't have to build anything.
>
> Signing the message not only provides a means to link it to a verified
> identity, it also adds a checksum to ensure that the contents were not
> altered.  This capability works regardless of whether or not the person on
> the other end has an ID.  Encryption will only work if the other party, like
> you, has a digital ID, or key, and you have exchanged the public portion of
> the key.
>
> I can provide you some screen shots of what this looks like in Outlook if
> you wish.
> 
> -Jon
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Steve Rollings
> Sent: Wednesday, September 12, 2001 5:35 PM
> To: Exchange Discussions
> Subject: RE: Encryption
> 
> 
> Mark,
> Jon raises the critical issues. It would be neat if we had a standard.
> 
> Your CEO needs to be aware of these issues (not simply loss of data),
> prior to implementing any policy or software solution.
> 
> Agreed, why don't we take this offline.
> Can we set up a small forum to discuss the various alternatives?
> 
> Regards,
> Steve
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > Sent: Thursday, September 13, 2001 01:05
> > To: Exchange Discussions
> > Subject: RE: Encryption
> >
> >
> > I have raised the potential loss of data issue - For both file and e-mail
> > encryption. This is one of our biggest concerns. By their very nature...
> > Execs seem to lose / misplace / delete information and get themselves into
> > many, many interesting and mind boggling scenarios. Adding another option
> > for them to cause problems makes me very uneasy and cautious indeed.
> >
> > The potential penetration of viruses issue is a good one... that will be
> > raised at the next opportunity I have to do so.
> >
> > Ed, I doubt the CEO is aware of the fact that he must co-ordinate with his
> > recipients. This may be a turning point for the notion. Given the company is
> > moving into a really busy period... having to co-ordinate with recipients
> > increases the size of the 'project' significantly.
> >
> > Thanks and Peace to all.
> > MP
> >
> >
> >
> > > -----Original Message-----
> > > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, 13 September 2001 9:36 AM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Is your CEO aware that the person with whom he is corresponding must also
> > > use the same encryption tool he uses?  That is, that such a desire requires
> > > coordination with all of his correspondents?
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Tech Consultant
> > > Compaq Computer Corporation (soon to be HP)
> > > All your base are belong to us.
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > > Sent: Wednesday, September 12, 2001 4:24 PM
> > > To: Exchange Discussions
> > > Subject: RE: Encryption
> > >
> > >
> > > Many, many good points. Allow me to elaborate...
> > >
> > > CEO of company has ants in the pants about encryption all of a sudden. He
> > > wants his mail and the mail of the top execs to be encrypted for both
> > > internal and external mail. As most CEOs do, he wants it yesterday but the
> > > people that need to know find out today.
> > >
> > > He also wants the ability to encrypt files. I will treat this as a side
> > > issue and not in the scope of this discussion because this has wider
> > > implications that need to be discussed internally before a solution can be
> > > sought. In fact the whole damn topic needs to be discussed off line... but
> > > I'll take care of that. I wholly agree with you about the security policy -
> > > that should come first and set the stage for the implementation.
> > >
> > > I guess what I am asking is, for e-mail encryption (that is my primary
> > > concern at this stage) is it better for client based encryption via PGP
> > > addin to Outlook (or digital ID), or server based encryption? I see Mail
> > > Essentials from www.GFI.com have a server based solution. If we can, we
> > > would like to avoid having a Key Mgmt server... but if we need to get one
> > > then I am happy to take that course of action too.
> > >
> > > Our desktop support group have managed to crash 2 of 3 machines while
> > > testing Outlook PGP plugin. We are not looking too favourably on that
> > > solution at the moment. Verisign digital IDs for the execs seems to be the
> > > way to go at the moment...
> > >
> > > If it helps, we are running Win2k and E2k server. Mail clients are running
> > > either Win2k Professional or NT4 and OL 2000.
> > >
> > > Thanks for your assistance so far... VERY VERY helpful and encouraging!
> > > MP
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jon Lucas [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, 13 September 2001 2:12 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: Encryption
> > > >
> > > >
> > > > Well, since it appears this thread has taken a turn for the obscure, I will
> > > > respond to your original post.
> > > >
> > > > I usually just listen to this list, but this is actually something of which
> > > > I have some level of knowledge.  I won't discuss my affiliation with
> > > > VeriSign except to say that I do not work for them.  It is my opinion that
> > > > VeriSign has the best solution for implementing a managed PKI solution for
> > > > Exchange.  We can discuss that in subsequent emails since I am now getting
> > > > ahead of the encryption discussion.
> > > >
> > > > Where any discussion of PKI starts is with clearly defined organizational
> > > > objectives.  You simply do not want to try to deploy PKI as your solution.
> > > > That is not a clearly defined objective.  You need to identify what it is
> > > > that you are interested in securing; your external communications with
> > > > partners, your internal communications between employees and HR, your
> > > > network communication, authentication, building access etc.  Your
> > > > organization needs to have a security policy.  This involves your entire
> > > > enterprise, not just your Exchange organization.  It may sound like a rant,
> > > > but by implementing a method of encryption, you can potentially undermine
> > > > other objectives such as protecting your company from viruses.
> > > >
> > > > For example, you may decide to implement a solution that gives every
> > > > employee a digital ID and ensures that it gets inserted into the Exchange
> > > > GAL or Active Directory.  This enables any employee to simply sign and/or
> > > > encrypt email to others in the directory.  You may also, as part of your
> > > > security policy, require employees to sign all email messages by default.
> > > > Should that employee receive a virus in email, most likely the virus will
> > > > proliferate with signed messages.  Other employees will undoubtedly produce
> > > > further infections.  But wait, you have antivirus software correct?  Your
> > > > antivirus software may be unable to effectively disinfect a signed message.
> > > > It will most definitely be unable to disinfect if this happens with an
> > > > encrypted message.
> > > >
> > > > Not likely?  I have seen it happen using Exchange and x.509 certificates and
> > > > Groupshield.  This is a little secret that no one is talking about right
> > > > now.  Sooner or later someone is going to write a virus that takes advantage
> > > > of this type of configuration.  Right now I wouldn't expect it, but as more
> > > > people deploy this kind of solution, I would expect a virus writer to alter
> > > > their code.
> > > >
> > > > Understanding the implications of encryption and having clearly defined
> > > > objectives will save your backside when the fecal mass hits that thing
> > > > you just turned on in your office to cool you off because you're
> > > > sweating while you rush to manually clean out signed lovebugs from your
> > > > information store and hope none of your users open and execute the
> > > > attachment on an email message that just came from a fellow employee, signed
> > > > with a digital ID.
> > > >
> > > > End of rant....
> > > >
> > > > Some technical information...
> > > >
> > > > You can obtain a digital ID from VeriSign, or one of the other CAs, for
> > > > signing email.  Make sure your IMC is configured with the option "Clients
> > > > support S/MIME" enabled.  This is not enabled by default.
> > > >
> > > > Your turn.
> > > >
> > > > -Jon
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Peoples
> > > > Sent: Tuesday, September 11, 2001 4:21 PM
> > > > To: Exchange Discussions
> > > > Subject: Encryption
> > > >
> > > >
> > > > Hi,
> > > > I have checked the FAQ and have not found any suggestions... so I will put
> > > > it to the experts.
> > > >
> > > > Does anyone have a preferred product or solution for e-mail encryption?
> > > > Management here are looking at installing PGP and are also looking at a
> > > > Verisign product. Does anyone have any good / bad experience with either of
> > > > these products or any others?
> > > >
> > > > Previously I have had a few bad experiences with PGP software so I may be a
> > > > bit biased against it - hence I am looking to see what the general consensus
> > > > is...
> > > >
> > > > Thanks in advance,
> > > > MP
> > > >

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
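
Jon's point in the quoted thread above, that gateway antivirus may fail to disinfect signed mail and cannot disinfect encrypted mail, follows from how S/MIME wraps the content. The sketch below is an added example, not part of the thread: it classifies a message from its MIME headers the way a mail scanner would, using only the Python standard library. The `classify` helper, the sample addresses and the `AAAA` bodies are constructed placeholders.

```python
from email import message_from_string

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify(raw):
    """Return (kind, mime_readable, rewrite_safe) for one message string.

    mime_readable: a plain MIME walker can reach the body and attachments.
    rewrite_safe:  a gateway can strip or clean a part without the recipient
                   seeing a broken signature or an undecryptable message.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in SIG_PROTOCOLS:
        # Clear-signed: part 1 is the content, part 2 the detached signature.
        parts = msg.get_payload()
        readable = isinstance(parts, list) and len(parts) == 2
        return ("clear-signed", readable, False)
    if ctype in PKCS7_MIME:
        if (msg.get_param("smime-type") or "").lower() == "signed-data":
            # Opaque-signed: content sits inside the CMS blob, unencrypted,
            # but only a CMS-aware scanner can get at it.
            return ("opaque-signed", False, False)
        # enveloped-data (or no smime-type): encrypted to recipient keys.
        return ("encrypted", False, False)
    return ("unsigned", True, True)

def _sample(content_type, body):
    # Constructed sample message; addresses and bodies are placeholders.
    return ("From: exec@example.com\nTo: peer@example.com\n"
            f"MIME-Version: 1.0\nContent-Type: {content_type}\n\n{body}")

SAMPLES = {
    "plain": _sample("text/plain", "hello\n"),
    "clear": _sample(
        'multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"',
        "--b1\nContent-Type: text/plain\n\nsee attachment\n"
        "--b1\nContent-Type: application/pkcs7-signature\n\nAAAA\n--b1--\n"),
    "opaque": _sample("application/pkcs7-mime; smime-type=signed-data", "AAAA\n"),
    "encrypted": _sample("application/pkcs7-mime; smime-type=enveloped-data", "AAAA\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```
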