This is exactly my argument behind the question. My CEO was quite insistent 
that there is some way to set permissions on this. My argument was, even if 
there is a way, what is the point based on the "pen and paper" example you 
used. I agree 100%, but he argued so incessantly I had to ask. Thanks for the 
help.

________________________________

From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]]
Sent: Sun 7/30/2006 12:26 PM
To: Focus-MS
Subject: Re: MS Exchange



I think you may have misunderstood the OP's question, or might have some
misconceptions of what RMS is and how it works...   RMS is a solution for
rights management within an organization, or between organizations that have
agreed with each other beforehand to exchange RMS content.  And as such,
they have explicitly chosen to trust each other to the degree that they
actually import each other's XrML license certificates into the RMS
infrastructure for cross-organization policy enforcement.

When I said "RMS-enabled applications," I was talking about actually
enabling the applications to use RMS functions by joining the machines to an
RMS infrastructure. Just because I have Outlook doesn't mean that you can
send me an SMTP email and set some arbitrary permissions on it that prevent
me from forwarding it.  Now, if you really want to, you can have a non-RMS,
untrusted recipient receive the message via MSIRMS, but then they have to
have a passport account that you already have explicit knowledge about and
they have to have specific RMS voodoo dolls installed.

The OP asked:
>> Even after the email makes it outside of our network, so someone that
>> accesses it from a different non-windows based application? i.e.
>> mac/unix/et al

The answer is "no" even with RMS.  RMS, as cool as it is, seeks to provide
technical mechanisms to enforce policy.  It is not a security solution.  To
play with RMS, some level of MSFT software must be utilized, be it an
RMS-enabled application or an RMS plug-in for IE.

As with all policy enforcement, it only works with people you can trust. If
you send me something that I can read, I can really do anything I want with
it.  Hell, I'll just hit PrtScr and email the bitmap, or read it aloud into
Word with speech recognition.   I've even heard of these things called
"pencil" and "paper" where one can actually etch graphite residue onto some
parchment material, but I think that's just urban legend ;)

Once it leaves your policy-enforced organization, all bets are off.

t


On 7/30/06 2:27 AM, "Miha Pihler" <[EMAIL PROTECTED]> spoketh to all:

> True, this will only work on RMS Enabled applications which include
> Office applications (Outlook, Word, Excel, PowerPoint ...), Visio, IE,
> Acrobat Reader with 3rd party add-on. There are some others planned for
> the next version of RMS.
>
> Also true that if you receive an RMS protected document you don't have to
> play with my RMS policy -- but in this case you are left with encrypted
> file if it helps you... ;-)
>
> The owner of data or e-mail sender must set what actions are allowed on
> e-mail/document (e.g. who can open it, can it be printed, can it be
> forwarded, what are time limits on the document), before sending e-mail
> or document out...
> What I like about this is if someone who is allowed to forward e-mails
> sends it out of organization either by mistake or intentionally the
> recipient still won't be allowed to open it since the data owner didn't
> add him as someone who can open the e-mail or document.
>
> Of course if the data owner forgets to set RMS permissions before sending
> e-mail or document everyone will be able to read, forward and print this
> document/e-mail.
>
> Mike
>
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 30, 2006 2:04 AM
> To: Miha Pihler; Kirby Boteler; [EMAIL PROTECTED]; Focus-MS
> Subject: Re: MS Exchange
>
> Only in RMS-Enabled applications.  If I don't want to "play" with your RMS
> policy, I don't have to.  If the RMS policy allows the email to leave
> your RMS protected infrastructure and it makes it to my SMTP server, I
> can do whatever I want with it from there.
>
> t
>
>
> On 7/29/06 4:14 PM, "Miha Pihler" <[EMAIL PROTECTED]> spoketh to all:
>
>> Yes. Once the e-mail is out of the network the recipient has to check
>> in with RMS server which is still in your network. RMS server will ask
>> for e.g. username and password and if the person authenticates
>> successfully and is in the right group it will allow the e-mail to be
>> opened (e-mail is actually encrypted IIRC so when you authenticate you
>> get a private key that will allow you to decrypt the e-mail).
>>
>> This way you can revoke access to the e-mail or document at any time
>> unless you allow credentials to be cached which is configurable. You
>> might want to allow cached credentials to allow opening of a document
>> while offline. If you don't allow caching of credentials - client will
>> be required to contact RMS server any time he or she wants to open an
>> e-mail or document.
>> You can also limit access to the document by date. After certain date
>> access to the document is no longer available.
>>
>> Mike
>>
>> -----Original Message-----
>> From: Kirby Boteler [mailto:[EMAIL PROTECTED]]
>> Sent: Sunday, July 30, 2006 1:03 AM
>> To: Miha Pihler; [EMAIL PROTECTED]; [EMAIL PROTECTED];
>> [EMAIL PROTECTED]
>> Subject: RE: MS Exchange
>>
>> Even after the email makes it outside of our network, so someone that
>> accesses it from a different non-windows based application? i.e.
>> mac/unix/et al
