Actually, I was so desperate for pen-pals who use digital IDs that I
signed my last posting.  Unfortunately, the WEDI listserve adds a text
trailer (telling you how to un-subscribe) at the bottom of the e-mail,
thus invalidating the signature.  Reliable S/MIME aware mail-clients
will report that the signature (not the certificate, though) is invalid
since the message has indeed been tampered with (by the list server).
Everything worked as it should!  I normally turn off signing when
posting to a listserve because either it (1) adds or modifies text, or
(2) forbids attachments (which signatures are implemented as).

Digital IDs will certainly expire - that's one of their "features."  But
you can certainly read archived e-mails even with an expired
certificate:  the e-mail client will simply warn you that the
certificate used for decrypting is expired before going ahead and
decrypting the message.  This has never been a problem: I simply save
the few certificates that I've ever owned (and thus I can decrypt all
messages that I've ever sent or received: my "sent" copies, like
messages sent to me, are encrypted using *my* public key).

Certainly, as I've acknowledged, there's a little tweaking here and
there to make this stuff work, but it's really no more complicated than
network settings and things like that. Centralized key escrow and
archive that will be appropriate in the corporate setting add even more
complexity.   But truthfully, I thought we were talking about
interoperability, not the admittedly extra (and predictable) expense of
key management.

I didn't quite follow the business about viruses, and wouldn't know why
using X.509 and S/MIME makes one more susceptible to them.

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320
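
Added illustration (not part of Mr. Kammerer's posting or anyone else's in
this thread) of the two points above: a signature computed over the body
as sent stops verifying once the list server appends its trailer, while
the certificate itself still checks out; and an expired certificate only
changes what the client warns about, since the private key still decrypts
mail encrypted to it. Uses only the Go standard library. Simplifications
and assumptions: the sample posting, the trailer text and the certificate
subject name are constructed for the example; the signature is a raw
RSA PKCS#1 v1.5 over SHA-256 rather than the CMS/PKCS#7 SignedData that
S/MIME actually carries in the pkcs7-signature attachment; and the
certificate is self-signed rather than issued by Thawte or Verisign.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample: a posting as signed by the sender, and the trailer the list server appends afterwards.
var posting = []byte("Subject: Re: Transmitting Patient Information\r\n\r\nSigned test posting.\r\n")
var listTrailer = []byte("\r\n**********\r\nTo be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy\r\n")

// signBody signs SHA-256(body) with RSA PKCS#1 v1.5. Simplification: S/MIME wraps this kind of
// signature in a CMS/PKCS#7 SignedData object; the failure mode when the body changes is the same.
func signBody(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	h := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verifyBody reports whether sig is a valid signature over body under pub.
func verifyBody(pub *rsa.PublicKey, body, sig []byte) bool {
	h := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// newIdentity generates an RSA key and a self-signed X.509 certificate for it
// (hypothetical subject name) with the given validity window.
func newIdentity(notBefore, notAfter time.Time) (*rsa.PrivateKey, *x509.Certificate, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Digital ID"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	c, err := x509.ParseCertificate(der)
	return priv, c, err
}

// certStatus is the check a client makes on the certificate itself, independent of any one message's signature.
func certStatus(c *x509.Certificate, now time.Time) string {
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
		return "invalid"
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return "expired"
	}
	return "valid"
}

// ListTrailerBreaksSignature: the signature verifies over the body as sent, fails once the
// trailer is appended, and the certificate is reported valid either way.
func ListTrailerBreaksSignature() (asSent, withTrailer bool, cert string, err error) {
	now := time.Now()
	priv, c, err := newIdentity(now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		return
	}
	sig, err := signBody(priv, posting)
	if err != nil {
		return
	}
	tampered := append(append([]byte{}, posting...), listTrailer...)
	return verifyBody(&priv.PublicKey, posting, sig), verifyBody(&priv.PublicKey, tampered, sig), certStatus(c, now), nil
}

// ExpiredCertStillDecrypts: the certificate expired a year ago, yet the private key still
// decrypts an archived message that was encrypted to the public key in that certificate.
func ExpiredCertStillDecrypts() (cert string, decrypted bool, err error) {
	now := time.Now()
	priv, c, err := newIdentity(now.Add(-2*365*24*time.Hour), now.Add(-365*24*time.Hour))
	if err != nil {
		return
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.PublicKey.(*rsa.PublicKey), posting, nil)
	if err != nil {
		return
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return certStatus(c, now), err == nil && string(pt) == string(posting), err
}

func main() {
	fmt.Println(ListTrailerBreaksSignature()) // true false valid <nil>
	fmt.Println(ExpiredCertStillDecrypts())   // expired true <nil>
}
```

The "invalid signature, valid certificate" split in the first result is
exactly what a careful S/MIME client should report for a list-mangled
message; a client that collapsed both into one red-X would be hiding
which of the two checks failed.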

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "William J. Kammerer" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, 29 April, 2002 09:23 PM
Subject: RE: Transmitting Patient Information via Internet (Email)

Hate to tell you this, but my Outlook reports your certificate invalid!
So much for theory. In practice, certificates have a significant number
of management and administration problems. They expire and can make
archived email inaccessible. They require significantly more help desk
and seat management time. Additionally, if you have a certificate, you
are vulnerable to its use by email-based viruses that send from your email
client once infected. At least web-based / internet browser viewed
secure email is secure and reliable based upon the server SSL
certificate (different than the distributed certificate that accompanies
regular email). Though again the problem with both is lack of Trust. The
network is as much the problem as anything. There are "sniffers" that
can capture email passing through most ISPs, and MIME can be broken. New
"harvester" worms infect your email client and copy/resend emails based
upon special criteria. In my opinion, only if there is a true trusted
network, can you reasonably assure compliance. Outlook is a great
product, but at this time, I personally do not see it as HIPAA compliant
for either the Exchange or Internet Email clients, where the email
travels over the web. Products like Lok, and any others like it, offer a
fully secure and trusted solution.

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 7:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Transmitting Patient Information via Internet (Email)


I religiously sign using X.509 certificates (digital IDs), and have had
very few problems corresponding with either folks who have given me
their certificates (in which case e-mails can be encrypted), or those
who have no certificates (in which case, I merely sign). The latter
"un-certificated" folks will most likely receive my e-mail showing a red
ribbon indicating the message has been signed and giving them an
automatic means of importing my certificate (public key) - assuming they
are using an S/MIME compatible e-mail client.  Others (using AOL - which
doesn't support any standard e-mail protocols, let alone S/MIME - or
free web browser e-mail) will merely see a pkcs7-signature attachment,
which they can safely ignore.

My correspondents have used any number of e-mail clients:  Outlook,
Outlook Express or Netscape Communicator (on Windows or the Mac) and all
have worked flawlessly as far as signing and encryption are concerned.
Any number of encryption methods have been used among us, e.g., 40-bit
RC2, DES and Triple-DES, with nary a concern.

Sometimes, though, we have to futz a little to get a digital ID properly
associated with an address book entry.  But once that's done, secure
e-mail Digital IDs or certificates from any number of CAs - usually
Thawte or Verisign - have never caused a problem with interoperability
using these e-mail clients. I've even had correspondents (who don't
trust CAs for some reason) give me self-signed certificates, which I've
gotten to work easily.

The only serious problem I have run into is one zealous network
administrator at a correspondent's company who thinks pkcs7-signature
attachments are viruses, and has tuned the virus scanner to throw away
my signed missives:  I always have to remember to reset the "Sign"
button when sending to that company.  Other network administrators, I'm
sure, are annoyed that my correspondents use encryption, as it gets in
their way of reading all incoming and outgoing e-mail in their copious
free time.

In short, any e-mail client which advertises itself as supporting S/MIME
has always seemed to work for me and my correspondents.  The few
technical gotchas are insignificant compared to the problem of getting
folks to try it out.  All the software they need for secure e-mail is
probably already sitting on their desktop:  it's just a social
engineering problem to deal with the resistance.

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.