Re: Encryption

Agree completely and your last point was the point I was trying to make.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:inn8f3tovevf3nmfnv6ucoaq1e34bh09o9@xxxxxxxxxx
"Ed Crowley [MVP]" <curspice@xxxxxxxxxxxxxx> wrote:

If you want the mail encrypted between users, each user needs a
certificate.
I suppose you could give everyone the same certificate, but then they'd be
able to decrypt each other's mail, kind of defeating the purpose. If you
want to encrypt mail between servers, you can implement TLS, and for that
you need a server certificate.

True, but the cert can be a "self issued" one if you just use it for
encrypting the data and not for authentication.

In either case, the correspondents need to
be able to recognize each other's certificates.

But to use TLS you need not trust the other's cert. To get a trusted
SSL cert for a server isn't expensive any more.

In the case of users, they
have to swap and store public certificates. In the case of servers, they
have to trust each other's roots.

That's true only if you want to use the cert for authentication.

No matter how you try to implement this,
it's going to be a lot of work.

The setup of TLS should take more than a half-hour. Provisioning the
individuals with certs issued by trusted CAs is more work, and more
expensive. Getting people to use them properly is the hard part. Using
them with a system that uses another encryption system is impossible.

IBE is expensive.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx
mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx
mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
