Understanding the Exchange - PKI Combination


Understanding the Exchange-PKI Combination

Digital certificates (sometimes called digital IDs) are the most basic and prolific item in any PKI environment. These certificates and their associated private keys ultimately provide one of three functions: encryption, authentication, or digital signatures and nonrepudiation. In Exchange, these functions translate to very specific tasks. A digital ID can be in the form of an X.509 certificate or an eXtensible rights Markup Language (XrML) license, such as in the rights management (RM) model, which I explain later.

With respect to authentication, a message that has been digitally signed with a certificate validates that the sender is authentic and corresponds to a verifiable identity. We then trust the validity of the message because of the trust relationship we have with the organization that issued the certificate. In other words, you know Alice, and she knows Bob. You trust that Bob is who he says he is because Alice vouches for him. It helps if Alice is also rather paranoid and verifies people's identity when she meets them; this makes her unpopular at parties, but makes it easier for you to trust her.

Of course, you can't always depend on the Alices of the world; to take their place, we use a CA to vouch for people, services, or servers. A CA is known as a trusted third party (TTP), and it vouches for the identity of a user, machine, or service by binding a public key to a name in the form of a digital certificate. Domain controllers, license servers, rights management servers, and other TTPs play other roles that we'll discuss throughout the rest of the book. In an Exchange infrastructure, these TTPs issue user identity certificates, machine certificates, and publisher licenses for protected content. In addition to issuing certificates, the CA has some other responsibilities, including establishing and maintaining relationships with other CAs, revoking certificates, and publishing revocation information to relying parties. Microsoft has a good white paper that explains more of the mechanics of certificate infrastructures and trust hierarchies, available at http://www.microsoft.com/technet/prodtechnol/WinXPPro/support/tshtcrl.asp.
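To make the trust relationship in the two paragraphs above concrete, here is an added Go example (not code from this book, from Microsoft, or from Windows Certificate Services) built only on Go's standard crypto/x509 package. A self-signed root plays the CA (Alice), it enrolls a user certificate that binds a public key to an e-mail address (Bob) and publishes a CRL, and a relying party validates a signed message by chaining the sender's certificate to the trusted root, confirming the CA's CRL is genuine and does not list the certificate, confirming the certificate names the claimed sender, and only then checking the signature. The CA name, the address bob@contoso.example, the serial numbers and the message are constructed placeholders; Windows Certificate Services and Exchange KMS do the equivalent with certificate templates and S/MIME, which this example does not reproduce.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Identity: a certificate binding a public key to a name, plus the private key only its subject holds.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (nil parent: self-signed root); validity is one day from now.
func issue(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// NewCA is the trusted third party: a self-signed root allowed to sign certificates and CRLs.
func NewCA(name string) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// Enroll issues a user identity certificate bound to an e-mail address and scoped to signing mail.
func Enroll(ca *Identity, email string, serial int64) (*Identity, error) {
	return issue(&x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca)
}

// PublishCRL is the CA's revocation duty: a signed, dated list of the certificates it has revoked.
func PublishCRL(ca *Identity, revoked []pkix.RevokedCertificate) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked,
	}, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Sign produces a detached signature over a message, as a signed mail would carry.
func Sign(id *Identity, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, id.Key, h[:])
}

// VerifySigned is the relying party's check; each early return is one reason to distrust a signed mail.
func VerifySigned(roots *x509.CertPool, crl *x509.RevocationList, sender *x509.Certificate, claimed string, msg, sig []byte) error {
	chains, err := sender.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	if err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1]: the issuing root in this example
		return fmt.Errorf("CRL not signed by the sender's issuer: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(sender.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v has been revoked", sender.SerialNumber)
		}
	}
	if !slices.Contains(sender.EmailAddresses, claimed) {
		return fmt.Errorf("certificate does not name %s", claimed)
	}
	if err := sender.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature does not match message: %w", err)
	}
	return nil
}
```

Each early return in VerifySigned is one reason a relying party should not trust a signed mail: the issuer is not in the trust store (a certificate from a CA you never chose to trust, however plausible its subject name), the CA has revoked the certificate, the certificate names someone other than the claimed sender, or the signature does not match the message. Because this example enrolls users directly under the root, chains[0][1] is the issuing CA; in a hierarchy with subordinate issuing CAs the CRL to consult is the immediate issuer's, and the revocation status of every intermediate matters as well.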

Microsoft Windows 2000 Server and Microsoft Windows Server 2003 provide a robust infrastructure and toolset that can be used alone or in combination with third-party CA services. Microsoft Windows Rights Management Services (RMS) is a component that can be installed on top of Windows Server 2003 to provide RM functionality to an Exchange infrastructure. The Microsoft Exchange 2000 Server KMS component provides additional functionality to the Windows 2000 Server or Windows Server 2003 CA for an Exchange infrastructure, such as enrollment, revocation, and key archival. This chapter covers using Exchange 2000 Server KMS with a Windows 2000 Server or Windows Server 2003 CA as well as Exchange Server 2003 without KMS in a Windows Server 2003 environment. Although this chapter also introduces and mentions RMS, the primary focus is on the Windows Server 2003 CA functionality and its integration with an Exchange secure messaging infrastructure.

Note

Notice that I didn't mention Microsoft Outlook. In fact, I don't mention it later in the chapter either: this chapter is all about the Windows Certificate Services infrastructure and Exchange. The mechanics of using certificates with Outlook are covered in Chapter 13, Securing Outlook.




Secure Messaging with Microsoft Exchange Server 2003
Secure Messaging with Microsoft® Exchange Server 2003 (Pro-Other)
ISBN: 0735619905
Year: 2004
Pages: 189
