Signing Messages


Now that you have a certificate on your system, you’re ready to start digitally signing your outgoing messages so that recipients can verify your identity. When you send a digitally signed message, Outlook 2007 sends the original message and an encrypted copy of the message with your digital signature. The recipient’s e-mail application compares the two versions of the message to determine whether they are the same. If they are, no one has tampered with the message. The digital signature also enables the recipient to verify that the message is from you.

Note 

Because signing your e-mail requires Outlook 2007 to send two copies of the message (the unencrypted message and the encrypted copy), the signed e-mail message is larger.

Understanding S/MIME and Clear-Text Options

Secure/Multipurpose Internet Mail Extensions (S/MIME), an Internet standard, is the mechanism in Outlook 2007 that enables you to digitally sign and encrypt messages. The e-mail client handles the encryption and decryption required for both functions.

Users with e-mail clients that don’t support S/MIME can’t read digitally signed messages unless you send the message as clear text (unencrypted). Without S/MIME support, the recipient is also unable to verify the authenticity of the message or verify that the message hasn’t been altered. Without S/MIME, then, digital signatures are relatively useless. However, Outlook 2007 does offer you the option of sending a digitally signed message as clear text to recipients who lack S/MIME support. If you need to send the same digitally signed message to multiple recipients, some of whom have S/MIME-capable e-mail clients and some of whom do not, digitally signing the message allows those with S/MIME support to authenticate it, and including the clear-text message allows the others to at least read it.

The following section explains how to send a digitally signed message, including how to send the message in clear text for those recipients who require it.
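The difference between a clear-text signed message and an opaque signed message is easiest to see in the MIME structure itself. The following example is added here and is not code from the book or from Outlook: it builds both shapes with a constructed placeholder in place of a real PKCS #7 signature, shows what a client without S/MIME support can still read, and hashes the content the signature covers to show why an altered message fails verification. The addresses, subject and body are constructed.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder. A real S/MIME signature is a DER-encoded PKCS #7
# SignedData structure produced with the sender's private key; this stand-in
# exists only so the MIME structures can be built and parsed offline.
FAKE_PKCS7_SIGNATURE = b"\x30\x82PLACEHOLDER-PKCS7-SIGNEDDATA"

BODY = "Please approve the wire transfer of 10,000 EUR.\n"  # constructed


def build_clear_signed(body: str) -> bytes:
    """multipart/signed: the readable text part plus a detached signature part.
    This is the shape of a message sent with 'Send This Message As Clear Text Signed'."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer["From"] = "alice@example.com"  # constructed addresses
    outer["To"] = "bob@example.com"
    outer["Subject"] = "Approval needed"
    outer.attach(MIMEText(body, "plain"))
    outer.attach(MIMEApplication(FAKE_PKCS7_SIGNATURE, "pkcs7-signature",
                                 name="smime.p7s"))
    return outer.as_bytes()


def build_opaque_signed(body: str) -> bytes:
    """application/pkcs7-mime: text and signature wrapped together in one CMS
    blob, which is what a recipient gets when the clear-text option is off."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Approval needed"
    msg.set_content(FAKE_PKCS7_SIGNATURE + body.encode(), maintype="application",
                    subtype="pkcs7-mime", filename="smime.p7m",
                    params={"smime-type": "signed-data"})
    return msg.as_bytes()


def readable_text_without_smime(raw: bytes):
    """The text a mail client with no S/MIME support can still display, or None."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "us-ascii"
            return part.get_payload(decode=True).decode(charset)
    return None


def signed_content(raw: bytes) -> bytes:
    """The bytes an S/MIME client hashes when verifying a clear-signed message:
    the whole first MIME part, headers included, with CRLF line endings
    (RFC 1847 canonical form)."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    first_part = msg.get_payload()[0]
    text = first_part.as_string()
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode("utf-8")


def content_digest(raw: bytes, algorithm: str = "sha256") -> str:
    """Digest over the signed content; the signature is a signed copy of this
    value, so any change to the covered bytes makes verification fail."""
    return hashlib.new(algorithm, signed_content(raw)).hexdigest()


def tampering_is_detected() -> bool:
    """Alter the amount in transit and show the digest no longer matches."""
    original = build_clear_signed(BODY)
    altered = original.replace(b"10,000 EUR", b"90,000 EUR")
    return content_digest(original) != content_digest(altered)
```

The opaque form yields no readable text at all for a non-S/MIME client, which is exactly why the clear-text option exists for mixed recipient lists.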

Adding Your Digital Signature

Follow these steps to digitally sign an outgoing message:

  1. Compose the message in Outlook 2007.

  2. On the Message tab in the Options group, click the Message Options Dialog Box Launcher (in the lower-right corner) to open the Message Options dialog box.

  3. Click Security Settings to open the Security Properties dialog box, as shown in Figure 24–10.

    Figure 24–10: You can add a digital signature using the Security Properties dialog box.

  4. Select Add Digital Signature To This Message, and then select other check boxes as indicated here:

    • Send This Message As Clear Text Signed  Select this check box to include a clear-text copy of the message for recipients who don’t have S/MIME-capable e-mail applications. Clear this check box to prevent the message from being read by mail clients that don’t support S/MIME.

    • Request S/MIME Receipt For This Message  Select this check box to request a secure receipt to verify that the recipient has validated your digital signature. When the message has been received and saved, and your signature is verified (even if the recipient doesn’t read the message), you receive a return receipt. No receipt is sent if your signature is not verified.

  5. If necessary, select security settings in the Security Setting drop-down list. (If you have not yet configured your security options, you can do so by clicking Change Settings.)

    For details on security option configuration, see “Creating and Using Security Profiles” on the next page.

  6. Click OK to add the digital signature to the message.

Note 

If you send a lot of digitally signed messages, you’ll want to configure your security options to include a digital signature by default; see the following section for details. In addition, you might want to add a button to the toolbar to let you quickly sign the message without using a dialog box.

For details about how to add such a button to the toolbar, see “You Need a Faster Way to Digitally Sign a Message” on page 703.

Setting Global Security Options

To save time, you can configure your security settings to apply globally to all messages, changing settings only as needed for certain messages. In Outlook 2007, choose Tools, Trust Center, and then click E-Mail Security. On the E-Mail Security page, shown in Figure 24–11, you can set security options using the following list as a guide.

  • Encrypt Contents And Attachments For Outgoing Messages  If most of the messages you send need to be encrypted, select this check box to encrypt all outgoing messages by default. You can override encryption for a specific message by changing the message’s properties when you compose it. Clear this check box if the majority of your outgoing messages do not need to be encrypted.

For information about encryption, see “Encrypting Messages” on page 714.

  • Add Digital Signature To Outgoing Messages  If most of your messages need to be signed, select this check box to digitally sign all outgoing messages by default. Clear this check box if most of your messages do not need to be signed; you will be able to digitally sign specific messages as needed when you compose them.

  • Send Clear Text Signed Message When Sending Signed Messages  If you need to send digitally signed messages to recipients who do not have S/MIME capability, select this check box to send clear-text digitally signed messages by default. You can override this option for individual messages when you compose them. In most cases, you can clear this check box because most e-mail clients support S/MIME.

  • Request S/MIME Receipt For All S/MIME-Signed Messages  Select this check box to request a secure receipt for all S/MIME messages by default. You can override the setting for individual messages when you compose them. A secure receipt indicates that your message has been received and the signature verified. No receipt is returned if the signature is not verified.

  • Settings  Click Settings to configure more-advanced security settings and create additional security setting groups. For details, see the following section, “Creating and Using Security Profiles.”

  • Publish To GAL  Click this button to publish your certificates to the Global Address List (GAL), making them available to other Exchange Server users in your organization who might need to send you encrypted messages. This is an alternative to sending the other users a copy of your certificate.

Figure 24–11: Use the E-Mail Security page of the Trust Center to configure options for digital signing and encryption.

Creating and Using Security Profiles

Although in most cases you need only one set of Outlook 2007 security settings, you can create and use multiple security profiles. For example, you might send most of your secure messages to other Exchange Server users and only occasionally send secure messages to Internet recipients. In that situation, you might maintain two sets of security settings: one that uses Exchange Server security and another that uses S/MIME, each with different certificates and hash algorithms (the method used to secure the data).

You can configure security profiles using the Change Security Settings dialog box, which you access through the Settings button on the E-Mail Security page of the Trust Center dialog box. One of your security profiles acts as the default, but you can select a different security profile any time it’s needed.

Follow these steps to create and manage your security profiles:

  1. In Outlook 2007, choose Tools, Trust Center, and then click the E-Mail Security page.

  2. Click Settings to display the Change Security Settings dialog box, shown in Figure 24–12. Set the options described in the following section as needed. If you are creating a new set of settings, start by clicking New prior to changing settings because selecting New clears all other setting values.

    • Security Settings Name  Specify the name for the security profile that should appear in the Default Setting drop-down list on the Security tab.

    • Cryptographic Format  In this drop-down list, select the secure message format for your messages. The default is S/MIME, but you also can select Exchange Server Security. Use S/MIME if you’re sending secure messages to Internet recipients. You can use either S/MIME or Exchange Server Security when sending secure messages to recipients on your Exchange Server.

    • Default Security Setting For This Cryptographic Message Format  Select this check box to make the specified security settings the default settings for the message format you selected in the Cryptographic Format drop-down list.

    • Default Security Setting For All Cryptographic Messages  Select this check box to make the specified security settings the default settings for all secure messages for both S/MIME and Exchange Server security.

    • Security Labels  Click to configure security labels, which display security information about a specific message and restrict which recipients can open, forward, or send that message. Security labels rely on security policies implemented in Windows 2000 or later.

    • New  Click to create a new set of security settings.

    • Delete  Click to delete the currently selected group of security settings.

    • Password  Click to specify or change the password associated with the security settings.

    • Signing Certificate  This read-only information indicates the certificate being used to digitally sign your outgoing messages. Click Choose if you want to choose a different certificate. Once you choose a signing certificate, all the fields in the Certificates and Algorithms area are automatically populated.

    You assign the default signing and encryption certificates through Outlook 2007’s global security settings; for information, see “Setting Global Security Options” on page 699.

    • Hash Algorithm  Use this drop-down list to change the hash algorithm used when digitally signing messages (the signature is computed over a hash of the message, not over the message itself). Hash algorithm options include MD5, SHA1, SHA256, SHA384, and SHA512. MD5 and SHA1 are no longer considered collision-resistant, so prefer SHA256 or stronger wherever your recipients’ clients support it. For more information on these hashing algorithms, see the following article: “The .Net Developers Guide Cryptography Overview” (http://windowssdk.msdn.microsoft.com/en-us/library/92f9ye3s.aspx).

    • Encryption Certificate  This read-only information indicates the certificate being used to encrypt your outgoing messages. Click Choose if you want to specify a different certificate.

    • Encryption Algorithm  Use this drop-down list to change the encryption algorithm used to encrypt messages. The encryption algorithm is the mathematical method used to encrypt the data.

    • Send These Certificates With Signed Messages  Select this check box to include your certificate with outgoing messages. Doing so allows recipients to send encrypted messages to you.

      Figure 24–12: Configure your security profiles in the Change Security Settings dialog box.

  3. Click OK to close the Change Security Settings dialog box.

  4. In the Default Setting drop-down list on the E-Mail Security page, select the security profile you want to use by default and then click OK.

Inside Out: You Need a Faster Way to Digitally Sign a Message

If you don’t send a lot of digitally signed messages, you might not mind the steps for getting to the Security Properties dialog box to sign a message you compose. However, if you frequently send digitally signed messages, but don’t want to configure Outlook 2007 to sign all messages by default, all the clicking involved in signing the message can be onerous. To digitally sign your messages faster, consider adding a toolbar button that lets you toggle a digital signature with a single click by following these steps:

  1. Open the Inbox folder in Outlook 2007.

  2. Click New to display the message form for a new message.

  3. In the message form, choose the Customize Quick Access Toolbar drop-down list (at the end of the Quick Access Toolbar) and click More Commands.

  4. In the Choose Commands From drop-down list, select All Commands.

  5. In the All Commands list, shown in Figure 24–13, select Digitally Sign Message and click Add, then OK to close the dialog box. The Digitally Sign Message icon will be added to the end of the Quick Access Toolbar. If you later want to switch security profiles, you can select the profile you want to use in the Default Setting drop-down list on the E-Mail Security page in the Trust Center dialog box.

    Figure 24–13: Use the Customize The Quick Access Toolbar to add the Digitally Sign Message command to the toolbar.

The Digitally Sign Message and Encrypt icons are also added to the Options group on the Message tab when you add a Digital ID to Outlook 2007. Click Close and then close the message form.

Now whenever you need to digitally sign or encrypt a message, you can click the appropriate button on the Quick Access Toolbar or in the Options group on the Ribbon when you compose the message. Outlook 2007 displays an outline around the button to indicate that the command has been selected, so you can tell at a glance whether the message will be signed, encrypted, or both.

Reading Signed Messages

When you receive a digitally signed message, the Inbox displays a Secure Message icon in place of the standard envelope icon (see Figure 24–14) and shows a Signature button in the Reading Pane. The message form also includes a Signature button (see Figure 24–15). You can click the Signature button in either the Reading Pane or the form to display information about the certificate.

Figure 24–14: Outlook 2007 displays a different icon in the Inbox for secure messages.

Figure 24–15: Click the Signature button on the message form to view certificate information.

Because Outlook 2007 supports S/MIME, you can view and read a digitally signed message without taking any special action. How Outlook 2007 treats the message, however, depends on the trust relationship of the associated certificate. If the certificate is not explicitly distrusted, Outlook 2007 displays the message in the Reading Pane. If the certificate is explicitly not trusted, you’ll see only an error message in the Reading Pane header, as shown in Figure 24–16. When you open the message, you are alerted that there’s a problem with the sender’s certificate and the text of the message is not displayed. Outlook 2007 displays a dialog box that notes the error when you open the message (see Figure 24–17).

Figure 24–16: Outlook 2007 displays an error message if the digital signature of an incoming message is not trusted.

Figure 24–17: Outlook 2007 warns you when you open a message that has a certificate problem.

There is no danger in opening a message with an invalid certificate. However, you should verify that the message really came from the person listed as the sender and is not a forged message.

Changing Certificate Trust Relationships

To have Outlook 2007 authenticate a signed message and treat it as being from a trusted sender, you must add the certificate to your list of trusted certificates. An alternative is to configure Outlook 2007 to inherit trust for a certificate from the certificate’s issuer. For example, assume that you have a CA in your enterprise. Instead of configuring each sender’s certificate to be trusted explicitly, you can configure Outlook 2007 to inherit trust from the issuing CA; in other words, Outlook 2007 will implicitly trust all certificates issued by that CA.

Follow these steps to configure the trust relationship for a certificate:

  1. In Outlook 2007, select the signed message. If the Reading Pane displays an error message, or if you aren’t using the Reading Pane, open the message and click the Secure Message button to view the Message Security Properties dialog box (see Figure 24–18). Otherwise, click the Secure Message button in the Reading Pane.

    Figure 24–18: Use the Message Security Properties dialog box to view status and properties of the certificate.

  2. Click Details, and in the Message Security Properties dialog box, click the Signer line, and then click Edit Trust to display the Trust tab of the View Certificate dialog box, as shown in Figure 24–19.

    Figure 24–19: Use the Trust tab to configure the trust relationship for the certificate.

  3. Select one of the following options:

    • Inherit Trust From Issuer  Select this option to inherit the trust relationship from the issuing CA. For detailed information, see the following section, “Configuring CA Trust.”

    • Explicitly Trust This Certificate  Select this option to explicitly trust the certificate associated with the message if you are certain of the authenticity of the message and the validity of the sender’s certificate.

    • Explicitly Don’t Trust This Certificate  Select this option to explicitly distrust the certificate associated with the message. Any other messages that you receive with the same certificate will generate an error message in Outlook 2007 when you attempt to view them.

  4. Click OK, click Close to close the Message Security Properties dialog box, and click Close again to close the Digital Signature dialog box.

    For information on viewing a certificate’s other properties and configuring Outlook 2007 to validate certificates, see “Viewing and Validating a Digital Signature” on page 711.

Configuring CA Trust

Although you might not realize it, your computer system by default includes certificates from several public CAs (typically VeriSign, Thawte, Equifax, GTE, or several others), which were installed when you installed your operating system. By default, Outlook 2007 and other applications trust certificates issued by those CAs without requiring you to obtain and install each CA’s certificate.

The easiest way to view these certificates is through Internet Explorer:

  1. In Internet Explorer, choose Tools, Internet Options and click the Content tab.

  2. Click Certificates to open the Certificates dialog box (see Figure 24–20). Click the Trusted Root Certification Authorities tab, which contains a list of the certificates.

    Figure 24–20: You can view a list of certificates in Internet Explorer’s Certificates dialog box.

If you have a personal certificate issued by a specific CA, the issuer’s certificate is installed on your computer. Messages you receive that are signed with certificates issued by the same CA inherit trust from the issuer without requiring the installation of any additional certificates. If you’re working in a large enterprise with several CAs, however, you’ll probably receive signed messages containing certificates issued by CAs other than the one that issued your certificate. Thus you might not have the issuing CA’s certificate on your system, which prevents Outlook 2007 from trusting the certificate. In this case, you need to add that CA’s certificate to your system.

If you need to connect to a Windows-based enterprise CA to obtain the CA’s certificate and install it on your system, perform the following steps.

  1. Point your Web browser to http://<machine>/certsrv, where <machine> is the name or IP address of the CA.

  2. After the page loads, select Download A CA Certificate, Certificate Chain, Or CRL.

  3. Select Download CA Certificate, and then choose to Open (at this point you could also Save it to your computer if you want to save the certificate file for later use).

  4. Click Install Certificate to install the CA’s certificate on your system. This will launch the Certificate Import Wizard. Click Next.

  5. In the Certificate Store dialog box, select Automatically Select The Certificate Store Based Upon The Type Of Certificate. Click Next and then click Finish to add the CA certificate. You will be notified that the import was successful and will have to click OK twice to close the dialog boxes.

The procedure just outlined assumes that the CA administrator has not customized the certificate request pages for the CA. If the pages have been customized, the actual process you must follow could be slightly different from the one described here.

Note 

If you prefer, you can download the CA certificate instead of installing it through the browser. Use this alternative when you need to install the CA certificate on more than one computer and must have the certificate as a file.

Configuring CA Trust for Multiple Computers

The process described in the preceding section is useful when configuring CA trust for a small number of computers, but it can be impractical with a large number of computers. In these situations, you can turn to group policy to configure CA trust in a wider area such as an organizational unit (OU), a domain, or an entire site.

You can create a certificate trust list (CTL), which is a signed list of root CA certificates that are considered trusted, and deploy that CTL through Group Policy. This solution requires that you be running the Active Directory directory service with Windows XP and/or Windows Vista clients as domain members.

Follow these steps to create and deploy the CTL:

  1. Log on to a domain controller and open the Active Directory Users And Computers console.

  2. Create a new Group Policy Object (GPO) or edit an existing GPO at the necessary container in Active Directory, such as an OU.

  3. In the Group Policy Editor, expand the branch User Configuration\Windows Settings\Security Settings\Public Key Policies\Enterprise Trust.

  4. Right-click Enterprise Trust and choose New, Certificate Trust List to start the Certificate Trust List Wizard.

  5. Click Next, and then specify a name and valid duration for the CTL (both optional), as shown in Figure 24–21. Select one or more purposes for the CTL in the Designate Purposes list (in this example, choose Secure Email), and then click Next.

    Figure 24–21: Select a purpose for the CTL and other properties, such as a friendly name for easy identification.

  6. On the Certificates In The CTL page (see Figure 24–22), click Add From Store to add certificates to the list from the server’s certificate store. Choose one or more certificates and click OK.

    Figure 24–22: Add certificates to the CTL.

  7. If the certificates are stored in an X.509 file, Microsoft Serialized Certificate Store, or PKCS #7 certificate file, click Add From File, select the file, and click Open.

  8. Back on the Certificates In The CTL page, click Next. On the Signature Certificate page, select a certificate to sign the CTL. The certificate must be stored in the local computer certificate store instead of the user certificate store. Click Next after you select the certificate.

  9. You can optionally choose the Add A Timestamp To The Data option and specify a timestamp service URL if one is available. Otherwise, click Next.

  10. Optionally, enter a friendly name and description for the CTL to help identify it, click Next, and click Finish.

Viewing and Validating a Digital Signature

You can view the certificate associated with a signed message to obtain information about the issuer, the person to whom the certificate is issued, and other matters.

To do so, follow these steps:

  1. Open the message and click the Signature button in either the Reading Pane or the message form; then click Details to display the Message Security Properties dialog box, which provides information about the certificate’s validity in the Description box.

  2. Click Signer in the list to view additional signature information in the Description box, such as when the message was signed (see Figure 24–23).

    Figure 24–23: The Description box offers information about the validity of the certificate.

  3. Click View Details to open the Signature dialog box, shown in Figure 24–24, which displays even more detail about the signature.

    Figure 24–24: Use the Signature dialog box to view additional properties of the signature and to access the certificate.

  4. On the General tab of the Signature dialog box, click View Certificate to display information about the certificate, including issuer, certification path, and trust mode.

  5. Click OK, click Close to close the Message Security Properties dialog box, and click Close again to close the Digital Signature dialog box.

The CA uses a certificate revocation list (CRL) to indicate the validity of certificates. If you don’t have a current CRL on your system, Outlook 2007 can treat the certificate as trusted, but can’t validate the certificate and will indicate this when you view the signature.

You can locate the path to the CRL by examining the certificate’s properties as follows:

  1. Click the Signature button for the message, either in the Reading Pane or in the message form, and then click Details.

  2. In the Message Security Properties dialog box, click Signer and then click View Details.

  3. On the General tab of the Signature dialog box, click View Certificate and then click the Details tab (see Figure 24–25).

    Figure 24–25: Use the Details tab to view the CRL path for the certificate.

  4. Scroll through the list to find and select CRL Distribution Points.

  5. Scroll through the list in the lower half of the dialog box to locate the URL for the CRL.

When you know the URL for the CRL, you can point your browser to the site to download and install the CRL. If a CA in your enterprise issued the certificate, you can obtain the CRL from the CA.
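The trust decisions described in “Changing Certificate Trust Relationships” and “Configuring CA Trust”, together with the CRL behaviour just described, combine into a small decision procedure: an explicit setting on the sender’s certificate wins, otherwise trust is inherited up the issuer chain to a root in the trusted store, a missing issuing-CA certificate breaks the chain, and a trusted certificate can still be unvalidated (no current CRL) or revoked. The following model is an added illustration of that behaviour, not Outlook’s code; the CA names, addresses and serial numbers are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    TRUSTED = "trusted"                              # chain trusted, CRL checked
    TRUSTED_UNVALIDATED = "trusted, not validated"   # chain trusted, no current CRL
    NOT_TRUSTED = "not trusted"                      # no explicit trust, chain incomplete
    DISTRUSTED = "explicitly distrusted"             # 'Explicitly Don't Trust This Certificate'
    REVOKED = "revoked"                              # serial listed on the issuer's CRL


@dataclass
class Cert:
    subject: str
    issuer: str      # subject of the issuing CA; equals subject for a root CA
    serial: int


@dataclass
class TrustStore:
    roots: set       # subjects in Trusted Root Certification Authorities
    known: dict      # subject -> Cert for CA certificates installed on this system
    explicit: dict = field(default_factory=dict)  # subject -> True (trust) / False (distrust)
    crls: dict = field(default_factory=dict)      # issuer -> set of revoked serials


def resolve(store: TrustStore, cert: Cert) -> Status:
    """Decide how a signed message's certificate is treated."""
    if cert.subject in store.explicit:   # an explicit setting overrides inheritance
        base = Status.TRUSTED if store.explicit[cert.subject] else Status.DISTRUSTED
    else:
        base = _inherit(store, cert, seen=set())
    if base is not Status.TRUSTED:
        return base
    if cert.issuer not in store.crls:    # trusted, but validity cannot be confirmed
        return Status.TRUSTED_UNVALIDATED
    if cert.serial in store.crls[cert.issuer]:
        return Status.REVOKED
    return Status.TRUSTED


def _inherit(store: TrustStore, cert: Cert, seen: set) -> Status:
    """Walk up the issuer chain until a trusted root, an explicit setting,
    or a gap (issuing CA certificate not installed) is reached."""
    if cert.issuer == cert.subject:      # self-signed: trusted only if in the root store
        return Status.TRUSTED if cert.subject in store.roots else Status.NOT_TRUSTED
    if cert.issuer in seen:              # malformed loop: never trust it
        return Status.NOT_TRUSTED
    seen.add(cert.issuer)
    if cert.issuer in store.explicit:
        return Status.TRUSTED if store.explicit[cert.issuer] else Status.DISTRUSTED
    issuer_cert = store.known.get(cert.issuer)
    if issuer_cert is None:              # the page's case: issuing CA's certificate missing
        return Status.NOT_TRUSTED
    return _inherit(store, issuer_cert, seen)


def demo() -> dict:
    """Constructed enterprise PKI: root -> issuing CA -> users, plus an outside sender."""
    root = Cert("Contoso Root CA", "Contoso Root CA", 1)
    sub = Cert("Contoso Issuing CA", "Contoso Root CA", 2)
    alice = Cert("alice@contoso.example", "Contoso Issuing CA", 1001)
    mallory = Cert("mallory@contoso.example", "Contoso Issuing CA", 1002)
    bob = Cert("bob@fabrikam.example", "Fabrikam CA", 7)   # Fabrikam CA not installed
    store = TrustStore(roots={"Contoso Root CA"}, known={c.subject: c for c in (root, sub)})
    results = {"no CRL": resolve(store, alice)}
    store.crls["Contoso Issuing CA"] = {1002}              # CRL downloaded and installed
    results["alice"] = resolve(store, alice)
    results["mallory"] = resolve(store, mallory)
    results["bob before"] = resolve(store, bob)
    store.explicit["bob@fabrikam.example"] = True          # Explicitly Trust This Certificate
    results["bob explicit"] = resolve(store, bob)
    store.explicit["alice@contoso.example"] = False        # Explicitly Don't Trust
    results["alice distrusted"] = resolve(store, alice)
    return results
```

Note that explicitly trusting Bob’s certificate still leaves it unvalidated, because no CRL from his issuer is available; installing the issuing CA’s certificate and CRL is what turns that into a fully validated result.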

To obtain and install the CRL, follow these steps:

  1. Point your browser to http://<machine>/certsrv, where <machine> is the name or IP address of the server.

  2. Select the Retrieve The CA Certificate Or Certificate Revocation List option and click Next.

  3. Click Download Latest Certificate Revocation List and save the file to disk.

  4. After downloading the file, locate and right-click the file, and then choose Install CRL to install the current list.




2007 Microsoft Office System Inside Out
ISBN: 0735623244
Year: 2007
Pages: 299