When email is signed with a digital signature, it provides a level of proof that the person using the email address sent the message. More importantly, it also ensures that no one tampered with the message.
Digital signing works at two levels: a simple digital signature that reveals whether a message has been tampered with, and encryption that scrambles the message and attachments so that only the person the message is sent to can read them. Before you can digitally sign your email, you must obtain a digital certificate. Although many corporations provide digital certificates to their employees, anyone can get one free or at a low cost from several Internet sites. Most certificates are issued for one year and must be renewed or reissued when they expire. If you use Outlook at work, your employer might issue a digital certificate for you to use. The certificate is valid only when you send email using the address that's included in the certificate. If you use several email addresses, you'll need a certificate for each address you want to use to send digitally signed messages.
Task: Set Up a Digital Signature
Before you can use a digital signature, it must be installed and set up in Outlook.
Your digital signature is ready to use.
Task: Send Signed and Encrypted Messages
After you've obtained a digital certificate, signing a message is as easy as pressing a toolbar button to enable signing and/or encryption.
Figure 8.7. The Digitally Sign and Encrypt Message buttons are automatically added to the toolbar when you install a digital certificate.
Before you can send encrypted messages, you must have the recipient's digital certificate associated with her contact record. If the person hasn't sent you signed email yet, ask her to send you a digitally signed message. Right-click on the sender's display name and choose Add to Outlook Contacts to add the digital certificate to her contact record. Confirm that the digital certificate was added to the contact by looking on the contact's Certificates tab (see Figure 8.8).
Figure 8.8. Your contact's digital IDs are listed on the Certificates tab of her contact record.
When the recipient's certificate isn't associated with her contact record, Outlook won't allow you to send her encrypted messages. Instead, you'll receive a message like the one shown in Figure 8.9. You can still send a digitally signed message.
Figure 8.9. You need to have the recipient's digital ID associated with her contact before you can send her encrypted messages.
When someone sends you a signed message, you'll see a red ribbon on the envelope icon and a larger red ribbon button on the right side of the header area of the message form, as shown in Figure 8.10. Select a button to display information about the certificate used to sign or encrypt the message. A signed and encrypted message won't display in the Reading Pane; you have to open the message to read it.
Figure 8.10. Signed messages have a red ribbon button and encrypted messages include a blue padlock button.
When there's a problem with the digital ID, the message header includes a warning that the signature has a problem, as shown in Figure 8.11. Many times the problem is caused by an expired digital ID, or the company issuing the certificate is not in your trusted Certificate Authority (CA) list. This often happens when the sender's employer issues its own certificates. In almost all cases, it's safe to trust the certificate if you know and trust the sender.
Figure 8.11. Outlook warns you when there's a problem with the digital certificate. Most of the time, it's either expired or the issuing authority isn't on your trusted list. You'll also see this warning if the message contents were changed after the message was sent.
Click on the signature button to the right of the warning message and a dialog opens that explains why Outlook is unable to trust the certificate. Choose the Details button to view more information about the sender's certificate, or choose the Trust button to immediately trust the certificate. From the Message Security Properties dialog, view additional information about the certificate and click the Edit Trust button to change how Outlook trusts the certificate. This opens the View Certificate dialog shown in Figure 8.12. You can choose from three options:
Figure 8.12. Use the View Certificate dialog to learn more about the certificate. Only when you trust the sender should you select Explicitly Trust This Certificate.
After you trust the certificate, the message header looks like a normal signed message. Selecting the Digital Signature or Encrypted Message button on the message opens a dialog like the one shown in Figure 8.13.
Figure 8.13. The Digital Signature: Valid dialog. Click the Details button to learn more about the certificate.
You should use a clear-text signature for most signed messages you send, especially if you aren't sure which email client the recipient uses or when you know she uses an older client that doesn't support S/MIME messages.
To enable clear text for all signed messages, choose Tools, Options, Security and add a check to the box Send Clear Text Signed Message When Sending Signed Messages. This allows recipients whose email clients don't support S/MIME signatures to read the message without verifying the digital signature. You can change the setting on a per-message basis from the Options dialog when you compose a message. Open the Options dialog using the Options button on the toolbar and then click the Security Settings button. The Security Properties dialog, shown in Figure 8.14, includes options to
Figure 8.14. Use the Security Properties dialog to enable or disable clear text signed messages, request signed read receipts, and to select a different security setting.
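The reason a clear-text signed message stays readable in a non-S/MIME client is the MIME layout: the body travels as ordinary text beside a detached signature part, whereas an opaque-signed or encrypted message wraps everything in a single pkcs7-mime blob. The following added example (not code from the book or from Outlook) builds both layouts with Python's standard email package and shows what a client without S/MIME support can still display; the CMS bytes and the addresses are constructed placeholders.

```python
"""Added example (not the book's code): the wire layout of Outlook's clear-text vs
opaque S/MIME signing, built with Python's standard email package. The CMS bytes
are a constructed placeholder, not a real PKCS#7 signature."""
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

FAKE_CMS = b"constructed placeholder, not real PKCS#7/CMS bytes"
SENDER, RECIPIENT = "alice@example.com", "bob@example.com"  # constructed addresses

def clear_signed(text: str) -> str:
    """multipart/signed: readable body plus a detached application/pkcs7-signature
    part; the layout 'Send Clear Text Signed Message' produces."""
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha-256")
    msg["From"], msg["To"], msg["Subject"] = SENDER, RECIPIENT, "report"
    msg.attach(MIMEText(text))
    sig = MIMEApplication(FAKE_CMS, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    msg.attach(sig)
    return msg.as_string()

def opaque_pkcs7(smime_type: str) -> str:
    """application/pkcs7-mime: the whole body sits inside the CMS blob, so a client
    without S/MIME sees only an attachment. 'signed-data' = opaque signing,
    'enveloped-data' = encryption (the padlock messages)."""
    msg = MIMEApplication(FAKE_CMS, "pkcs7-mime", name="smime.p7m")
    msg.set_param("smime-type", smime_type)
    msg["From"], msg["To"], msg["Subject"] = SENDER, RECIPIENT, "report"
    return msg.as_string()

def smime_kind(raw: str) -> str:
    """Classify a raw message by its S/MIME wrapping (handy for gateway triage)."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pkcs7-signature":
        return "clear-signed"
    if ctype == "application/pkcs7-mime":
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(msg.get_param("smime-type"), "pkcs7-mime")
    return "plain"

def readable_text(raw: str):
    """What a client with no S/MIME support can display: the first text/plain
    part, or None when the body is locked inside a pkcs7-mime blob."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "us-ascii")
    return None
```

Running `readable_text` over `clear_signed("...")` returns the body, while over `opaque_pkcs7("signed-data")` it returns None, which is exactly the difference the clear-text option is meant to bridge.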
The Security Setting selection contains the digital signature configurations you created, as shown earlier in Figure 8.6. By default it contains Automatic and Default, along with the security settings you created and named. The Security Label section is for corporate users only. When your administrator has policy modules set up, you can select them from the list and add a sensitivity label, such as Internal Use Only, to the message header.