Understanding the Exchange–PKI Combination

Digital certificates (sometimes called digital IDs) are the most basic and prolific item in any PKI environment. These certificates and their associated private keys ultimately provide one of three functions: encryption, authentication, or nonrepudiation. In Exchange, these functions translate to very specific tasks.

With respect to authentication, a message that has been digitally “signed” with the private key behind a certificate lets the recipient verify that the sender is authentic. We then trust the validity of the message because of the trust relationship we have with the organization that issued the certificate. In other words, you know John Rodman, and he knows Arlene Huff. You trust that Arlene Huff is who she says she is because John Rodman vouches for her. It helps that John is also a rather paranoid fellow who verifies people’s identity when he meets them; this makes him unpopular at parties, but it makes it easier for you to trust him.

Of course, you can’t always depend on the John Rodmans of the world; to take their place, we use a CA to vouch for people, services, or servers. In addition to issuing certificates, the CA has some other responsibilities, including establishing and maintaining relationships with other CAs and revoking certificates it has issued when an administrator requests it. Microsoft Windows 2000 Server and Microsoft Windows Server 2003 include robust CA tools that can be used alone or in combination with third-party CA services. However, those tools only issue and revoke certificates; the Exchange 2000 KMS ties those certificates to specific e-mail-related functions and allows you to set policies that affect how e-mail authentication and encryption certificates can be issued and used.
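The CA-vouching model described above, played out in code: a root CA issues a certificate to a sender, the sender signs a message, and the recipient accepts the signature only if the certificate chains to the CA it trusts. This is an added example using Go’s standard crypto/x509 package, not code from the book or from Windows Certificate Services; the names, certificates and Ed25519 keys are constructed for the demonstration (Exchange 2000 era deployments used RSA, which Go’s x509 handles the same way).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue generates a key pair and a certificate for name; parent == nil yields a self-signed root CA, otherwise parent (the CA) signs it, which is how the CA "vouches" for the holder.
func Issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo serial, not a real CA's
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, // S/MIME-style usage
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-sign: this certificate is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// SignMessage is the sender's side: a signature over msg with the sender's private key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifySignedMessage is the recipient's side: accept msg only if the sender's certificate
// chains to the CA we trust and is valid for e-mail, and sig verifies under its public key.
func VerifySignedMessage(trustedCA, sender *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := sender.Verify(opts); err != nil {
		return false // issuer not trusted, certificate expired, or not usable for e-mail
	}
	pub, ok := sender.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
```

A certificate with the same name issued by a CA that is not in the trusted pool fails verification, which is the whole point of the CA vouching for identity; a real client would additionally consult the CA’s revocation list, which this example omits.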

Note

Notice that I didn’t mention Microsoft Outlook. In fact, I don’t mention it later in the chapter either—this chapter is all about the Windows Certificate Services infrastructure and Exchange. The mechanics of using certificates with Outlook are covered in Chapter 13, “Securing Outlook.”




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
Year: 2003
Pages: 169