Design and Deployment Considerations
That's the easy, front-end part of an S/MIME-based mail security solution. Behind the scenes, you have a lot of thinking to do when you design and deploy an effective mechanism for handling certificates. Ask yourself the following questions to get started.
Can my current mail clients support sufficient S/MIME services? If your current mail clients don't support the full S/MIME feature set that users need (see Table 1 for an overview of the different S/MIME feature sets), you might need to upgrade your mail client software.
If your current mail client doesn't support S/MIME at all, remember that even though users can't create S/MIME-protected messages or read encrypted or opaque signed messages, they can always read clear signed messages. If you use Exchange Server 2003 messaging servers, you can enable S/MIME for users through OWA.
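Whether a client without S/MIME support can still read a message depends on which of the three S/MIME structures it carries: clear signed (multipart/signed with a detached signature), opaque signed (signed-data inside application/pkcs7-mime), or encrypted (enveloped-data). The following Python function is an added example, not code from the original article; it classifies a message by that structure, and the sample messages are constructed, with placeholder base64 bodies rather than real PKCS#7 data.

```python
from email import message_from_string

# Constructed sample messages; the base64 bodies are placeholders, not real PKCS#7 data.
CLEAR_SIGNED = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Quarterly report attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

OPAQUE_SIGNED = """\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

ENCRYPTED = OPAQUE_SIGNED.replace("smime-type=signed-data", "smime-type=enveloped-data")

def classify_smime(raw: str) -> dict:
    """Identify the S/MIME structure of a message and whether a client with
    no S/MIME support can still display the message text."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pkcs7-signature":
        # Clear signed: part 1 is the plain message, part 2 a detached signature,
        # so any MIME-capable client shows the text (it just cannot verify it).
        text = msg.get_payload(0).get_payload(decode=True).decode().strip()
        return {"form": "clear-signed", "readable_without_smime": True, "body": text}
    if ctype == "application/pkcs7-mime":
        # Opaque signed and encrypted both wrap the entire message inside a CMS blob,
        # so a client without S/MIME support sees only an opaque attachment.
        smime_type = msg.get_param("smime-type")
        if smime_type == "signed-data":
            return {"form": "opaque-signed", "readable_without_smime": False, "body": None}
        if smime_type == "enveloped-data":
            return {"form": "encrypted", "readable_without_smime": False, "body": None}
    return {"form": "none", "readable_without_smime": True, "body": None}
```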
Should I use an internal or commercial CA? S/MIME builds on X.509-formatted digital certificates generated by CAs. To provide S/MIME certificates to your users, you can leverage internal CAs, or you can buy certificates from a commercial CA (such as VeriSign at http://www.verisign.com or thawte at http://www.thawte.com). Internal CAs give your organization complete control over the operation of your certificate "engines" and allow you to provide important services such as key archiving and recovery. Because internal CAs require design, deployment, and maintenance of the PKI, they can be costly. For small organizations, and for organizations that need certificates for only a limited set of users or applications, I recommend buying S/MIME certificates from a commercial CA. They are an easier and cheaper option. . . .