Deciphering PKI

I just read Russell Smith’s excellent article, “Deciphering PKI” (May 2011, InstantDoc ID 129847). I have one question about it. When does a client get a private key, which is used to encrypt the message digest, decrypt messages, and sign messages?

—Robert Mikołajczyk

Thanks for your message. I’m glad that you found the article useful. If I understand correctly, you want to know when a client receives a certificate to work with secure messaging in a program such as Microsoft Outlook. Users must either request or be assigned a certificate for use with secure messaging. This is usually done through an internal PKI. The user’s email client then has to be configured to use the certificate for secure messaging. You can find more information about the infrastructure required to support secure messaging in Outlook 2010 in the Microsoft article “Plan for e-mail messaging cryptography in Outlook 2010” (technet.microsoft.com/en-us/library/cc179061.aspx).

—Russell Smith
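The letter asks at what point the client obtains its private key. The following PowerShell script is an added example and is not part of the original letter, Russell Smith's reply, or the Microsoft article they cite. It walks through a manual S/MIME enrollment against an internal AD CS CA with certreq.exe, which is the command-line path behind the "request a certificate" step described above. The key pair is generated on the user's machine when the request file is built; only the public key leaves the machine, inside the PKCS #10 request, and the private key sits in the user's personal store from that moment on. The CA configuration string, the template name and the subject are constructed placeholders; the template is assumed to accept the subject supplied in the request.

```powershell
# Added example (not from the original letters): manual S/MIME certificate enrollment
# with certreq.exe against an internal Active Directory Certificate Services CA.
# Assumptions (placeholders, adjust to your PKI):
#   - the CA is reachable as 'host\CA common name' as certreq expects
#   - an issuing template named 'SMIME-User' exists and accepts the request's subject
$caConfig = 'ca01.corp.example.com\Corp Issuing CA'
$template = 'SMIME-User'
$subject  = 'CN=Robert Mikolajczyk,E=robert@example.com'

# Request definition. KeyUsage 0xA0 = digitalSignature + keyEncipherment, which is
# what signing outgoing mail and receiving encrypted mail require; the EKU OID
# 1.3.6.1.5.5.7.3.4 is Secure Email. MachineKeySet=FALSE keeps the key in the
# user's profile, Exportable=FALSE stops it from being copied out as a PFX.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.4

[RequestAttributes]
CertificateTemplate = $template
"@

$work    = Join-Path $env:TEMP 'smime-enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'smime.inf'
$reqPath = Join-Path $work 'smime.req'
$cerPath = Join-Path $work 'smime.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Step 1: build the request. This is where the client gets its private key: the
# key pair is generated locally right now and the public half goes into the CSR.
certreq.exe -new $infPath $reqPath

# Step 2: send the CSR to the CA. A template set to issue automatically returns the
# certificate immediately; with manual approval certreq prints a request ID and the
# administrator releases it later.
certreq.exe -submit -config $caConfig $reqPath $cerPath

# Step 3: install the issued certificate. certreq matches it to the pending private
# key generated in step 1 and places both in the user's store (Cert:\CurrentUser\My).
certreq.exe -accept $cerPath

# Confirm the pairing: HasPrivateKey must be True, otherwise Outlook can neither
# sign outgoing mail nor decrypt incoming mail with this certificate.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

After step 3 the certificate can be selected in Outlook's Trust Center as the signing and encryption certificate; the private key never has to be handled by the user, because it was never anywhere but in that user's profile.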


Exchange Autodiscovery Questions

I have a few questions regarding John Savill’s FAQ, “How can I quickly verify that my Exchange autodiscovery is working?” (June 23, 2011, InstantDoc ID 139558):

  1. In John’s examples, he shows both http:// and https://. I’m assuming he means just https:// and no http://. Correct?
  2. If you create an “A” record for the autodiscovery, do you also have to have an SSL for it? That’s assuming we don’t have a wildcard SSL installed (which most of our clients do not). Or does the device know to ignore an SSL error and proceed?
  3. What about internally? I have a few clients who can’t open Outlook and have it automatically discover its settings (in a domain). Can/should we add an “A” pointer in the internal DNS for autodiscovery, and will that fix that problem? (We can manually put in the settings for Outlook and it works fine, just not autodiscovery internally in the domain.)

—Shawn Lemay

Good questions, Shawn.

  1. Yes, it is always https. Sorry about the typo.
  2. Yes, you would typically need a certificate for the autodiscovery unless you have a wildcard normally. This scenario is explained in detail at technet.microsoft.com/en-us/library/bb310762.aspx. There is a way to just use one as described at technet.microsoft.com/en-us/library/bb310764.aspx. However, certificates are typically cheap these days, so purchasing an additional one for autodiscovery is fine for most clients. The more services an organization has on the web, the more attractive a wildcard certificate gets. They cost only a few hundred dollars, and most Microsoft services work with a wildcard certificate today.
  3. Yes, you would have an autodiscovery on the internal DNS domain, and a separate autodiscovery for the Internet-based clients.

I hope these answers help.

—John Savill
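The reply above comes down to three things a client needs before Autodiscover over HTTPS can work: an autodiscover.<domain> record in whichever DNS zone the client is using, a listener on 443, and a certificate that covers that name either directly or through a wildcard. The following PowerShell script is an added example, not part of the original letters or of John Savill's FAQ, that checks those three things from wherever it is run, so running it once from the Internet and once from inside the domain exercises both DNS zones. The domain 'example.com' is a constructed placeholder; the certificate-name check follows how clients apply wildcards (one left-most label, RFC 6125 section 6.4.3), which is the generalization beyond the single case in the text.

```powershell
# Added example (not from the original letters or FAQ): verify the DNS record, the
# TLS listener and the certificate names behind autodiscover.<domain>.
# 'example.com' is a constructed placeholder; pass the SMTP domain your users log in with.
param(
    [string]$Domain = 'example.com'
)

$autodiscoverHost = "autodiscover.$Domain".ToLowerInvariant()

# True when $HostName is covered by one of $CertNames. A wildcard entry such as
# '*.example.com' covers exactly one left-most label, as clients apply it
# (RFC 6125 section 6.4.3), so it covers 'autodiscover.example.com' but not
# 'autodiscover.sub.example.com'.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # '.example.com'
            if ($h.EndsWith($suffix) -and $h.Length -gt $suffix.Length) {
                $leftLabel = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftLabel -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# The DNS names a certificate is valid for: SubjectAltName DNS entries (OID 2.5.29.17)
# when present, otherwise the subject CN.
function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. 'DNS Name=mail.example.com, DNS Name=autodiscover.example.com'
        $names = $san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    if (-not $names) {
        $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    }
    return $names
}

# 1. DNS: the A record John refers to, in whichever zone this machine is using.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($autodiscoverHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS   : $autodiscoverHost -> $($addresses -join ', ')"
} catch {
    Write-Host "DNS   : $autodiscoverHost does not resolve ($($_.Exception.Message)); add the A record in this zone"
    return
}

# 2. TLS handshake. The validation callback accepts any certificate so the script
#    can report what was actually presented; trust is evaluated separately in step 4.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($autodiscoverHost, 443)
} catch {
    Write-Host "TLS   : nothing listening on ${autodiscoverHost}:443 ($($_.Exception.Message))"
    return
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($autodiscoverHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()
Write-Host "TLS   : certificate subject '$($cert.Subject)', expires $($cert.NotAfter)"

# 3. Does the certificate name the Autodiscover host? This is the check that fails
#    when a certificate was bought for mail.<domain> only and no wildcard is in use.
$certNames = Get-CertDnsNames -Cert $cert
if (Test-CertNameMatch -HostName $autodiscoverHost -CertNames $certNames) {
    Write-Host "NAME  : OK, certificate covers $autodiscoverHost ($($certNames -join ', '))"
} else {
    Write-Host "NAME  : MISMATCH, certificate names are: $($certNames -join ', ')"
}

# 4. Does it chain to a root this machine trusts? Outlook warns or fails otherwise.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    Write-Host "CHAIN : OK, issued by $($cert.Issuer)"
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Host "CHAIN : not trusted on this machine ($reasons)"
}
```

A NAME mismatch is the symptom of the certificate question in item 2; a DNS failure only when run from inside the domain is the symptom of the missing internal record in item 3. The script deliberately does not ignore certificate errors the way the question asks about, because Outlook does not either: it surfaces them to the user rather than proceeding silently.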


The Weak Link in IT Security

Jeff James has an excellent message in his article, “Are Users the Weak Link in IT Security?” (June 22, 2011, InstantDoc ID 139572). This is something we’ll need to address in the near term with my employer. Please revisit this topic in future articles!

—Peet Rapp