Everything I read says in order to send an encrypted email all you need to have is the recipients Public Key, aka certificate... baloney! So here I am in Microsoft LookOut 2003 and I am trying to send an encrypted email from UserA to UserB. 1. First it's kinda silly I know but UserB needs to send a signed email message to UserA in order to provide userA with his (UserB's) certificate which holds the Public Key. (Although UserB's certificate is stored in Active Directory, go figure.) 2. UserA now needs to add UserB into his contacts. 3. Now UserA should be able to send an encrypted message to UserB but nope instead UserB is treated to this error: Microsoft Office Outlook could not sign or encrypt this message because you have no certificates which can be used to send from the e-mail address UserA@wonderland.org. You can do either of the following: Get a new digital ID to use with this account. On the Tools menu, click Options, click the Security tab, and then click Get a Digital ID. Use the Accounts button to send the message using an account that you have certificates for. Similar thing happens in Outlook Express. So could someone justify the need for my own certificate in order to send you an email if I happen to have your certificate?

The email you're sending is encrypted with your encryption certificate in your Sent Items folder.Paul Adare CTO IdentIT Inc. ILM MVP

well this makes it that much more interesting, since I don't keep/save my sent items, my Outlook client is configured not to do soand why is the email I am sending encrypted in my sent items folder? I trust the email in my inbox to be protected by my network username and password and Exchanges proprietary RPC encryption between Client and Server

Because that was the design decision made by those who designed and developed Outlook and Outlook Express.And no, there's no way to turn this off.Paul Adare CTO IdentIT Inc. ILM MVP

LOL, oh yes a "Feature" then

Actually, it is per the RFC for email encryptionGo back in the way back machine to 1993 (17 years ago!!!) and read RFC 1421 : http://www.faqs.org/rfcs/rfc1421.htmlBRian

The purpose of SMIME is two-fold: data privacy and proof of origin. What you are suggesting in your original post provides data privacy, but if you were allowed to use any old certificate to sign/encrypt an E-mail, there's no viable way for me verify that the message is really from you (unless you gave me your certificate on a USB fob in-person).

Another email encryption option is Voltage SecureMail. Voltage SecureMail can easily send encrypted email to anyone. Microsoft uses Voltage SecureMail and Identity Based Encryption (IBE) in the Hosted Exchange Service. Voltage SecureMail also has Outlook plug-ins or you can use a web interface for sending encrypted email. Messages are completely controlled by the sender and recipient in their sent folder and inbox. No messages are stored on servers. Recipients don't need any special software to decrypt and read their messages, just a browser. And recipients don't need to pay to read their email. In fact, they even get free support from Voltage. It's much easier to use than PGP, S/MIME or other older solutions...and just as secure...which is probably why they can afford to offer free support to their customers and recipients...unlike those other solutions. It's an ideal solution to help address state privacy regulations in Massachusetts and Nevada as well as the more general HIPAA, SOX, PCI requirements, etc. There is a free trial at: www.voltage.com/vsn

SPAM