- [ Team LiB ]
Using Digital Signatures
When email is signed with a digital signature, it provides a level of proof that the person
using the email address sent the message. More importantly, it also ensures that no one
tampered with the message.
A digital signature is a digital code that can be attached to an email
message to uniquely identify the sender. Like a written signature, the
purpose of a digital signature is to guarantee that the individual
sending the message really is who he claims to be. To be effective,
we need to be assured that a digital signature is not forged, and there
are a number of different encryption techniques that guarantee this
level of security.
Encryption is a more secure form of a digital signature, and encodes
the message so that only someone with the sender's secret key or
password can read the message. Encrypted data is also referred to as
Every digital signature has two levels of signing: a simple digital signature that identifies
messages that have been tampered with, and an encrypted signature that encodes the
message and attachments so that only the person the message is sent to can read it.
Before you can digitally sign your email, you must obtain a digital certificate. Although
many corporations provide digital certificates to their employees, anyone can get one free
or at a low cost from several Internet sites. Most certificates are issued for one year and
must be renewed or reissued when they expire.
If you use Outlook at work, your employer might issue a digital certificate for you to use.
The certificate is valid only when you send email using the address that's included in the
certificate. If you use several email addresses, you'll need a certificate for each address
you want to use to send digitally signed messages.
Don't routinely sign all of your messages, especially on personal
messages or those sent to mailing lists. Not all email clients can read
signed messages. Reserve the use of digital signatures for important
- Task: Set Up a Digital Signature
Before you can use a digital signature, it must be installed and set up in Outlook.
1. Open the Tools, Options, Security dialog.
2. If you already have a current digital certificate, use Import/Export to install your
3. If you need a digital signature, choose Get a Digital ID. This opens your Internet
browser to a list of digital ID providers who partner with Microsoft. The steps
necessary to get your digital ID vary with each service, but most will install the
certificate for you at the end of the process.
4. Once your digital ID is installed, select the Settings button in the Encryption
section of the Security tab.
5. Type a name for your security settings in the Security Setting Name field (see
Figure 8.6). Select the Choose button to select the certificate to use. You should
leave the other settings at their default. Click OK when you're done.
Figure 8.6. Configure the setting for your digital signature on the Change
Security Settings dialog.
- Don't change the default security settings when you install certificates.
Using the wrong setting prevents others from reading your messages.
If you have more than one certificate or need to configure alternative
security settings, choose the New button and type a new name in the
Your digital signature is ready to use.
Task: Send Signed and Encrypted Messages
After you've obtained a digital certificate, signing a message is as easy as pressing a
toolbar button to enable signing and or encryption.
Figure 8.7. The Digitally Sign and Encrypt Message buttons are automatically
added to the toolbar when you install a digital certificate.
Before you can send encrypted messages, you must have the recipient's digital certificate
associated with his contact record. If the person hasn't sent you signed email yet, ask her
to send you a digitally signed message. Right-click on the sender's display name and
choose Add to Outlook Contacts to add the digital certificate to her contact record.
Confirm that the digital signature was added to the contact by looking on the contact's
Certificates tab (see Figure 8.8).
Figure 8.8. Your contact's digital IDs are listed on the Certificates tab of her contact
- When the recipient's certificate isn't associated with her contact record, Outlook won't
allow you to send encrypted messages. Instead, you'll receive a message like the one
shown in Figure 8.9. You can still send a digitally signed message.
Figure 8.9. You need to have the recipient's digital ID associated with her contact
before you can send her encrypted messages.
When someone sends you a signed message, you'll see a red ribbon on the envelope icon
and a larger red ribbon icon on the right side of the header area on a message form, as
shown in Figure 8.10. Select a button to display information about the certificate used to
sign or encrypt the message. A signed and encrypted message won't display in the
Reading Pane; you have to open the message to read it.
- Figure 8.10. Signed messages have a red ribbon button and encrypted messages
include a blue padlock button.
When there's a problem with the digital ID, the message header includes a warning
message that the signature has a problem, as shown in Figure 8.11. Many times the
problem is caused by an expired digital ID, or the company issuing the certificate is not
in your trusted Certificate Authority (CA) list. This often happens when the sender's
employer issues its own certificates. In almost all cases, it's safe to trust the certificate if
you know and trust the sender.
Figure 8.11. Outlook warns you when there's a problem with the digital certificate.
Most of the time, it's either expired or the issuing authority isn't on your trusted list.
You'll also see this warning if the message contents were changed after the message
Click on the signature button to the right of the warning message and a dialog opens that
contains information explaining why Outlook is unable to trust the certificate.
Choose the Details button to view more information about the sender's certificate or
choose the Trust button to immediately trust the certificate.
From the Message Security Properties dialog, view additional information about the
certificate and click the Edit Trust button to change how Outlook trusts the certificate.
This opens the View Certificate dialog shown in Figure 8.12. You can choose from three
- • Inherit Trust from Issuer— This is the default setting and trusts certificates
installed on your computer. You can open the Certificates dialog and view trusted
Certificate Authorities (CAs) by choosing Internet Explorer's Tools, Internet
Options, Content, Certificates menu option.
• Explicitly Trust This Certificate— Choose this option to trust certificates used by
people you trust when their certificates aren't initially trusted by Outlook.
• Explicitly Don't Trust This Certificate— Use this option when you don't want to
trust the sender.
Figure 8.12. Use the View Certificate dialog to learn more about the certificate. Only
when you trust the sender should you select Explicitly Trust This Certificate.
After you trust the certificate, the message header looks like a normal signed message.
Selecting the Digital Signature or Encrypted Message button on the message opens a
dialog like the one shown in Figure 8.13.
Figure 8.13. The Digital Signature: Valid dialog. Click the Details button to learn
more about the certificate.
- A digital signature isn't absolute proof that the person is who he says
he is. Anyone can make up a name and get a digital signature.
However, if it's someone you know and trust, a digitally signed
email is proof enough that the person you know really did send the
message and whether it was tampered with.
You should use a clear text signature for most signed messages you send, especially if
you aren't sure what email client the recipient uses or when you know she uses an older
client that doesn't support S/MIME messages.
S/MIME, short for Secure/MIME, is a version of the MIME protocol
that supports encryption of messages. It works with many newer
email programs and is used for digitally signing messages.
Fortunately, you don't have to understand it to use it; you only need
to know that it's the type of digital signature Outlook uses.
To enable clear text for all signed messages, choose Tools, Options, Security and add a
check to the box to Send Clear Text Signed Message When Sending Signed Messages.
This allows recipients whose email clients don't support S/MIME signatures to read the
message without verifying the digital signature.
You can change the settings on a per-message basis from the Options dialog when you
compose a message. Open the Options dialog using the Options button on the toolbar and
then click the Security Settings button.
The Security Properties dialog, shown in Figure 8.14, includes options to
• Encrypt Message Contents and Attachments— This is checked when you select
the Encrypt Message toolbar button.
- • Add Digital Signature to This Message— This is checked when you select the
Digitally Sign toolbar button.
• Send This Message as Clear Text Signed— Selecting this ensures that the message
can be read using any email client.
• Request S/MIME Receipt for This Message— This is a digitally signed read
receipt. After the recipient who has a digital ID opens the message, you'll get back
a receipt that is signed with the recipient's digital ID.
Figure 8.14. Use the Security Properties dialog to enable or disable clear text signed
messages, request signed read receipts, and to select a different security setting.
The Security Setting selection contains the digital signature configurations you created,
as shown earlier in Figure 8.6. By default, it contains Automatic, Default, along with the
security settings you created and named.
The Security Label section is for corporate users only. When your administrator has
policy modules set up, you can select them from the list and add a sensitivity label, such
as Internal Use Only, to the message header.
[ Team LiB ]