Subject: Using Internet x.509 certs/SMIME for Encrypted Email

Product Area: Notes 8 Client |
 |
Technical Area: Functionality |
 |
Platform: Windows XP client |
 |
Release: All |
 |
Reproducible: Not applicable |
Has anyone had any luck integrating Notes with third-party certificate authorities (e.g., Entrust)?
Although the general process "works", what I've found is that the process is very cumbersome, especially for end users who know nothing about encryption, S/MIME, X.509 certs, etc. They just want to "click encrypt" and be done.
Of particular concern is that Notes requires that every user manually add their private keys to their ID file, on a person-by-person basis. From a user's perspective, it is a very cumbersome process, one that increases exposure of the private keys AND one that offers many opportunities for the certs in the ID file to become out of sync with the "official" ones managed outside of Notes (not to mention all the Help Desk calls from confused, broken, unhappy users...).
Sadly, Notes does not appear to have any support for using Microsoft's CAPI (Crypto API) to retrieve keys. If that were supported, then it should streamline integration with 3rd party CAs that interface cleanly with CAPI (Entrust, for example, says they support the Microsoft CAPI natively).
I'm interested in how others are managing email encryption and the related private keys for thousands of users.
In the meantime, I asked IBM to create an enhancement request to:
1) Have Notes create a function to load a user's private key directly using Microsoft's CAPI (eliminating the need to do a manual export using the 3rd party app followed by a manual import). This should be fairly easy, so I am hoping they can add this easily/quickly as an interim step.
2) Improve the functionality of Notes to use the Microsoft CAPI functions to DIRECTLY use the private keys via CAPI without requiring that they be imported into the ID file. This is likely to take some effort, which is why I suggested the interim step above.
The SPR for this enhancement request is TONN7THP7V.
Also, there is another SPR (RGAU7JJBZM) someone else created to request the automation of the import process.
Since it will take quite a while for any action on those, I am hoping there are others who have good solutions and can reply to this posting with some ideas (including any business partners who may have solutions).
Of course, anyone who's interested in seeing these improvements should open a PMR with IBM to be added to the interested parties list for these SPRs; that's what is really needed to spur IBM to take action.
While I'm hearing rapidly growing concerns about Personally Identifiable Information (PII) and other sensitive information and, thus, the desire to easily encrypt email messages, it seems that the vendors haven't gotten much pressure to improve the usability of their products in this area.
Although these capabilities have been around for years, they don't seem to be very polished. Somehow, I expect that is due to a lack of widespread use, something that I think is changing rapidly. Hopefully, the tide will change so this capability can be deployed much more easily.

Feedback number WEBB7TJNT8 created by ~Sarah Cistoomarader on 07/01/2009

Status: Open
Comments:

Using Internet x.509 certs/SMIME fo... (~Sarah Cistooma... 1.Jul.09)
. . Have you tried an MS-CAPI --> PKCS#... (~Tanita Desweve... 2.Jul.09)
. . . . re: Have you tried an MS-CAPI --> P... (~Sarah Cistooma... 2.Jul.09)
. . . . . . re: Have you tried an MS-CAPI --> ... (~Tanita Desweve... 6.Jul.09)