Hi!

Sorry about cross posting, but I just saw this group so...

If I want to use a Digital ID which does not contain an email address to sign
emails, how can I do that in Outlook 2003?

I know it should be possible, but what should I do exactly?

Cheers,
Mikko

Re: Digital ID without email address by Laudon

Laudon
Fri Oct 17 09:19:16 CDT 2003

You cannot. The S/MIME standard dictates that the email address used must
match the email address in the certificate. If not, anyone receiving the
message will show it as an invalid message.

--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:usmJqOLlDHA.2416@TK2MSFTNGP10.phx.gbl...
> Hi!
>
> Sorry about cross posting, but I just saw this group so...
>
> If I want to use a Digital ID which does not contain an email address to sign
> emails, how can I do that in Outlook 2003?
>
> I know it should be possible, but what should I do exactly?
>
> Cheers,
> Mikko
>
>



Re: Digital ID without email address by Keith

Keith
Fri Oct 17 09:30:33 CDT 2003

No can do.

"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:usmJqOLlDHA.2416@TK2MSFTNGP10.phx.gbl...
> Hi!
>
> Sorry about cross posting, but I just saw this group so...
>
> If I want to use a Digital ID which does not contain an email address to sign
> emails, how can I do that in Outlook 2003?
>
> I know it should be possible, but what should I do exactly?
>
> Cheers,
> Mikko
>
>



Re: Digital ID without email address by Vanguard

Vanguard
Fri Oct 17 21:47:43 CDT 2003

So, you're trying to lie to the recipient that the digital signature is
for the e-mail address you use when sending the e-mail but the security
certificate is really for someone *else's* e-mail address? You don't
get to use a single e-mail certificate for every e-mail account you
might have. You get an e-mail certificate for EACH e-mail address you
have for which you want to use digital signing and/or encryption. You
WILL identify yourself by your e-mail address in the security
certificate. Else, don't use them if your intent is to lie about who
you are and where to reach you.

--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________


"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:usmJqOLlDHA.2416@TK2MSFTNGP10.phx.gbl...
> Hi!
>
> Sorry about cross posting, but I just saw this group so...
>
> If I want to use a Digital ID which does not contain an email address to sign
> emails, how can I do that in Outlook 2003?
>
> I know it should be possible, but what should I do exactly?
>
> Cheers,
> Mikko
>
>



Re: Digital ID without email address by David

David
Sat Oct 18 00:02:27 CDT 2003


"Vanguard" <no-email@post-reply-in-newsgroup.nix> wrote in message
news:jR1kb.163451$%h1.159193@sccrnsc02...
> So, you're trying to lie to the recipient that the digital signature is
> for the e-mail address you use when sending the e-mail but the security
> certificate is really for someone *else's* e-mail address? You don't
> get to use a single e-mail certificate for every e-mail account you
> might have. You get an e-mail certificate for EACH e-mail address you
> have for which you want to use digital signing and/or encryption. You
> WILL identify yourself by your e-mail address in the security
> certificate. Else, don't use them if your intent is to lie about who
> you are and where to reach you.

Not quite right - you can get certificates that list more than one email.
They don't always work properly, however. Obviously, the address you use
MUST be listed in the certificate.

Generally, though - it's better to use individual certificates.

David



Re: Digital ID without email address by Mikko

Mikko
Mon Oct 20 03:25:30 CDT 2003

"Laudon Williams [MSFT]" <laudonw@online.microsoft.com> wrote in message
news:uCnonmLlDHA.1408@TK2MSFTNGP11.phx.gbl...
> You cannot. The S/MIME standard dictates that the email address used must
> match the email address in the certificate. If not, anyone receiving the
> message will show it as an invalid message.

Are you sure? Because I have heard that the S/MIME v3 specification would
allow the use of certificates which don't contain an email address.

The thing here is that the local national identity card (Finnish) doesn't contain
an email address in the certificate.
The MS KB article says something about editing the registry and adding the
SupressNameChecks key to it, but it doesn't seem to work. My Outlook always
says to me that the email address is missing.

Cheers,
Mikko Paavola



Re: Digital ID without email address by Laudon

Laudon
Mon Oct 20 11:35:11 CDT 2003

To clarify, if there is one or more email addresses in the certificate, it
must match the sender/from address. You are correct that you can leave the
email address completely out of the certificate, however, the rfc (rfc2632)
is not very broadly implemented right now. Not on the outlook team so I
can't comment on its behavior :-)


--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:uZ$wEQulDHA.2512@TK2MSFTNGP09.phx.gbl...
> "Laudon Williams [MSFT]" <laudonw@online.microsoft.com> wrote in message
> news:uCnonmLlDHA.1408@TK2MSFTNGP11.phx.gbl...
> > You cannot. The S/MIME standard dictates that the email address used must
> > match the email address in the certificate. If not, anyone receiving the
> > message will show it as an invalid message.
>
> Are you sure? Because I have heard that the S/MIME v3 specification would
> allow the use of certificates which don't contain an email address.
>
> The thing here is that the local national identity card (Finnish) doesn't contain
> an email address in the certificate.
> The MS KB article says something about editing the registry and adding the
> SupressNameChecks key to it, but it doesn't seem to work. My Outlook always
> says to me that the email address is missing.
>
> Cheers,
> Mikko Paavola
>
>
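
The address rule described in the post above (RFC 2632: the From or Sender address is compared with the certificate only when the certificate carries addresses), as an added example that is not part of the original thread. The function name, verdict strings and case-insensitive comparison are assumptions, and the certificate addresses are passed in already extracted.

```python
from email.utils import getaddresses


def check_signer_address(headers, cert_emails):
    """Classify a signed message by the RFC 2632 sender-address rule.

    headers     -- dict with the 'From' and, optionally, 'Sender' header values
    cert_emails -- addresses from the signer certificate (subjectAltName
                   rfc822Name entries and the subject DN emailAddress attribute)
    Returns (verdict, addresses):
      'no-address-in-cert' -- certificate has no address, nothing to compare
      'match'              -- a From/Sender address is listed in the certificate
      'mismatch'           -- certificate lists addresses, none is the sender
    """
    # Assumption: addresses are compared case-insensitively.
    cert = {a.strip().lower() for a in cert_emails if a and a.strip()}
    if not cert:
        # E.g. an identity-card certificate: the client should show the
        # certificate subject instead of claiming an address match.
        return ("no-address-in-cert", [])

    values = [headers[h] for h in ("From", "Sender") if headers.get(h)]
    senders = {addr.lower() for _, addr in getaddresses(values) if addr}

    matched = sorted(senders & cert)
    if matched:
        return ("match", matched)
    # Return the certificate's addresses so the recipient can be shown them.
    return ("mismatch", sorted(cert))


# Constructed sample inputs (addresses reused from the thread for illustration).
SAMPLES = [
    ({"From": '"Mikko Paavola" <argonaut@jippii.fi>'}, []),
    ({"From": "argonaut@jippii.fi"}, ["mikko@jippii.fi"]),
    ({"From": "Mikko <ARGONAUT@jippii.fi>"},
     ["mikko@jippii.fi", "argonaut@jippii.fi"]),
]

if __name__ == "__main__":
    for hdrs, emails in SAMPLES:
        print(hdrs["From"], "->", check_signer_address(hdrs, emails))
```
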



Re: Digital ID without email address by Mikko

Mikko
Wed Oct 22 04:19:36 CDT 2003

"Keith W. McCammon" <km@km.com> wrote in message
news:eSRl2qLlDHA.988@TK2MSFTNGP10.phx.gbl...
> No can do.

I can!

MS EMEA Global Technical Support Centre told me that:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Outlook\Security

DWORD SupressNameChecks = 1


will do the job and it did.


Cheers,
Mikko



Re: Digital ID without email address by S

S
Wed Oct 22 07:12:25 CDT 2003

That or similar change needs to be done on all recipients, too. If that
happens, we'll witness digitally signed spam :)

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:#$Yfq3HmDHA.1004@TK2MSFTNGP09.phx.gbl...
> "Keith W. McCammon" <km@km.com> wrote in message
> news:eSRl2qLlDHA.988@TK2MSFTNGP10.phx.gbl...
> > No can do.
>
> I can!
>
> MS EMEA Global Technical Support Centre told me that:
>
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Outlook\Security
>
> DWORD SupressNameChecks = 1
>
>
> will do the job and it did.
>
>
> Cheers,
> Mikko
>
>



Re: Digital ID without email address by Mikko

Mikko
Thu Oct 23 00:02:22 CDT 2003

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:eMDfQYJmDHA.2536@tk2msftngp13.phx.gbl...
> That or similar change needs to be done on all recipients, too. If that
> happens, we'll witness digitally signed spam :)

I sent a test message to a few friends and it worked just okay.
I also sent a message to myself at another account and read the message with OE.
It just said that everything seems to be just okay, but the email address
doesn't match the certificate.

But what do you mean by writing that the change must be done on recipients too?

Cheers,
Mikko




Re: Digital ID without email address by S

S
Thu Oct 23 04:47:18 CDT 2003

If you send messages from argonaut@jippii.fi and use a certificate with
subject, say, mikko@jippii.fi, the recipients will see a warning that the
certificate CN doesn't match. This check probably can be disabled but it's
not a good idea.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:eAjYnMSmDHA.1072@TK2MSFTNGP09.phx.gbl...
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:eMDfQYJmDHA.2536@tk2msftngp13.phx.gbl...
> > That or similar change needs to be done on all recipients, too. If that
> > happens, we'll witness digitally signed spam :)
>
> I sent a test message to a few friends and it worked just okay.
> I also sent a message to myself at another account and read the message with OE.
> It just said that everything seems to be just okay, but the email address
> doesn't match the certificate.
>
> But what do you mean by writing that the change must be done on recipients too?
>
> Cheers,
> Mikko
>
>
>



Re: Digital ID without email address by Mikko

Mikko
Fri Oct 24 00:49:22 CDT 2003

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%23xFw2rUmDHA.2080@TK2MSFTNGP10.phx.gbl...
> If you send messages from argonaut@jippii.fi and use a certificate with
> subject, say, mikko@jippii.fi, the recipients will see a warning that the
> certificate CN doesn't match. This check probably can be disabled but it's
> not a good idea.

Oh... Now I understand what you meant.
Changing that behaviour wouldn't be wise, I agree.

I am quite happy with these results even if the receiver might get warnings about
non-matching email addresses (seems to get those even if the certificate doesn't
contain an email address at all). At least OE does that, but it also states
that the mail is not tampered with and the ID is trusted, and if a person looks at the
certificate he/she sees that it comes from a trusted source.

Cheers,
Mikko



Re: Digital ID without email address by S

S
Fri Oct 24 03:51:04 CDT 2003

Fair enough :)

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Mikko Paavola" <argonaut@jippii.fi> wrote in message
news:uB8XiLfmDHA.2364@TK2MSFTNGP11.phx.gbl...
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:%23xFw2rUmDHA.2080@TK2MSFTNGP10.phx.gbl...
> > If you send messages from argonaut@jippii.fi and use a certificate with
> > subject, say, mikko@jippii.fi, the recipients will see a warning that the
> > certificate CN doesn't match. This check probably can be disabled but it's
> > not a good idea.
>
> Oh... Now I understand what you meant.
> Changing that behaviour wouldn't be wise, I agree.
>
> I am quite happy with these results even if the receiver might get warnings about
> non-matching email addresses (seems to get those even if the certificate doesn't
> contain an email address at all). At least OE does that, but it also states
> that the mail is not tampered with and the ID is trusted, and if a person looks at the
> certificate he/she sees that it comes from a trusted source.
>
> Cheers,
> Mikko
>
>