Re: What will happen under this circumstance? by Miha
Miha
Fri Sep 17 09:34:35 CDT 2004
Hi,
With PKI you have a pair of asymmetric keys. One is public and the
other is private. The first one, as the name tells you, you can publish on your
website, send in an e-mail, or give out in any way you like. This key will
be used to send _you_ an encrypted e-mail that no one else will be able to
read.
To open an e-mail that was encrypted with _your_ public key, you will need
_your_ other key -- the private key. Now this key you have to protect with your
life. This is the key that only you have access to. So the first task this
key has is to decrypt an encrypted e-mail. The second task is to
digitally sign an e-mail -- so that I know that this e-mail really came from
you. To verify the signature I will use _your_ public key.
When you digitally sign an e-mail I know that it came from you. The other thing
I can be sure of is that the e-mail was not edited (changed) on the way from
your computer to mine. E.g. if someone changed the message from you to me
from "NO, do not buy 10.000.000 of xyz company shares" to "YES, buy
10.000.000 of xyz company shares" the digital signature would be invalid and
I would know that someone changed it. Now it is up to me to call you and
make sure what is going on. Still, e-mails that are only digitally signed can
be read by anyone.
Now if you want to send _me_ an encrypted e-mail, you will have to use _my_
public key. I will then use _my_ private key to open it. The only person who
can read the e-mail is the recipient (assuming that he was a good key keeper and
no one else has his private key).
Inside the company, if you e.g. use Active Directory and e.g. a Microsoft
certificate authority server, public keys are published there and Outlook
can easily find them using an LDAP query. If you want to send an encrypted
e-mail to a person outside your company, you can simply send an unprotected
e-mail to the person asking him/her to send you his/her public key. You
could digitally sign this e-mail...
To send an encrypted e-mail all you need is the recipient's public key. You don't
need any certificate on your side. Still, you might want to digitally sign
the e-mail so that the recipient knows for sure that the e-mail came from you.
I hope this explains it. Feel free to post back if you have any additional
questions.
Mike
"digital" <anonymous@discussion.microsoft.com> wrote in message
news:enOk09LnEHA.3352@TK2MSFTNGP15.phx.gbl...
> I am confused a little: So there is a difference between encryption for
> sending email and a digital signature for sending email?
> I just want to ensure the recipient of emails is the only one who can read
> the emails.
> How can I know whether an email address has a public key (digital
> certificate) for the encryption of an email?
> Additionally, if I just want to send an encrypted email, is my digital
> certificate for my email address useless? Is my digital certificate only
> used to decrypt the encrypted email sent to me?
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:%23oyhkZLnEHA.3464@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > I assume you are talking about S/MIME?
> >
> > If you encrypt an e-mail you have to use the recipient's public key for this
> > operation. Once the recipient receives the e-mail he/she should be able to
> > open and read the e-mail as long as the recipient has the appropriate private
> > key to decrypt the e-mail. If the private key is not on this computer or is
> > not accessible the recipient won't be able to open the e-mail.
> >
> > If you digitally sign your e-mail you have to use your private key for this
> > operation. The recipient can verify your digital signature if he/she has your
> > public key. If the recipient doesn't have your public key, the e-mail client
> > will notify the recipient that the digital signature could not be verified.
> > Still, he/she should be able to read the e-mail.
> >
> > Mike
> >
> > "digital" <anonymous@discussions.microsoft.com> wrote in message
> > news:22e701c49cb4$210e5410$a401280a@phx.gbl...
> >> When I send a digitally signed, encrypted email to an email
> >> address without a digital signature, what will happen? Will
> >> the email be lost? Or will the contents of the email not be
> >> shown even though the email can be sent?
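The exchange Miha describes, as an added example that is not part of the original thread: Go code using only the standard library (RSA-PSS for the signature, RSA-OAEP to wrap a content key, AES-GCM for the content) in place of the real S/MIME/CMS format that Outlook produces. The parties alice, bob and eve, the names NewParty, Sign, Verify, Encrypt, Decrypt and Scenario, and the message text are constructed for illustration; nothing here is code from the thread or from Microsoft.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Party is one correspondent (hypothetical alice/bob/eve below); only Private is secret.
type Party struct{ Private *rsa.PrivateKey }

func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return &Party{Private: k}
}

// Public is the part that gets published (web page, e-mail, LDAP).
func (p *Party) Public() *rsa.PublicKey { return &p.Private.PublicKey }

// Signed is a signed-but-not-encrypted mail: anyone can read Body.
type Signed struct{ Body, Signature []byte }

// Sign uses the sender's private key (its second task in the post).
func Sign(sender *Party, body []byte) Signed {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender.Private, crypto.SHA256, h[:], nil)
	must(err)
	return Signed{Body: body, Signature: sig}
}

// Verify uses the sender's public key; any change to Body makes it return false.
func Verify(senderPub *rsa.PublicKey, m Signed) bool {
	h := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], m.Signature, nil) == nil
}

// Envelope is the encrypted mail. As in S/MIME, the content (the whole Signed message) is encrypted with a fresh AES-GCM key, and only that key is RSA-OAEP wrapped for the recipient.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Encrypt needs only the recipient's public key; the sender's certificate is not involved.
func Encrypt(recipientPub *rsa.PublicKey, m Signed) Envelope {
	plain, err := json.Marshal(m)
	must(err)
	kn := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	_, err = rand.Read(kn)
	must(err)
	key, nonce := kn[:32], kn[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	must(err)
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
}

// Decrypt needs the recipient's private key; anyone else gets an error, not the text.
func Decrypt(recipient *Party, e Envelope) (Signed, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Private, e.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return Signed{}, fmt.Errorf("not the intended recipient: %v", err)
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return Signed{}, err
	}
	var m Signed
	return m, json.Unmarshal(plain, &m)
}

// Scenario runs the post's exchange: alice signs and encrypts to bob, bob reads and
// verifies, eve cannot decrypt, and a body edited in transit fails verification.
func Scenario() (bobReads, bobVerifies, eveDecrypts, editedPasses bool) {
	alice, bob, eve := NewParty(), NewParty(), NewParty()
	body := []byte("NO, do not buy 10.000.000 of xyz company shares") // constructed sample
	env := Encrypt(bob.Public(), Sign(alice, body))
	got, err := Decrypt(bob, env)
	bobReads = err == nil && string(got.Body) == string(body)
	bobVerifies = err == nil && Verify(alice.Public(), got)
	_, err = Decrypt(eve, env)
	eveDecrypts = err == nil
	// Someone edits the text in transit but keeps the original signature.
	edited := Signed{Body: []byte("YES, buy 10.000.000 of xyz company shares"), Signature: got.Signature}
	editedPasses = Verify(alice.Public(), edited)
	return
}
func main() { fmt.Println(Scenario()) }
```

Run it with go run; Scenario returns true true false false: bob reads and verifies, eve fails at the key-unwrapping step and never sees the text, and the NO-to-YES edit makes Verify return false even though the signature bytes themselves were not touched. Because the signature is computed before encryption (here and in S/MIME), a recipient without the private key fails at Decrypt and never reaches Verify, which is the situation asked about at the start of the thread; a signed-only message, by contrast, is a plain Signed value whose Body anyone can read.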