You are the messaging engineer for your company. Your network includes an Active Directory domain, Microsoft Windows Rights Management Services, and an Enterprise Certificate Authority server. All mailboxes are located on a single Exchange Server 2007 server. All clients use Microsoft Office Outlook 2007. You need to recommend security changes so that e-mail messages that are sent to recipients outside of the company can be signed using S/MIME digital signatures. What should you recommend?
A. Issue x.509 certificates to all users.
B. Issue x.509 certificates to all client computers.
C. Install the Windows Rights Management client on all client computers.
D. Create a transport rule that appends a disclaimer to all outbound messages and creates a message header called X-Smime for all outbound messages.
Explanation:
S/MIME functionality enables users to send signed and/or encrypted e-mail to one another from a variety of devices, including Outlook, OWA, and Mobile 6.0 using ActiveSync. S/MIME is a standard for PKI encryption and e-mail signing, encapsulated in MIME. It is built into, and interoperates with, the majority of modern mail programs and provides the following cryptographic security services: authentication, message integrity, non-repudiation of origin (using digital signatures), and privacy and data security (using encryption).
Before an application can use S/MIME, an individual key/certificate from either an internal or a public CA must be installed. Best practice is to use separate private keys (and associated certs) for signature and encryption, since this permits escrow of the encryption key without compromising the non-repudiation property of the signature key.
Encryption requires having the destination party's cert stored locally. Typically, this happens automatically upon receiving an e-mail from that person that carries a valid signing cert.
A basic personal cert binds the owner to a particular e-mail address, but doesn't verify his name or business. The latter, if needed (e.g., for contract signing), can be obtained from CAs offering a digital notary service.
Depending on the policy of the CA, your cert and all its contents may be publicly posted for reference and verification. This exposes your name and email address to public scrutiny and search. Some CAs post only serial numbers and revocation status, without personal information. The latter, at a minimum, is mandatory to uphold the integrity of the PKI.
http://www.wilsonmar.com/1certs.htm
http://en.wikipedia.org/wiki/S/MIME
Windows Rights Management is a data protection technology that works with RMS-enabled applications to safeguard digital information from unauthorized use.
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx