FAQ from Security Newsgroups

Q: I recently came across a security puzzle dealing with email signing certs in Outlook:

I just sent my buddy an email signed with my new email signing certificate. However, when he opened it, he got the error message:

"The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid. The system cannot determine whether the certificate used to create this signature is trusted or not."

I told him that he needed to trust the root CA, which I promptly sent him as an attachment in a separate email.

But the question remains: Why doesn't Outlook automatically send (or give you the option to send) the certificate chain along with your email signing cert?

That way, recipients would be able to trust the issuer certificate if they so choose!

I investigated the MS Knowledge Base, and came up with article # 278207 at URL: https://support.microsoft.com/default.aspx?scid=kb;en-us;278207.

The puzzling thing is that this article talks about enabling CRLs, which seems way off the mark!

Thoughts anybody?

A1: It is a somewhat controversial topic - whether a protocol should send the root along with the transaction or not... Some apps do and some don't. Some protocols allow it, others don't. The general thought is that the relying party must trust the root as part of an out-of-band verification process, so there is no reason to send it as part of the transaction...

A2: I think that OE6 includes the full CA chain with signed email, but will prompt you if the root is not already trusted (i.e. installed to the ROOT cert store).

Also, OE6 generates a *detached* signature, whereas O2000 generates an *included content* signature.
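As an added example (not from the original thread, and not Outlook's or Outlook Express's own code), the following script uses the OpenSSL command-line tool to reproduce the situation in the question with a constructed throw-away PKI (the root CA, issuing CA and "Alice" signing certificate are all made up for the demo): a signed message that carries only the signer's certificate fails verification for a recipient who trusts just the root, while the same message with the issuing CA certificate included (the behaviour A2 attributes to OE6) verifies. It also shows how to count the certificates a received message actually carries.

```shell
#!/bin/sh
# Added example, not code from the original thread. A throw-away PKI (constructed names)
# reproduces the "issuer's certificate is unavailable" failure and shows that shipping
# the issuing CA certificate inside the signed message fixes it for a recipient who
# trusts only the root. Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Root CA -> issuing (intermediate) CA -> Alice's S/MIME signing certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.com\n' >> ee.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Demo Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 2 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr -subj "/CN=Alice" 2>/dev/null
openssl x509 -req -in alice.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out alice.crt -days 2 -extfile ee.ext 2>/dev/null

printf 'Subject: hello\n\nSigned greeting from Alice\n' > body.txt
# Message 1 carries only Alice's certificate (the situation described in the question).
# Message 2 also carries the issuing CA certificate (-certfile), as A2 says OE6 does.
openssl smime -sign -in body.txt -signer alice.crt -inkey alice.key -out no_chain.eml
openssl smime -sign -in body.txt -signer alice.crt -inkey alice.key -certfile inter.crt -out with_chain.eml

# Bob's side: he trusts only the root, installed out of band. Exit status 0 = verified.
verify_as_bob() {
    openssl smime -verify -in "$1" -CAfile root.crt -out /dev/null 2>/dev/null
}
# How many certificates the PKCS#7 signature blob of a received message carries.
included_certs() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}

for m in no_chain.eml with_chain.eml; do
    if verify_as_bob "$m"; then r="verified"; else r="NOT verified (issuer certificate not found)"; fi
    echo "$m: $(included_certs "$m") certificate(s) included -> $r"
done
```

The first message fails with OpenSSL's "unable to get local issuer certificate", the command-line counterpart of the Outlook error quoted in the question; the second verifies because the issuing CA certificate travelled with the signature and the root was trusted out of band.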