Exchange 2003 Support for PKI

With an understanding of the options available for e-mail clients in an Exchange 2003 system, it is possible to consider the options for the PKIs that support those clients.

As discussed in Components of an Exchange 2003 Message Security System, PKI in Exchange 2003 interacts primarily with the e-mail client. Accordingly, the decision about which PKI should support Exchange 2003 message security is governed by considerations related to the e-mail client.

Support for the S/MIME standard in Exchange 2003 also means that the PKI decision is shaped by considerations specific to PKI itself. Any PKI that supports the S/MIME version 3 standard is a viable PKI for an Exchange 2003 message security system. This gives considerable flexibility: deploying a PKI can be a complex and demanding project, and being able to base the deployment decision on PKI-specific requirements rather than on the e-mail system makes the deployment more viable and more likely to succeed. Many organizations already have an existing PKI or are in the process of implementing one. Basing message security on the S/MIME standard increases the chances that such a PKI can be used with Exchange 2003 and removes the need to deploy and maintain a separate PKI solely to support message security. In short, if a PKI supports S/MIME version 3, it can be used as part of an Exchange 2003-based message security system.

Previous versions of Exchange provided some or all of the functions normally associated with a PKI through the Key Management Service. In Exchange 5.5 and earlier versions running Windows NT® version 4.0 and earlier, the Key Management Service provided all functionality associated with PKI. Windows® 2000 Certificate Services, with its support for S/MIME version 3, assumed many of the functions that the Key Management Service had previously performed. The integration of Exchange 2000 with the Microsoft Active Directory® directory service removed further functionality from the Key Management Service. In Exchange 2000, the Key Management Service provided only the archiving and recovery of private keys, a function not provided by Windows 2000 Certificate Services.

With Windows Server™ 2003, the certification authority (CA) now provides key recovery and archiving, making available the functionality previously associated with the Key Management Service. Because all of the functionality needed for message security is available in Windows Server 2003, the Key Management Service has been removed entirely from Exchange 2003. With key management functionality removed from Exchange, Exchange now requires only an e-mail client that supports S/MIME version 3 digital certificates.

Because support in Exchange is wholly standards-based, customers have several options for PKI. They can use the S/MIME version 3 certificates made available in Windows Server 2003, which allow automatic enrollment and automatic integration into an Active Directory environment running Windows 2000 Service Pack 3 or later. As an alternative, customers can implement another PKI that supports S/MIME version 3 and integrate it directly with their e-mail client. Customers can also implement a PKI that combines Windows Server 2003 with other certificate services. Finally, customers can decide not to implement their own PKI and instead rely on S/MIME version 3 certificates offered by public certification authorities.

Important

Successfully implementing a PKI requires detailed planning. Customers should research all the options available and determine the solution that best meets their requirements and capabilities before implementing a PKI.

Because each organization has different requirements and capabilities regarding PKI, the support that Exchange 2003 provides for the S/MIME standard allows flexibility in the choice of PKI used to support message security. Together with the broad range of e-mail client options, customers can build systems that meet their specific needs.

With an understanding of the technologies that make up a message security system, it is helpful to apply this understanding to how the two services that S/MIME provides, digital signatures and message encryption, function.