Hi Nathaniel,
I can think of three acceptable ways to reach your goal, but I cannot say which of them is feasible for you.
I. Make your organisation choose a non-profit CA.
As you probably know, unlimited trust in SSL certificates issued by commercial CAs such as the ones you name has security implications by itself.
For further reading on this topic I propose you have a look at this article, which I like a lot (but I am not affiliated with the author):
http://www.financialcryptography.com/mt/archives/000206.html
Or look at the website by Ian Grigg who also wrote the above article:
http://iang.org/ssl/
That said, you may want to introduce SSL certificates issued by a non-profit CA within your organization. I propose you go with http://www.cacert.org for this matter. They will, however, not provide sub-CAs (as they could not fully trust them, which would decrease the overall trust of their web of trust). I assume that CACert's root certificates will be included in the next major releases of the major web browsers.
Alternatively, you can still set up your own CA, of course, as proposed before in this thread.
II. Make your short-time employees use SSL certificates used by CACert.
This will not only allow you to use email certificates but also certificates for many other uses, which will be available free of charge. The drawback about this is that you will still need to make your whole organization install the CACert root certificate. But this is a one-time job, as easy as clicking on a URL. And an enterprise grade IT management will allow you to pass root certificates on within the IT hierarchy in a mostly automated way.
III. Make all of your organization or part of it use a GPG/PGP infrastructure
To use GPG with Outlook, while I do not recommend using Outlook in general (if you are lucky enough to be able to choose), I recommend using GPGRelay:
http://sites.inka.de/tesla/gpgrelay.html
To gain a quick understanding of their implementation, have a look at:
http://sites.inka.de/tesla/data/gpgrelay_overview.png
For the additional software it needs, I propose you go with the Nullify builds of GPG (achieves broader compatibility - when compared to original GPG - by allowing the use of patent-encumbered algorithms) and GPGShell as a UI. However, if you prefer to have a look at the source, go with WinPT instead of GPGShell.
All of the above solutions are completely free in terms of licensing. The initial setup of these may take more time than you would expect when mostly used to commercial software, though. Nevertheless, the money your organization saves short or mid term, the experience and broader view one gets and the - in my opinion - increased security by more trustable certificate issuers make it worth spending a couple of minutes or hours on it.
Hope this helps,
Moritz Naumann
Nathaniel Hall wrote:
> I currently am using Thunderbird with Enigmail so
> that I can digitally sign and encrypt e-mail. Since
> there are only two of us that use Thunderbird in our
> organization, I would like to find a way to use PGP
> from within Outlook.
> I am aware that Outlook supports digital IDs from
> Geotrust and Verisign, but I would like to find
> something that will let our students participate in
> using the digital signatures without having to pay
> for one and with the adjunct faculty we hire on a
> per semester basis, the benefit of using digital
> signatures would be overcome by the cost.
>
> Does anybody know of a way to do this for free?