Rolling out encryption for internet email to the enterprise
More of a question than a statement. A site I deal with wants to deploy the ability for all users to send/receive encrypted email and/or digital signatures via internet email. There are numerous ways to go on this. Let's work on an assumption that it's about 3000 users. I would like to know if anyone has any particular preferences on how to go about this based on experience. I would just usually turn to using the CA process and deploying x509 certificates as needed.
But before I do this, does anyone have an alternative they have implemented and would recommend?
On a side note, whatever way I do implement this, I will blog post the implementation from start to finish, and add it to my references page. If it's done in time (and if I get accepted!) I will present it at ILUG as well.
Comments
Posted by Henning Kunz At 19:13:56 On 12/02/2008 | - Website - |
IMHO the built-in S/MIME functionality of the Notes client is perfect if a very limited number of persons are exchanging emails with a very limited number of external recipients and senders. Else, it easily gets an Administrator's (or help desk's) worst nightmare.
Each person must care for accepting others' certificates, each must know how others get their certificate (by sending a signed email), and I don't remember how name changes are handled?!
I second Henning's proposal to look for a gateway solution, which also enables virus scanning, which is not possible at the server in case of an end-to-end encryption.
AFAIK PGP is offering such a solution, and Group Technologies does (iQ.Suite Crypt: { Link } )
Thomas
Posted by Thomas Bahn At 20:57:31 On 12/02/2008 | - Website - |
There are more gateway offerings around these days so have a look, can't recommend any from personal experience though.
Posted by Peter Smith At 10:04:38 On 13/02/2008 | - Website - |
This gives the advantage that if one member of the organisation accepts an incoming certificate, ALL members will be able to use it for sending encrypted mails.
The Danish company Inopi { Link } used to sell such a solution (probably still do, but I can't find it on their website), and there are probably others out there.
I think an important question though is, whether it is clever to handle the CA process yourself rather than using "accepted standards" on the market, like Verisign { Link } or the like.
Posted by Lars Olufsen At 10:10:40 On 13/02/2008 | - Website - |
Posted by Jesper At 10:06:15 On 15/02/2008 | - Website - |
Posted by Mark Dowling At 16:49:41 On 15/02/2008 | - Website - |