Re: Outlook 98 Security "Feature"

From: Paul Leach (paulleat_private)
Date: Thu Jan 21 1999 - 14:26:37 PST


    > -----Original Message-----
    > From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
    > Sent: Thursday, January 21, 1999 2:02 PM
    > To: Paul Leach
    > Cc: BUGTRAQat_private
    > Subject: Re: Outlook 98 Security "Feature"
    >
    >
    > On Thu, 21 Jan 1999 10:47:46 PST, you said:
    > > > From: Todd Beebe [mailto:toddat_private]
    > > > After successfully receiving incoming email which is signed and
    > > > encrypted(Using Verisign Certificates on both ends), the
    >
    > > Since the error message from Outlook means that it can't find the keys of
    > > any of the recipients in order to encrypt the reply, exactly _how_ do you
    > > expect it to do so?
    >
    > Now, I may misunderstand public key encryption, but..
    >
    > If it was *signed* and *encrypted* both, that means it was encrypted
    > with the other person's private key to sign, then your public key to
    > encrypt.
    >
    > You then decrypt with your private key, and verify signature with the
    > other person's public key.  If it was received correctly, you must
    > have both of these keys.
    >
    > So why don't we have our private key and the other person's public key
    > when it comes time to send an encrypted/signed reply?
    
    Sounds right. That wasn't my point though. The complaint was that the
    default wasn't to send encrypted replies to encrypted messages. Just from
    the description of the problem in Todd's message, however, it appeared that
    it _was_ by default trying to encrypt the reply, and couldn't, because it
    _thought_ it didn't have the keys. Hence there is no bug in its defaults.
    
    I was thinking when I wrote it that maybe it didn't think it had the
    recipients' certificates in some directory or address book or etc, when it
    really did, and that that was the bug. As you point out, it can't be that --
    intrinsically it must have the keys. So, that's where the bug would seem to
    be -- not in its defaults about the way to reply to encrypted messages.
    
    I don't work in Outlook, but I forwarded the problem report to some people I
    know; they're looking at it.
    
    Paul
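Valdis's argument in the quoted message, that a correctly received signed-and-encrypted mail leaves the recipient holding every key an encrypted reply needs, as an added example that is not part of the thread: it uses RSA-PSS and RSA-OAEP directly instead of S/MIME's CMS structures, and `Msg`, `Send`, `Receive` and `RoundTrip` are constructed names for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Msg is a constructed stand-in for a sign-then-encrypt S/MIME message; a real
// one carries SignerPub inside the signer's certificate rather than as a bare key.
type Msg struct {
	Ciphertext, Signature []byte
	SignerPub             *rsa.PublicKey
}

// Send signs with the sender's private key, then encrypts to the recipient's public key.
func Send(from *rsa.PrivateKey, to *rsa.PublicKey, pt []byte) (*Msg, error) {
	h := sha256.Sum256(pt)
	sig, err := rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil)
	if err != nil { return nil, err }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, pt, nil)
	if err != nil { return nil, err }
	return &Msg{Ciphertext: ct, Signature: sig, SignerPub: &from.PublicKey}, nil
}

// Receive decrypts with the recipient's private key and verifies with the signer's
// public key, returning that key too: a verified receipt is all an encrypted reply needs.
func Receive(me *rsa.PrivateKey, m *Msg) ([]byte, *rsa.PublicKey, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, m.Ciphertext, nil)
	if err != nil { return nil, nil, err }
	h := sha256.Sum256(pt)
	if err = rsa.VerifyPSS(m.SignerPub, crypto.SHA256, h[:], m.Signature, nil); err != nil { return nil, nil, err }
	return pt, m.SignerPub, nil
}

// RoundTrip plays out the thread's scenario and returns the decrypted reply text.
func RoundTrip() (string, error) {
	toddKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	senderKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Only the first sender needs a lookup (address book, directory) for Todd's key.
	in, err := Send(senderKey, &toddKey.PublicKey, []byte("signed and encrypted hello"))
	if err != nil { return "", err }
	_, senderPub, err := Receive(toddKey, in) // the sender's key comes with the mail
	if err != nil { return "", err }
	out, err := Send(toddKey, senderPub, []byte("encrypted reply")) // no lookup needed
	if err != nil { return "", err }
	pt, _, err := Receive(senderKey, out)
	return string(pt), err
}
```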
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:44 PDT