Any idea how Certificates are used in a hosted email solution?
I was just wondering if any of you would have an idea on how certificates are used when someone like Microsoft provides a company with a hosted Exchange email solution. Who has the private / public keys when they say they offer an encrypted email solution? It doesn't sound like the users exchange the certs but it's somehow done for them using the appliances, so I don't get it.
April 28th, 2010 11:37pm

You haven't really provided enough information to answer your question. Do you have a link that describes the process you're referring to here?
Paul Adare CTO IdentIT Inc. ILM MVP
April 29th, 2010 10:31am

Hi Paul,

I was hoping this question would be addressed by those who are using the Microsoft hosted solution, in which case they would be familiar with the product / process. Here's a link to a brief description of the process; please don't tell me this belongs in an Exchange forum, as they tell me this belongs in the Certificate Services forum, LOL: http://www.microsoft.com/online/exchange-hosted-services/encryption.mspx

Exchange Hosted Encryption Solution Overview

Transparent Encryption and E-Mail Delivery

When a user sends an e-mail message, it travels to the Microsoft global network through a Transport Layer Security (TLS)-encrypted tunnel, and is automatically encrypted at the gateway according to rules created and managed within the Microsoft Forefront Online Protection for Exchange module. When a message is encrypted, a private key for the recipient is created and stored in a security-enhanced environment on the Microsoft network. The private key is made available to the message recipient when the recipient decrypts the message. The recipient does not have to pre-enroll to receive and decrypt the message. In fact, the recipient may have never received a prior e-mail from the sender. The Microsoft encryption process is entirely transparent to the sender, who does not need to do anything other than write and send the message as usual.

Simple Authentication and Security-Enhanced, Web-based Decryption

Upon receiving an encrypted message, the recipient authenticates their identity and sets a password to securely open encrypted messages from the Hosted Encryption service. Once this password is created, the recipient can use the same password to quickly authenticate and view protected e-mail. Password-based authentication provides an easy and secure method to authenticate and verify a recipient’s identity. After completing the authentication and password setup process, the recipient decrypts and views the message using the Voltage Zero Download Messenger. The Zero Download Messenger is a clientless, browser-based method that enables a recipient to have confidence decrypting and reading a message and its attachments and then to reply with confidence. Furthermore, the encrypted message remains in the recipient’s e-mail inbox for access at any time.
April 29th, 2010 5:56pm

They are using a proprietary, 3rd party solution from Voltage Security.
Paul Adare CTO IdentIT Inc. ILM MVP
April 30th, 2010 9:59am

Hi,

Excerpt from the article below:

MICROSOFT EXCHANGE HOSTED ENCRYPTION
http://download.microsoft.com/download/6/2/c/62ca449f-8516-4d43-ac9d-e1f85eae0122/EHS_DataSheet_Encryption_FINAL.doc

"Exchange Hosted Encryption incorporates Identity-Based Encryption (IBE) technology in a managed service platform. Developed by Voltage Security, a Microsoft technology partner, IBE is a breakthrough in security and usability for message encryption. Exchange Hosted Encryption eliminates the need for certificates and uses a recipient’s e-mail address as the public key, IBE automatically binds the user’s identity to the public key and eliminates the need for certificates."

Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
April 30th, 2010 11:23am
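
An added illustration (not from the thread, Microsoft or Voltage) of the identity-based encryption idea in the excerpt above: the e-mail address is the public key, and only the service's key server can derive the matching private key. It uses Cocks' quadratic-residue IBE scheme because it fits in plain Python, and is not claimed to be the scheme the hosted service runs; the toy primes, the way the address is hashed, and all function names are assumptions.

```python
import hashlib
import itertools
import secrets

# Key server's master secret: primes = 3 mod 4 (toy Mersenne primes, NOT a secure choice).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q  # public system parameter, known to every sender

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def public_key(email):
    """Anyone can derive the public value from the address alone."""
    for counter in itertools.count():
        digest = hashlib.sha256(f"{counter}:{email.lower()}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a

def extract_private_key(email):
    """Key server only (needs P and Q): r with r*r = +a or -a mod N.
    The server can do this for ANY address, so keys are escrowed by design."""
    return pow(public_key(email), (N + 5 - P - Q) // 8, N)

def encrypt_bit(bit, email):
    """Sender: needs only N and the recipient's address, no certificate."""
    a, pair = public_key(email), []
    for sign in (1, -1):  # sender cannot know which sign the recipient's r matches
        t = secrets.randbelow(N)
        while jacobi(t, N) != (1 if bit else -1):
            t = secrets.randbelow(N)
        pair.append((t + sign * a * pow(t, -1, N)) % N)
    return tuple(pair)

def decrypt_bit(pair, r, email):
    """Recipient: runs after authenticating and receiving r from the server."""
    c = pair[0] if pow(r, 2, N) == public_key(email) else pair[1]
    return jacobi(c + 2 * r, N) == 1
```

A sender would use this bit by bit to wrap a symmetric session key for the message. Because `extract_private_key` works for every address, whoever runs the key server can read any recipient's mail.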

You sure did say that originally, so sorry I didn't get it the first time, thank you for reposting. I read the document and signed up for their evaluation period to see how this thing works, and have a better idea, but it's still not the equivalent of using actual certificates and public and private key pairs (not saying they claim to though). I say that because I think you can't show repudiation or use that system for digital signatures.
May 3rd, 2010 11:32pm
