When you want to implement mail signing and/or encryption with the Outlook/Exchange products, you are faced with several choices. One of them is knowing which Exchange S/MIME template to pick among all the certificate templates.
First of all, please remember that S/MIME may help to achieve the following goals:
- message authentication: being sure that the sender is who (s)he claims to be
- message integrity: knowing the message hasn’t been altered between the sender and the recipient
- message confidentiality: making sure the message cannot be read by a man-in-the-middle
To achieve message authentication and message integrity, you implement message signing; to achieve message confidentiality, you implement encryption.
As these capabilities are tied to a user’s email, you might think that the ‘User’ template is the best fit for this role. In fact there are several reasons against this choice:
- The User template is made for several purposes: Encrypting File System (EFS), Secure Email and Client Authentication. You do not necessarily want to grant all of these usages to all users, or to grant them with the same certificate
- The AD user object has two attributes which may hold certificates: userCertificate and userSMIMECertificate. As above, you may need, want or prefer to separate those roles
- Additionally, remember that you are implementing authentication and message integrity on one side and encryption on the other. You may want to separate these roles as well.
In particular, you may want to be able to decrypt messages when the user is no longer available. For this, you need key archival on the certificate used for encryption. For message signing, key archival makes much less sense: a lost signing key can simply be replaced, and an archived copy only weakens the non-repudiation the signature is supposed to provide.
Therefore a best practice is to use:
Please note that you should not publish these built-in templates directly but make copies of them, so you can customize the validity period or the CSP/KSP if you’re using an HSM.
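As an added example (not part of the original post), the following PowerShell script reads the userCertificate and userSMIMECertificate attributes of a user object and reports, for each certificate found, whether its key usage and EKUs make it a signing certificate, an encryption certificate, or a catch-all User-template certificate. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module; the account name is a placeholder.

```powershell
using namespace System.Security.Cryptography.X509Certificates
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Security   # provides SignedCms for PKCS#7 blobs

$samAccountName = 'jdoe'   # placeholder account, replace with a real one

function Get-CertsFromBlob {
    param([byte[]]$Raw)
    # userCertificate holds bare DER certificates; userSMIMECertificate is usually a
    # PKCS#7 blob written by Outlook, so fall back to decoding it as SignedCms.
    try { return ,[X509Certificate2]::new($Raw) } catch { }
    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
    $cms.Decode($Raw)
    return @($cms.Certificates)
}

function Describe-Cert {
    param([X509Certificate2]$Cert, [string]$Source)
    $ku  = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $flags = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    $ekuNames = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '(none)' }
    $canSign    = [bool]($flags -band [X509KeyUsageFlags]::DigitalSignature)
    $canEncrypt = [bool]($flags -band [X509KeyUsageFlags]::KeyEncipherment)
    [pscustomobject]@{
        Source   = $Source
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter
        EKU      = $ekuNames
        # A certificate that can do both is typically the catch-all User template;
        # separate signing and encryption certificates show only one of them.
        Role     = if ($canSign -and $canEncrypt) { 'signing+encryption (shared)' }
                   elseif ($canSign)    { 'signing only' }
                   elseif ($canEncrypt) { 'encryption only' }
                   else                 { 'neither' }
    }
}

$user = Get-ADUser -Identity $samAccountName -Properties userCertificate, userSMIMECertificate
$report = foreach ($attr in 'userCertificate', 'userSMIMECertificate') {
    foreach ($blob in @($user.$attr)) {
        foreach ($c in Get-CertsFromBlob -Raw $blob) { Describe-Cert -Cert $c -Source $attr }
    }
}
$report | Format-Table -AutoSize
```

A certificate reported as "signing+encryption (shared)" in userSMIMECertificate is the situation the post argues against: the same key is then both archived for decryption and used to sign.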