Using digital IDs to sign or encrypt Windows Mail messages

Using a digital ID, you can digitally sign your e‑mail to prove your identity. You can also use a digital ID to encrypt messages, keeping them private. Here are answers to some common questions about using digital IDs with Windows Mail.

What is a digital ID?

Digital IDs, sometimes referred to as certificates, allow recipients to verify that an e‑mail was actually sent by you. It's very easy to forge e‑mail return addresses, and using a digital ID helps a recipient know that a message actually came from you. Also, when traveling across the Internet, standard e‑mail messages are the digital equivalent of postcards—they can be read, or even altered, along the way. Digital IDs can be used to encrypt messages, hiding their contents, and they indicate whether a message has been altered in transit to the recipient.

How do I get and set up my digital ID?

In many businesses, your system administrator will provide you with a digital ID. To obtain a digital ID for personal use, you'll need to obtain one from a certification authority, which is an organization that offers digital IDs.

To set up your digital ID

  1. Open Windows Mail by clicking the Start button, clicking All Programs, and then clicking Windows Mail.

  2. Click the Tools menu, and then click Options.

  3. Click the Security tab, and then, under Secure Mail, click Digital IDs.

  4. Click Import, and then follow the instructions to import your digital ID.

What's an encrypted message?

Typical unencrypted e‑mail messages are sent across the Internet as plain text, and as they travel to their recipients they can be read by prying individuals or automated programs. Encrypted messages are messages, signed with a digital ID, that are sent in a scrambled format that can be read only by your recipient. However, both the sender and recipient must have copies of each other's digital ID to be able to send and read encrypted messages.

Encryption format information for advanced users

Windows Mail is compatible with the Secure/Multipurpose Internet Mail Extensions (S/MIME) version 2 and 3 specifications, and supports the following encryption algorithms: RC2 (40-bit and 128-bit), DES (56-bit), and 3DES (168-bit). Windows Mail can decrypt RC2 (64-bit) encrypted e‑mail, but cannot send messages using this algorithm. Windows Mail can use only SHA-1 as the hashing algorithm when signing messages. The bit length of your private key varies, depending on the certification authority from which you obtain it and the process used to generate the key.
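The following is an added example, not Windows Mail code or part of this help article. It shows what the two message forms described under "What's an encrypted message?" and in this section look like on the wire, and one check a mail gateway or reviewer can run on signed mail: a clear-signed S/MIME message declares its hash algorithm in the micalg parameter of its Content-Type header, and the same algorithm must appear in the digestAlgorithms field of the PKCS#7 SignedData blob the signature part carries. Because Windows Mail signs only with SHA-1, a hash that is no longer considered collision-resistant, the audit also flags sha1 as weak. Everything in the block is constructed for illustration: the addresses, the message text and the skeletal SignedData and EnvelopedData blobs (which contain no certificate, no key material and no real signature or ciphertext); the OID values are the standard ones. Only the Python standard library is used, so it runs offline.

```python
"""Audit the outer structure of an S/MIME message: classify it as clear-signed,
opaque-signed, encrypted or plain, and for clear-signed mail check that the hash
declared in micalg matches the digestAlgorithms inside the PKCS#7 SignedData.
Added example; sample messages and blobs are constructed, not captured traffic."""
import base64
import email
from email import policy

# DER-encoded OBJECT IDENTIFIER contents (standard OIDs) used below.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")    # 1.2.840.113549.1.7.2
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3
OID_DATA = bytes.fromhex("2a864886f70d010701")           # 1.2.840.113549.1.7.1
OID_SHA1 = bytes.fromhex("2b0e03021a")                   # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")         # 2.16.840.1.101.3.4.2.1
DIGEST_NAMES = {OID_SHA1: "sha1", OID_SHA256: "sha256"}
WEAK_DIGESTS = {"sha1"}


def der(tag, payload):
    """Encode one DER TLV with a definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_signed_data_blob(digest_oid):
    """Skeletal ContentInfo(SignedData): version, digestAlgorithms, detached
    encapContentInfo and an empty signerInfos set (constructed, no real signature)."""
    alg_id = der(0x30, der(0x06, digest_oid) + der(0x05, b""))   # AlgorithmIdentifier
    signed_data = der(0x30, der(0x02, b"\x01")                  # version 1
                      + der(0x31, alg_id)                       # digestAlgorithms SET
                      + der(0x30, der(0x06, OID_DATA))          # encapContentInfo (detached)
                      + der(0x31, b""))                         # signerInfos SET (empty)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))


def digest_algorithms(blob):
    """Walk ContentInfo -> [0] -> SignedData -> digestAlgorithms; return names."""
    tag, content_info, _ = read_tlv(blob)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    _, content_type, pos = read_tlv(content_info)
    if content_type != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not SignedData")
    _, explicit, _ = read_tlv(content_info, pos)   # [0] EXPLICIT wrapper
    _, signed_data, _ = read_tlv(explicit)         # SignedData SEQUENCE
    _, _version, pos = read_tlv(signed_data)       # version INTEGER
    _, algs, _ = read_tlv(signed_data, pos)        # SET OF AlgorithmIdentifier
    names, pos = [], 0
    while pos < len(algs):
        _, alg_id, pos = read_tlv(algs, pos)
        _, oid, _ = read_tlv(alg_id)
        names.append(DIGEST_NAMES.get(oid, "oid:" + oid.hex()))
    return names


def build_clear_signed_message(micalg, digest_oid):
    """Constructed multipart/signed message, the shape 'Digitally Sign' produces."""
    sig = base64.b64encode(build_signed_data_blob(digest_oid)).decode()
    b = "----=_smime_boundary"
    return (
        "From: alice@example.test\r\nTo: bob@example.test\r\n"
        "Subject: signed test (constructed)\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
        f' micalg={micalg}; boundary="{b}"\r\n\r\n'
        f"--{b}\r\nContent-Type: text/plain\r\n\r\nQuarterly figures attached.\r\n"
        f"--{b}\r\nContent-Type: application/x-pkcs7-signature; name=smime.p7s\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{sig}\r\n--{b}--\r\n"
    )


def build_encrypted_message():
    """Constructed application/pkcs7-mime enveloped-data message (the 'Encrypt'
    case); the blob is a placeholder EnvelopedData header, not real ciphertext."""
    blob = der(0x30, der(0x06, OID_ENVELOPED_DATA) + der(0xA0, der(0x30, der(0x02, b"\x00"))))
    return (
        "From: alice@example.test\r\nTo: bob@example.test\r\nMIME-Version: 1.0\r\n"
        "Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{base64.b64encode(blob).decode()}\r\n"
    )


def audit(raw):
    """Classify one raw message; for clear-signed mail compare micalg with the blob."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = "encrypted" if msg.get_param("smime-type") == "enveloped-data" else "opaque-signed"
        return {"kind": kind, "declared": None, "actual": [], "consistent": True, "weak": False}
    if ctype != "multipart/signed":
        return {"kind": "plain", "declared": None, "actual": [], "consistent": True, "weak": False}
    declared = str(msg.get_param("micalg") or "").lower().replace("-", "")   # "sha-1" -> "sha1"
    sig_part = msg.get_payload()[1]                      # second body part is the signature
    actual = digest_algorithms(sig_part.get_payload(decode=True))
    return {"kind": "clear-signed", "declared": declared, "actual": actual,
            "consistent": declared in actual, "weak": bool(WEAK_DIGESTS & set(actual))}


if __name__ == "__main__":
    for raw in (build_clear_signed_message("sha1", OID_SHA1),      # what Windows Mail sends
                build_clear_signed_message("sha1", OID_SHA256),    # header/blob mismatch
                build_encrypted_message()):
        print(audit(raw))
```

Run as a script, it audits three constructed messages: a SHA-1 clear-signed message (consistent, but flagged weak), one whose headers claim sha1 while the blob records sha256 (flagged inconsistent), and an enveloped-data message (reported as encrypted, with no hash to check). The block inspects structure only; verifying the signature and the signer's certificate chain, which is what produces the security warning this article describes, needs a full CMS implementation.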

The private keys are stored on your computer and are only as secure as your computer. Private keys installed using Microsoft cryptographic system components will not be transmitted to the certification authority that issues the digital ID; the keys are not stored in escrow with any government agency.

How do I send a digitally signed message?

While composing an e‑mail message, click the Tools menu, and then click Digitally Sign.

Your message will be sent using your digital ID.

How do I send an encrypted message?

While composing a message, click the Tools menu, and then click Encrypt.

Note

  • Before sending an encrypted message, you must have a digital ID in Windows Contacts for each intended recipient. If you need a digital ID for your recipient, have your recipient send you a digitally signed message. Whenever you receive a digitally signed e‑mail message, Windows Mail automatically adds the sender's digital ID to your Windows Contacts.

How do I read a digitally signed message?

You can read a digitally signed message the same way you would read any other message. To provide further assistance, Windows Mail displays a help screen the first time you open or preview a digitally signed message.

How do I read an encrypted message?

After you send a digitally signed message to a contact, you can read an encrypted message from that person the same way you would read any other message. To provide further assistance, Windows Mail displays a help screen the first time you open or preview an encrypted message.

How can I verify that a digitally signed message I received is authentic?

If you receive a secure message that has a problem (for example, the message was tampered with or the digital ID of the sender is expired), you will see a security warning that details the problem before you are allowed to view the contents of the message. Based on the information in the warning, you can decide whether to view the message.

If you read a digitally signed message while connected to the Internet, Windows Mail will verify the validity of the message by requesting information on the digital ID from the appropriate certification authority. The certification authority sends back information on the status of the digital ID, including whether the ID has been revoked. Certification authorities keep track of certificates that have been revoked due to loss or termination. To view the validity status of a digital ID while reading a message, click the File menu, click Properties, and then click the Security tab.

Where are digital IDs stored?

Digital IDs used by Windows Mail are stored in Windows Contacts. Whenever you receive a digitally signed e‑mail message, Windows Mail automatically adds the sender's digital ID to your Windows Contacts. In some circumstances, you may want to manually add a digital ID to a contact. For example, if the contact listed in the e‑mail message doesn't exactly match the name of the existing contact in Windows Contacts, the digital ID will be stored in a new contact instead of being associated with the existing contact.

To manually add a digital ID to a contact from a digitally signed e‑mail message

  1. Open Windows Mail by clicking the Start button, clicking All Programs, and then clicking Windows Mail.

  2. Open a digitally signed message.

  3. Click the File menu, and then click Properties.

  4. Click the Security tab, and then click Add digital ID to Contacts.

To manually add a digital ID to a contact from another source

  1. Open Windows Contacts by clicking the Start button, clicking All Programs, and then clicking Windows Contacts.

  2. Create a new contact or double-click an existing contact.

  3. Click the Digital IDs tab, and then click Import.

  4. Click the digital ID file that contains the digital ID you want to add to the contact, and then click Open.