Why Microsoft Requires Your Certificate Before Encrypting an Email

Microsoft doesn't allow sending public-key encrypted messages from Outlook 2003-2012 on Windows 7 to 8.x without first creating your own Digital ID, that is, a private key and certificate for signing.

Per Microsoft, before encrypting an email to someone else, “it is required that both parties have valid digital certificates for email signing and encryption at the first place.” Why? If I have someone’s public key, why do I need to have my own – valid or invalid – certificate? I am not signing the message, just encrypting it so that only the recipient can read it.

Understanding the Requirement

Technically, there is no reason to require the sending party to have a key or certificate in order to send an encrypted message: encryption uses only the recipient's public key. The requirement is enforced for a practical security reason instead. If the recipient replies to the message, the reply can only be encrypted if the original sender's public key or certificate was embedded in the message, and an encrypt-only message carries no such certificate.

This requirement may be built into the S/MIME or PGP/MIME protocol. For PGP/INLINE, however, it should be possible to encrypt using only the recipient's public key. There might be a security setting somewhere in Enigmail that prevents embedding your key in the message, which would allow it to be encrypted without a sender key.

Regarding S/MIME in Outlook, there is no such setting, and from what I understand, it is part of the protocol. Even Apple phones require both a sender and a recipient key to encrypt a message.
