RE: Does Smime works fine with Windows 2000 PKI

2000-05-11 11:29:45
Free only if you own Windows 2000, but yes that means free for most folks
eventually.  However, most of the costs associated with a PKI are not in the
actual technology, but rather in the legal side of things.  Outsourcing to a
CA vendor such as Baltimore, Entrust or Verisign allows you to offset the
soft costs to a company which has already done its legal homework for you.
There is a lot of discussion on the cost/benefits on inhousing a CA which
can be found in EMA sessions, often available on  Also look at for interoperability testing (not just white papers here).  EMA
has recently published the findings of a large test regarding PKI interop
which involved many vendors, the federal government and this is available
again at  I don't know if the tests have included W2K in the
past but we can ask Microsoft to participate as they are an ongoing process.


-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Piers 
Sent: Thursday, May 11, 2000 1:17 PM
To: 'Laurent Deffranne'; 'walter.williams'
Cc: 'ietf-smime'
Subject: RE: Does Smime works fine with Windows 2000 PKI

MS have published a White Paper on Win2k PKI interoperability with other
leading PKI vendor products.  The WP is available on their MSDN website
(can't remember where but it's called win2kpkinterop.doc).

In my experience Win2k PKI is excellent as a choice for an Enterprise PKI.  It
integrates well with AD (not surprisingly).  However, as a commercial PKI
the best thing that can be said about it is that it is free.  And that
probably sums it up succinctly.


-----Original Message-----
From: Laurent Deffranne [mailto:Laurent(_dot_)Deffranne(_at_)dexia(_dot_)be]
Sent: 11 May 2000 14:19
To: walter.williams
Cc: ietf-smime
Subject: RE: Does Smime works fine with Windows 2000 PKI


Do you mean that there are difficulties to access through LDAP an Active
Directory, as you want to read or use X509 certificates ?

By the way, does somebody know issues about Active Directory LDAP, or
issues to read a certificate in an Active Directory?

For me it would be a mistake to use now the "brand new" Active
Directory, but if someone could tell me where I can find proofs of lack
of compatibility (from Microsoft, there must be surely one or two), this
would interest me.


11/05/2000 14:54
To:   Laurent Deffranne/GKBCCB(_at_)GKBCCB, 

Subject:      RE: Does Smime works fine with Windows 2000 PKI


Yes, certs issued from a W2K CA can be used for S/MIME, and no less so
certs issued from Baltimore, Iplanet or any other CA vendor or product.
main issue is not will they work, but will you be able to validate the
certs.  Unless the person issuing the cert from W2K has provided you
their server's cert, or they have certified their CA with the signature
the publicly known CAs you will not be able to easily verify the
to its source.  This is not the most technically accurate way of saying
but I'm not awake yet.  Baltimore has preregistered their CA with the
vendors distributing products, as has Verisign, Thawte, and many
Just make certain that you have the certificates for the W2K CA, and
to its revocation list so you can validate properly and you'll be fine.

Walt Williams
Senior IT Analyst

Please note: GTE Internetworking is now Genuity.

-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Laurent 
Sent: Thursday, May 11, 2000 5:45 AM
To: ietf-smime
Subject: Does Smime works fine with Windows 2000 PKI

Hi everybody,

Just a question :

Are there any known issues using S/MIME with Win2000 PKI certificates?
More generally, are Win2000 certificates usable with (and
understood by) the other mailers (especially Lotus Notes,
Netscape, Eudora + plug-in)?

Isn't Baltimore Unicert a "better choice" due to its greater
compatibility?

Any advice is welcome.


Laurent Deffranne