S/MIME Gotcha

I recently reenabled S/MIME signing in my Outlook client. (S/MIME is the standard for signing, and optionally encrypting, email: a digital signature on the message lets recipients verify who sent it and that it wasn't altered in transit.) When I tested sending mail back and forth to myself through my various clients, I had no problem. However, when I started sending email to other recipients, they all had issues opening the mail, most with the error message "Your digital ID name could not be found by the underlying security system."
This error is normally associated with difficulty opening encrypted mail. Since I wasn’t using encryption, I couldn’t fathom why this was happening. Many Google searches and Microsoft Knowledge Base articles later, I still hadn’t found a solution. I finally had an “Ah-hah!” moment and found the problem. So, in the hope that someone will be spared some of my pain, here’s my problem and solution.
I had configured Outlook 2007 to use SHA512 as the hash algorithm for my signatures. Unfortunately, this is not as widely supported as one might hope: even on another Outlook 2007 installation at work, a message signed with SHA512 couldn't be opened. Changing the hash algorithm back to SHA1 let everyone start seeing my emails again. Note that this is a per-client setting for the signatures you create, not a property of the certificate itself, and the recipient's client is what decides whether the signature can be verified, so test with an external recipient before relying on a non-default algorithm.
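The quickest way to confirm that an algorithm mismatch, rather than a missing certificate, is behind a failure like this is to look at the digest algorithm recorded inside the signed message. The following is an added example, not code from the original post or from Outlook: a tiny DER walker that pulls the digest algorithm OIDs out of a CMS/PKCS#7 SignedData blob (the same structure that travels as the smime.p7s attachment of a signed mail) and reports an honest error when a client doesn't support them. The SignedData it builds is constructed for the demo with placeholder signer details and a dummy signature; the "legacy client that only knows SHA-1" is an assumption used to model the failure, not a statement about any specific Outlook version. To run it on a real message, base64-decode the smime.p7s part and pass the bytes to `digest_algorithms()`.

```python
"""Find the digest algorithm an S/MIME (CMS SignedData) signature uses.

A real signature can be produced with OpenSSL for comparison:
    openssl cms -sign -signer cert.pem -inkey key.pem -md sha512 \
        -in body.txt -outform DER -out signed.p7s
The SignedData built below is a constructed stand-in: placeholder issuer,
serial and signature bytes, only the envelope fields a verifier inspects.
"""

# Real OIDs from RFC 5652 / RFC 3370 / RFC 5754.
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_DATA = "1.2.840.113549.1.7.1"
SHA1_OID = "1.3.14.3.2.26"
SHA256_OID = "2.16.840.1.101.3.4.2.1"
SHA512_OID = "2.16.840.1.101.3.4.2.3"
HASH_NAMES = {SHA1_OID: "sha1", SHA256_OID: "sha256", SHA512_OID: "sha512"}
SIG_FOR_HASH = {  # sha1WithRSA, sha256WithRSA, sha512WithRSA
    SHA1_OID: "1.2.840.113549.1.1.5",
    SHA256_OID: "1.2.840.113549.1.1.11",
    SHA512_OID: "1.2.840.113549.1.1.13",
}

# --- minimal DER encode / decode ------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # ok for the 0/1/2.x arcs used here
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def alg_id(oid):
    return tlv(0x30, encode_oid(oid))  # AlgorithmIdentifier, no parameters

# --- constructed SignedData (detached signature, as in multipart/signed) ---
def build_signed_message(hash_oid):
    signer_info = tlv(0x30, b"".join([
        tlv(0x02, b"\x01"),                              # version 1
        tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x2a")),  # sid: placeholder issuer, serial 42
        alg_id(hash_oid),                                # digestAlgorithm (the field that matters)
        alg_id(SIG_FOR_HASH[hash_oid]),                  # signatureAlgorithm
        tlv(0x04, b"\x00" * 8),                          # signature: dummy bytes
    ]))
    signed_data = tlv(0x30, b"".join([
        tlv(0x02, b"\x01"),                              # version
        tlv(0x31, alg_id(hash_oid)),                     # digestAlgorithms SET
        tlv(0x30, encode_oid(ID_DATA)),                  # encapContentInfo, eContent absent
        tlv(0x31, signer_info),                          # signerInfos SET
    ]))
    return tlv(0x30, encode_oid(ID_SIGNED_DATA) + tlv(0xA0, signed_data))

# --- the check a verifier should do before blaming the certificate ---------
def digest_algorithms(der):
    """Digest OIDs claimed by SignedData.digestAlgorithms and every SignerInfo."""
    tag, content_info, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, ctype, pos = read_tlv(content_info)
    if decode_oid(ctype) != ID_SIGNED_DATA:
        raise ValueError("contentType is not id-signedData")
    _, explicit0, _ = read_tlv(content_info, pos)     # [0] EXPLICIT
    _, signed_data, _ = read_tlv(explicit0)
    sets = [v for t, v in children(signed_data) if t == 0x31]  # digestAlgorithms ... signerInfos
    found = {decode_oid(children(alg)[0][1]) for _, alg in children(sets[0])}
    for _, signer_info in children(sets[-1]):
        digest_alg = children(signer_info)[2][1]        # version, sid, digestAlgorithm, ...
        found.add(decode_oid(children(digest_alg)[0][1]))
    return found

def diagnose(der, supported_hashes):
    """The message a client should show instead of a misleading key-lookup error."""
    unsupported = digest_algorithms(der) - set(supported_hashes)
    if not unsupported:
        return "ok"
    names = ", ".join(HASH_NAMES.get(o, o) for o in sorted(unsupported))
    return "cannot verify: signature uses unsupported digest algorithm(s): " + names

if __name__ == "__main__":
    LEGACY_CLIENT = {SHA1_OID}  # assumption: a recipient client that only knows SHA-1
    for h in (SHA1_OID, SHA512_OID):
        print(HASH_NAMES[h], "->", diagnose(build_signed_message(h), LEGACY_CLIENT))
```

Running it prints `ok` for the SHA1-signed message and the "unsupported digest algorithm" line for the SHA512 one, which is the diagnosis the original error message hid. Against a real smime.p7s, `openssl asn1parse -inform DER -in signed.p7s` shows the same OIDs in context if you would rather not parse by hand.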
The "Your digital ID name could not be found by the underlying security system" error message is grossly misleading in this case! The system should really be reporting something like "The security system does not support the algorithm used to sign this message." I don't normally bash Microsoft, but in this case… you dropped the ball, guys! Since SHA1 has started to show some signs of weakness, I'm hopeful that SHA512 will be more widely supported in the future. But until then, keep your Outlook S/MIME settings at SHA1 for the signing hash and AES256 for encryption!
