Troubleshooter: Using OWA with S/MIME-Based Advanced Security Features
Can OWA users read and send encrypted or signed messages?
April 23, 2002
We plan to start using Exchange Server's Secure MIME (S/MIME)-based advanced security features. Will Outlook Web Access (OWA) users be able to read and send encrypted or signed messages?
Perhaps. S/MIME is an end-to-end, client-side protocol. When Alice sends Bob an encrypted message, Alice's S/MIME client encrypts the message on her computer, using the public key in Bob's certificate. The message stays encrypted on the Exchange server until Bob's computer decrypts it with his private key; at that point Bob can leave the encrypted version on the server or replace it with the decrypted version. The same holds for signed messages: the signer's client signs the message with the signer's private key before the message leaves the computer. At no point does the Exchange server need either user's private key.

This design is more secure than requiring users to store their private keys on a central server, but it means that a user can't decrypt (or sign) without a local copy of his or her private key. POP and IMAP S/MIME clients can retrieve and read S/MIME messages, provided that the user's certificate and private key are installed on the local machine. OWA users can't, because OWA runs in the browser and has no way to use a certificate and private key stored on the local machine (assuming one is installed there at all), and the server side of OWA doesn't hold the key either, so OWA has no way to recover the plaintext. Technically, Microsoft could add code to OWA's client-side controls to let them use locally stored certificates to read and verify S/MIME messages. If you'd like to see this feature implemented, I suggest you write to [email protected].
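To make the end-to-end property concrete, here is an added shell example (not from the column, and not Microsoft's or Exchange's code) that uses the openssl command-line tool to play the three parties: Alice's client signs and then encrypts, the "server" merely stores the resulting ciphertext, and only a client holding Bob's private key can recover and verify the message. The identities (alice, bob), the message text, the token used to detect plaintext and the file names are all constructed for the example; in a real deployment the certificates would be issued by the enterprise CA rather than self-signed.

```shell
#!/bin/sh
# Added example (not from the column): S/MIME is end-to-end, so the mail server
# only ever holds ciphertext and cannot decrypt without the recipient's private key.
# Requires the openssl CLI. Keys, certificates and the message are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A marker that cannot appear inside a base64 body (hyphens are not base64
# characters), so grepping for it in the stored message reliably detects plaintext.
TOKEN='project-kestrel'

# Self-signed identity for one user (hypothetical; production certs come from a CA).
mk_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mk_identity alice   # sender: signs with alice.key
mk_identity bob     # recipient: decrypts with bob.key

# Alice's client: sign with her private key, then encrypt to Bob's certificate.
# Both steps happen on Alice's machine; the encrypted result is what Exchange stores.
alice_sends() {
  printf 'Subject: quarterly numbers\n\nCodename %s, revenue 42.\n' "$TOKEN" > "$WORK/plain.txt"
  openssl smime -sign -in "$WORK/plain.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/signed.eml"
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/stored_on_server.eml" "$WORK/bob.crt"
}

# What the server (or an OWA session with no access to Bob's key) can see.
# Returns 0 only if the stored message exposes the plaintext.
server_sees_plaintext() {
  grep -q "$TOKEN" "$WORK/stored_on_server.eml"
}

# Bob's client: decrypt with his private key, then verify Alice's signature
# against her certificate. Returns 0 only if the original text is recovered.
bob_reads() {
  openssl smime -decrypt -in "$WORK/stored_on_server.eml" \
      -inkey "$WORK/bob.key" -recip "$WORK/bob.crt" |
    openssl smime -verify -CAfile "$WORK/alice.crt" \
      -out "$WORK/recovered.txt" >/dev/null 2>&1
  grep -q "$TOKEN" "$WORK/recovered.txt"
}

# Anyone without Bob's private key (here Alice, trying her own key) fails.
# Returns 0 only if decryption unexpectedly succeeds.
decrypt_with_wrong_key() {
  openssl smime -decrypt -in "$WORK/stored_on_server.eml" \
    -inkey "$WORK/alice.key" -recip "$WORK/alice.crt" >/dev/null 2>&1
}

alice_sends
if server_sees_plaintext; then echo "server can read plaintext (unexpected)"
else echo "server holds ciphertext only"; fi
if bob_reads; then echo "bob decrypted and verified the message"; fi
if decrypt_with_wrong_key; then echo "wrong key worked (unexpected)"
else echo "wrong key rejected"; fi
```

In the column's terms, OWA is in the same position as the stored_on_server.eml check: it can hand the browser the stored message, but without bob.key nothing on either side can produce recovered.txt. Note also the trade-off the column mentions: if Bob's client replaces the encrypted copy on the server with the decrypted one, the "server holds ciphertext only" property is gone for that message.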