When you send an encrypted message from Microsoft Office Outlook 2010 to a recipient who uses a third-party email client, such as Lotus Notes, Entrust, SeaMonkey, or Thunderbird, the recipient may be unable to read the encrypted message. For example, Thunderbird may display the following message in the message body when the recipient opens it:
Thunderbird cannot decrypt this message
The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.
- If you have a smartcard, please insert it now.
- If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12".
Thunderbird may also display one or both of the following warnings:
Message Has No Digital Signature
This message does not include the sender's digital signature. The absence of a digital signature means that the message could have been sent by someone pretending to have this email address. It is also possible that the message has been altered while in transit over the network. However, it is unlikely that either event has occurred.
Message Cannot Be Decrypted
This message was encrypted before it was sent to you, but it cannot be decrypted. There are unknown problems with this encrypted message.
Additionally, Microsoft Entourage 2008 (included in Microsoft Office 2008 for Mac) and Microsoft Outlook 2011 for Mac may be unable to decrypt email messages sent from Outlook 2010. Outlook 2011 for Mac may display the following error:
The security of this message cannot be verified because of an error.
Some BlackBerry users may also receive an error message in this case. The error is displayed as follows:
This S/MIME data is encrypted but cannot be decrypted because the required private key is not present on your handheld. You may update your handheld's key store using the certificate synchronization software in the BlackBerry desktop manager. The missing certificate corresponds to one of the following serial number, issuer pairs:
Outlook 2010 implements the Cryptographic Message Syntax (CMS), as documented in RFC 5652, more fully than earlier versions did. In CMS, the field that tells a recipient which certificate (and therefore which private key) to use, the RecipientIdentifier in each KeyTransRecipientInfo of an EnvelopedData, and likewise the SignerIdentifier in a SignedData, is a CHOICE between issuerAndSerialNumber and subjectKeyIdentifier. Earlier versions of Outlook always used issuerAndSerialNumber; Outlook 2010 uses subjectKeyIdentifier, which names the certificate by the value of its X.509 Subject Key Identifier extension instead of by issuer name and serial number. Some email clients and third-party platforms do not yet support subjectKeyIdentifier as the identifier, even though the RFC defines it, so they cannot match the message to the recipient's certificate and cannot decrypt it. This is why the BlackBerry error above asks for a missing "serial number, issuer" pair: that client only knows how to look certificates up that way. A quick check on the message itself: a KeyTransRecipientInfo that uses subjectKeyIdentifier carries version 2 (version 0 for issuerAndSerialNumber), and in the DER encoding the identifier appears as a context-specific [0] tag (0x80) instead of a SEQUENCE (0x30).
The RFC is available at http://tools.ietf.org/html/rfc5652 (section 5.3 defines SignerIdentifier; section 6.2.1 defines RecipientIdentifier and the matching version values).
The recipient should check with their email client vendor to determine whether an update that addresses this issue is available for their email client.
As a workaround, you can set the following registry value on the sender's client to make Outlook 2010 revert to the issuerAndSerialNumber behavior of earlier Outlook versions. Note that this is a per-sender setting: it has to be applied on every Outlook 2010 installation that sends to affected recipients, and the recipient cannot fix the problem from their side.
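The following script shows how to tell, from the raw CMS blob (the smime.p7m attachment, after base64 decoding), which RecipientIdentifier form a sender used, so that a support engineer can confirm this cause rather than guess. It is an added example written for this article, not Microsoft or Mozilla code. It contains a minimal DER reader for the definite-length subset S/MIME clients emit, a report of the rid CHOICE and KeyTransRecipientInfo version for each recipient, and two constructed sample messages (one in the pre-2010 issuerAndSerialNumber style, one in the Outlook 2010 subjectKeyIdentifier style) whose key and ciphertext bytes are placeholders rather than real encryption.

```python
"""Inspect which RecipientIdentifier CHOICE a CMS EnvelopedData uses (RFC 5652, 6.2.1).

Constructed example for this article. Handles DER definite lengths only; the sample
messages below carry placeholder key/ciphertext bytes, not real encryption.
"""

# OIDs as DER content bytes (without the 0x06 tag and length)
ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3 id-envelopedData
DATA_OID = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1 id-data
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
AES128_CBC_OID = bytes.fromhex("608648016503040102")      # 2.16.840.1.101.3.4.1.2 aes128-CBC
CN_OID = bytes.fromhex("550403")                          # 2.5.4.3 commonName

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_PRINTABLE = 0x02, 0x04, 0x06, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_CTX0_PRIMITIVE = 0x80    # [0] IMPLICIT on a primitive: subjectKeyIdentifier, encryptedContent
TAG_CTX0_CONSTRUCTED = 0xA0  # [0] EXPLICIT: ContentInfo.content


def der_length(n):
    """DER length octets: short form below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(n):
    """Minimal two's-complement encoding of a non-negative INTEGER (versions, serial numbers)."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at buf[pos]; DER definite lengths only."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0:
            raise ValueError("indefinite length (BER) is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def read_children(content):
    """Split the content of a constructed type into its (tag, content) elements."""
    children, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        children.append((tag, value))
    return children


def issuer_cn(name_content):
    """Pull the commonName out of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in read_children(name_content):
        for _, atv in read_children(rdn):
            (_, oid), (_, value) = read_children(atv)
            if oid == CN_OID:
                return value.decode("ascii")
    return None


def recipient_identifiers(cms_der):
    """For every KeyTransRecipientInfo, report which RecipientIdentifier CHOICE the sender used."""
    outer_tag, content_info, _ = read_tlv(cms_der)
    (_, content_type), (wrap_tag, wrapped) = read_children(content_info)
    if (outer_tag, content_type, wrap_tag) != (TAG_SEQUENCE, ENVELOPED_DATA_OID, TAG_CTX0_CONSTRUCTED):
        raise ValueError("not a CMS EnvelopedData ContentInfo")
    _, enveloped, _ = read_tlv(wrapped)
    # EnvelopedData: version, [0] originatorInfo OPTIONAL, SET OF RecipientInfo, encryptedContentInfo, ...
    recipient_infos = next(value for tag, value in read_children(enveloped) if tag == TAG_SET)
    report = []
    for ri_tag, ri in read_children(recipient_infos):
        if ri_tag != TAG_SEQUENCE:           # kari [1], kekri [2], pwri [3], ori [4]: not key transport
            report.append({"rid": "not-ktri", "tag": ri_tag})
            continue
        (_, version), (rid_tag, rid), *_ = read_children(ri)
        entry = {"version": int.from_bytes(version, "big")}
        if rid_tag == TAG_SEQUENCE:          # issuerAndSerialNumber (ktri version 0): every client handles this
            (_, issuer), (_, serial) = read_children(rid)
            entry.update(rid="issuerAndSerialNumber", issuer_cn=issuer_cn(issuer), serial=int.from_bytes(serial, "big"))
        elif rid_tag == TAG_CTX0_PRIMITIVE:  # subjectKeyIdentifier (ktri version 2): what Outlook 2010 emits
            entry.update(rid="subjectKeyIdentifier", skid=rid.hex())
        else:
            raise ValueError("unexpected RecipientIdentifier tag 0x%02x" % rid_tag)
        report.append(entry)
    return report


# --- constructed sample messages (placeholder key and ciphertext bytes, no real encryption) ---
def rid_issuer_and_serial(issuer_cn_text, serial):
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, CN_OID) + tlv(TAG_PRINTABLE, issuer_cn_text.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, tlv(TAG_SET, atv)) + der_integer(serial))


def rid_subject_key_identifier(skid):
    return tlv(TAG_CTX0_PRIMITIVE, skid)


def build_enveloped_data(rid, ktri_version):
    key_transport = tlv(TAG_SEQUENCE, der_integer(ktri_version) + rid
                        + tlv(TAG_SEQUENCE, tlv(TAG_OID, RSA_ENCRYPTION_OID) + b"\x05\x00")
                        + tlv(TAG_OCTET_STRING, b"\x00" * 16))
    encrypted_content = tlv(TAG_SEQUENCE, tlv(TAG_OID, DATA_OID)
                            + tlv(TAG_SEQUENCE, tlv(TAG_OID, AES128_CBC_OID) + tlv(TAG_OCTET_STRING, b"\x00" * 16))
                            + tlv(TAG_CTX0_PRIMITIVE, b"\x00" * 16))
    # EnvelopedData version is 0 only when every ktri is version 0 (RFC 5652, 6.1); otherwise 2
    enveloped = tlv(TAG_SEQUENCE, der_integer(0 if ktri_version == 0 else 2) + tlv(TAG_SET, key_transport) + encrypted_content)
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, ENVELOPED_DATA_OID) + tlv(TAG_CTX0_CONSTRUCTED, enveloped))


LEGACY_MESSAGE = build_enveloped_data(rid_issuer_and_serial("Example CA", 0x1234), ktri_version=0)
OUTLOOK2010_MESSAGE = build_enveloped_data(
    rid_subject_key_identifier(bytes.fromhex("0123456789abcdef0123456789abcdef01234567")), ktri_version=2)

if __name__ == "__main__":
    for label, message in (("pre-2010 style", LEGACY_MESSAGE), ("Outlook 2010 style", OUTLOOK2010_MESSAGE)):
        print(label, recipient_identifiers(message))
```

To run it against a real message, base64-decode the smime.p7m attachment and pass the bytes to recipient_identifiers(). A "subjectKeyIdentifier" entry with version 2 for the recipient's certificate, on a client that shows one of the errors above, confirms this article's cause; an "issuerAndSerialNumber" entry points to an ordinary missing-key or wrong-certificate problem instead. The same structure can be eyeballed with OpenSSL (openssl cms -inform DER -cmsout -print), which prints the rid field of each RecipientInfo.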
Important This method contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For more protection, back up the registry before you modify it so that you can restore the registry if a problem occurs. For more information about how to back up and then restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows