Information
This policy setting controls whether Outlook verifies the user's e-mail address with the
address associated with the certificate used for signing. If you enable this policy setting,
users can send messages signed with certificates that do not match their e-mail addresses.
If you disable or do not configure this policy setting, Outlook verifies that the user's e-mail
address matches the certificate being used for signing. The recommended state for this
setting is- Disabled.
*Rationale*
By default, when a user digitally signs a message, Outlook 2010 compares the user's e-mail
address with the certificate used for signing. The user's e-mail address must appear in
either the Subject field or the Subject Alternative Name field of the certificate, or Outlook
will not allow the user to sign the message with that certificate. If this configuration is
changed, users can send messages signed with certificates that do not match their e-mail
addresses, which could cause problems when the recipient attempts to read the message or
verify the signature.
Solution
To implement the recommended configuration state, set the following Group Policy setting
to Disabled.
User Configuration\Administrative Templates\Microsoft Outlook
2010\Security\Cryptography\Do not check e-mail address against address of certificates
being used
Impact-Disabling this setting enforces the default configuration in Outlook 2010, and is therefore
unlikely to cause usability issues for most users.