Re: outlook.com is not offering "end-to-end" email encryption
The link you provide is to the desktop app, which supports S/MIME
And has at least since 2003. Unfortunately, few people use it, probably because:
- X.509 PKI has always been, and remains, a mighty clusterfuck for non-experts to administer and use. Actually, it's a mighty clusterfuck for experts too; we're just aware of it.
- Users would have to obtain certificates from public CAs if they wanted recipients outside their organization to be able to verify their signatures, and that costs money.
- At least in the past, signatures weren't timestamped, so you had the usability problem that old messages would eventually start showing signature errors when the signing certificate expired. It's not much of a concern if you checked the signature before the certificate expired,[1] but it's annoying and confusing for users. I don't know if that's been fixed.
- The usual critical-mass problem: It's never become sufficiently popular to drive further adoption simply by its own popularity.
- Many security professionals, who might otherwise have helped drive S/MIME adoption, stick with PGP[2] instead.
- Outlook's S/MIME implementation has been problematic.
Personally, I trust Outlook's S/MIME more than whatever Microsoft is now touting as "Outlook end-to-end encryption" (even if that S/MIME implementation was largely useless as recently as last year). But in practice when I need encrypted email I use PGP, as only a few people I correspond with are set up for S/MIME.
[1] Except for the revocation problem. The issue there is that CAs remove expired certificates from CRLs and OCSP responses, because otherwise their lists of revoked certificates would grow unbounded. But that means that once a certificate has expired, you can't tell whether it was ever revoked (unless you saved that information yourself). Of course timestamps don't solve this problem, and arguably aggravate it. But revocation is its own special circle of PKI Hell.
[2] Well, with some OpenPGP implementation, usually gpg.