
Verified Directory Submission Permissions can overwrite keypair data when enabled


Article ID: 150386


Updated On:

Products

Encryption Management Server
Gateway Email Encryption

Issue/Introduction

 

Resolution

Verified Directory Submission Permissions allow both Internal Users and Verified Directory Users to submit keys to the Verified Directory so that they can later be found by key searches. By default, a key submitted through the Verified Directory goes into a pending state and must be approved manually by the Verified Directory Administrator; only after approval is the key published.

If the Verified Directory Administrator enables submissions (a change from the default behavior), Internal Users or Verified Directory Users can upload key material that changes what is stored on the server.

If an Internal User whose keypair is stored on the Symantec Encryption Management Server uploads the same key to the Verified Directory, the stored keypair is replaced with the user's public key only, and the private key previously held on the server is discarded. Symantec recommends keeping the default Verified Directory settings, under which Internal Users cannot upload keys to the Verified Directory. Alternatively, a second server with no Internal Users can be deployed solely as the organization's Verified Directory, or Internal Users can submit keys to the PGP Global Directory at https://keyserver.pgp.com.

When the submitted key has a different Key ID but the same email address as a key already on the server, the user is asked whether to replace the existing key, and permission to replace it is required before the change takes effect.
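The two situations described above, the same key re-submitted as a public key only (which would discard the stored private key) and a different key carrying the same email address (which triggers the replacement prompt), can be told apart by inspecting the two key blobs before a submission is approved. The following Python script is an added example and is not code from Symantec or from the Encryption Management Server. It assumes both the stored key and the pending submission are available as binary OpenPGP packet sequences (for example, exported from the server console and taken from the submission); the parsing follows RFC 4880, and the RSA values, creation time and User ID in the sample blobs are constructed here with toy sizes and are not usable keys.

```python
# Added example, not code from Symantec Encryption Management Server: parses binary
# OpenPGP key blobs (RFC 4880) to tell whether accepting a Verified Directory
# submission would discard a stored private key. Sample keys below are constructed.
import hashlib

# OpenPGP packet tags (RFC 4880 section 4.3).
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, USER_ID = 5, 6, 7, 13
# Number of public MPIs per public-key algorithm (RFC 4880 section 5.5.2).
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
# Outcomes of accepting a submission against the key already stored on the server.
PRIVATE_KEY_LOST = "same key, public only: stored keypair reduced to its public key"
NO_CHANGE = "same key: stored key material unchanged"
REPLACE_PROMPT = "different key, same email: user asked to replace, permission required"
UNRELATED = "unrelated key"

def parse_packets(blob):
    """Split a binary OpenPGP blob into (tag, body) pairs (RFC 4880 section 4.2)."""
    packets, i = [], 0
    while i < len(blob):
        octet = blob[i]
        if not octet & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        if octet & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag, first = octet & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (octet >> 2) & 0x0F, octet & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(blob[i + 1:i + 1 + size], "big"), 1 + size
        body = blob[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        packets.append((tag, body))
        i += hdr + length
    return packets

def public_portion(body):
    """Public fields of a v4 key packet: version, creation time, algorithm, public MPIs.
    A secret-key packet starts with the same fields, so this drops its secret material."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled")
    pos = 6  # after version (1), creation time (4), algorithm (1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8  # 2-octet bit count, then the MPI octets
    return body[:pos]

def key_id(body):
    """v4 Key ID: low 64 bits of SHA-1 over 0x99, 2-octet length, public portion."""
    pub = public_portion(body)
    return hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).digest()[-8:].hex().upper()

def uid_email(uid):
    """Email address from a User ID packet body such as b'Name <user@example.com>'."""
    text = uid.decode("utf-8")
    return text[text.rfind("<") + 1:text.rfind(">")] if "<" in text else text

def summarize(blob):
    """Primary Key ID, whether any secret-key packets are present, and the emails."""
    packets = parse_packets(blob)
    primary = next(b for t, b in packets if t in (SECRET_KEY, PUBLIC_KEY))
    return {"key_id": key_id(primary),
            "has_secret": any(t in (SECRET_KEY, SECRET_SUBKEY) for t, _ in packets),
            "emails": [uid_email(b) for t, b in packets if t == USER_ID]}

def assess_submission(stored, submitted):
    """What accepting `submitted` would do to the `stored` key on the server."""
    s, n = summarize(stored), summarize(submitted)
    if s["key_id"] == n["key_id"]:
        return PRIVATE_KEY_LOST if s["has_secret"] and not n["has_secret"] else NO_CHANGE
    return REPLACE_PROMPT if set(s["emails"]) & set(n["emails"]) else UNRELATED

# Constructed sample keys: toy RSA values, not usable keys, new-format one-octet lengths.
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body

def _mpi(value):
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _rsa_public_fields(n, e):  # version 4, creation time, algorithm 1 (RSA), n, e
    return b"\x04" + (1500000000).to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)

_PUBLIC = _rsa_public_fields(0xC0FFEE, 65537)
_SECRET_MPIS = _mpi(0x1234) + _mpi(0x5) + _mpi(0x7) + _mpi(0x3)  # d, p, q, u
# S2K usage 0x00 = unencrypted secret MPIs, followed by their 2-octet checksum.
_SECRET = _PUBLIC + b"\x00" + _SECRET_MPIS + (sum(_SECRET_MPIS) % 65536).to_bytes(2, "big")
_UID = _packet(USER_ID, b"Alice Example <alice@example.com>")
STORED_KEYPAIR = _packet(SECRET_KEY, _SECRET) + _UID      # what the server holds
SUBMITTED_PUBLIC = _packet(PUBLIC_KEY, _PUBLIC) + _UID    # same key, public part only
OTHER_KEY = _packet(PUBLIC_KEY, _rsa_public_fields(0xBEEF, 65537)) + _UID  # new key, same email
```

Calling `assess_submission(STORED_KEYPAIR, SUBMITTED_PUBLIC)` returns the `PRIVATE_KEY_LOST` outcome because the Key IDs match but only the stored blob carries secret-key packets; `assess_submission(STORED_KEYPAIR, OTHER_KEY)` returns `REPLACE_PROMPT` because the Key IDs differ while the User ID email is the same. Real exports usually use old-format packet headers, which the parser also accepts; keys with partial-body or indeterminate lengths are rejected rather than misread.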

Vetting Method
If "Implicit" is used, the submitted key is imported without further approval. If "Manual" is used, the Administrator must approve the key. If "Email" is used, the user associated with the email address on the key receives an email asking them to approve the change.

Symantec recommends using the default Email vetting method.

Allow Submission
If, for any reason, the Verified Directory Administrator does not want end users to be able to change keys that are on the keyserver, whether public keys or keypairs, uncheck "Allow Submission" for Internal Users, for Verified Directory Users, or for both. Review these settings carefully so that stored key data is not overwritten unintentionally.

 

Etrack: 3895472