Encryption Management Server uses revoked certificates for email encryption

Article ID: 162379

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Encryption Management Server may allow revoked certificates to be imported and used for email encryption.

Prior to release 3.4 MP1 the following certificate validation occurs:

  1. If an External User's certificate chain is not trusted, the user's certificate can be imported and is used for email encryption. The revocation status of the certificate is not checked. This can result in messages being encrypted to revoked certificates.
  2. If an External User's certificate chain is trusted, the user's certificate cannot be imported or used for encryption if it is revoked.
  3. Intermediate certificates are imported into Trusted Keys without any validation. This can result in revoked Intermediate certificates being imported and trusted.

Release 3.4 MP1 contains a new configuration setting to enforce stricter certificate validation. When the new setting is enabled, the following validation occurs:

  1. If an External User's certificate chain is not trusted, the user's certificate cannot be imported or used for email encryption. This applies whether or not the certificate is revoked.
  2. If an External User's certificate chain is trusted, the user's certificate cannot be imported or used for encryption if it is revoked.
  3. Intermediate certificates cannot be imported unless the Root certificate is already present.
  4. Intermediate certificates that have been revoked cannot be imported.
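The two validation regimes above, as an added example that is not Symantec's code: a small Python model that builds a constructed Root / Intermediate / user certificate chain with the `cryptography` library and applies the pre-3.4 MP1 rules and the strict rules to it. The function names, the sample certificate names and the CRL-based revocation check are assumptions; the page does not describe the product's own checking mechanism.

```python
# Added example, not Symantec's code: legacy vs. strict import rules with real chain/CRL checks.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # fixed clock for the constructed sample certificates
def make_cert(cn, key, issuer_cert, issuer_key, ca):  # issuer_cert=None -> self-signed root
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
def make_crl(issuer_cert, issuer_key, revoked):  # CRL from issuer_cert listing `revoked` serials
    b = x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
    b = b.last_update(NOW).next_update(NOW + dt.timedelta(days=30))
    for c in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(
            c.serial_number).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())
def issued_by(cert, issuer):  # True when `issuer` both names and signs `cert`
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == issuer.subject
    except InvalidSignature:
        return False
def is_revoked(cert, crls):  # listed on a CRL issued by the cert's own issuer
    return any(crl.issuer == cert.issuer and crl.get_revoked_certificate_by_serial_number(
        cert.serial_number) is not None for crl in crls)
def may_import(chain, trusted_roots, crls, strict):  # chain = [user, intermediate, ...], root excluded
    linked = all(issued_by(chain[i], chain[i + 1]) for i in range(len(chain) - 1))
    if not (linked and any(issued_by(chain[-1], r) for r in trusted_roots)):
        return (not strict, "chain not trusted")  # pre-3.4 MP1 imports it with no revocation check
    if any(is_revoked(c, crls) for c in chain):  # the user cert or any intermediate
        return (False, "revoked")
    return (True, "trusted and not revoked")
def sample_decisions():  # constructed PKI: Root -> Intermediate -> user, with the user cert revoked
    rk, ik, uk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root", rk, None, rk, True)
    inter = make_cert("Intermediate", ik, root, rk, True)
    user = make_cert("user", uk, inter, ik, False)
    crls = [make_crl(inter, ik, [user])]
    return {(strict, has_root): may_import([user, inter], [root] if has_root else [], crls, strict)
            for strict in (False, True) for has_root in (False, True)}
```

`sample_decisions()` returns the decision for each (strict, root-trusted) combination: only the legacy mode with an untrusted chain accepts the certificate, and it does so without ever consulting the CRL.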

If a user certificate is revoked and its chain is trusted, Encryption Management Server writes a warning like the following to the Administration log when an attempt is made to import it:

Not importing user "<[email protected]>" (KeyID: 0x0ABC1D23) because the key has been revoked

Resolution

Encryption Management Server includes over one hundred trusted certificates from well-known Certificate Authorities, so the revocation status of many S/MIME certificates is checked automatically. Exceptions include S/MIME certificates issued by internal Certificate Authorities and certificates found on third-party keyservers (Encryption Management Server can be configured to search third-party keyservers for certificates automatically).

To trust a new Root or Intermediate certificate, use the Add Trusted Key button on the Keys / Trusted Keys page of the Encryption Management Server administration console and ensure that the option Trust key for verifying mail encryption keys is enabled.

The stricter certificate validation available in release 3.4 MP1 and above ensures that email is never encrypted to a revoked certificate, but it is likely to reduce the number of outbound email messages that can be encrypted. Enabling the additional validation is therefore a trade-off between convenience and compliance.

Please contact Symantec Technical Support to enable the new stricter certificate validation available in release 3.4 MP1 and above.

Additional Information

245103 - Key Revocation of PGP Keys on Symantec Encryption Management Server (PGP Server) - Revoking Keys on PGP Server