The Encryption Management Server Verified Directory service allows users to publish their PGP keys and search for keys using the Verified Directory web portal.
Keys uploaded using the portal appear in the Encryption Management Server administration console under Consumers / Users / Verified Directory Users.
Verified Directory User keys can be used to encrypt email messages.
However, some Verified Directory keys cannot be used, even though the key appears under Consumers / Users / Verified Directory Users and you can find the key using the Verified Directory web portal:
These unusable keys uploaded using the Verified Directory portal almost always contain an S/MIME certificate. Although only PGP keys are supported by Verified Directory, some PGP keys include an S/MIME certificate. The following types of keys will include an S/MIME certificate:
Symantec Encryption Management Server 3.4.2 and above.
The key uploaded using the Verified Directory portal is not signed by the Verified Directory Key.
If you navigate to Reporting / Logs and select the Administration log, errors like this appear when the key has not been published correctly:
Failed to publish key "User Name <[email protected]>" (KeyID: 0xD5FBAC28) : cannot delete derived object while source object is present
Couldn't delete signature 0x12ca9e0: cannot delete derived object while source object is present
Even if a user can be found using the Verified Directory portal, the error "The public key could not be found. It may have been removed" when trying to download the key means that the key has not been signed by the Verified Directory Key and is unusable:
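The condition behind both symptoms is the absence of a certification by the Verified Directory Key on the published key. The following check is an added example, not Symantec or Broadcom code: it walks the OpenPGP packets of a binary (unarmored) public key and reports whether any signature packet names a given key ID as its issuer. The Verified Directory Key ID, the user key ID (the article's short ID padded to 64 bits) and the sample key bytes are constructed placeholders.

```python
import struct
def _length(data, pos):
    # New-format packet/subpacket length (RFC 4880 4.2.2); 4-byte and partial lengths not handled
    b = data[pos]
    if b < 192:
        return b, pos + 1
    if b < 224:
        return ((b - 192) << 8) + data[pos + 1] + 192, pos + 2
    raise ValueError("unsupported length encoding")
def iter_packets(data):
    # Yield (tag, body) for each packet of a binary (unarmored) key; old- and new-format headers
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:
            tag = ctb & 0x3F
            length, pos = _length(data, pos + 1)
        else:
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)  # old format: 1/2/4-byte length
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length
def signature_issuers(sig):
    # Issuer key IDs (hex) from the hashed and unhashed subpacket areas of a v4 signature packet
    if sig[0] != 4:
        return []
    issuers, pos = [], 4  # skip version, signature type, public-key alg, hash alg
    for _ in range(2):  # hashed area, then unhashed area
        end = pos + 2 + struct.unpack(">H", sig[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            sp_len, pos = _length(sig, pos)
            if sig[pos] & 0x7F == 16:  # subpacket type 16 = Issuer (high bit is the critical flag)
                issuers.append(sig[pos + 1:pos + sp_len].hex().upper())
            pos += sp_len
    return issuers
def is_signed_by(key, signer_key_id):
    # True if any signature packet in the key names signer_key_id as its issuer
    return any(signer_key_id.upper() in signature_issuers(b) for t, b in iter_packets(key) if t == 2)

# Constructed sample: correct packet layout but dummy key material and no valid signature MPIs
def _packet(tag, body):  # new-format header, for bodies under 192 bytes
    return bytes([0xC0 | tag, len(body)]) + body
def _certification(issuer_hex):  # v4 signature packet with a single Issuer subpacket
    sub = bytes([9, 16]) + bytes.fromhex(issuer_hex)  # length 9 = type byte + 8-byte key ID
    return _packet(2, bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(sub)) + sub + bytes(4))
USER_KEY_ID, VD_KEY_ID = "00000000D5FBAC28", "1111111111111111"  # placeholders, not real key IDs
UNSIGNED_KEY = _packet(6, bytes(11)) + _packet(13, b"User Name <user@example.com>") + _certification(USER_KEY_ID)
SIGNED_KEY = UNSIGNED_KEY + _certification(VD_KEY_ID)
```

Run it against a binary export of the key with the real Verified Directory Key ID; the check is structural only and does not verify the signature cryptographically.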
There are several ways of working around this issue:
If the user is classified as an External User, its key will be usable for encrypted email. Note that External Users will not be found when searching the Verified Directory portal. Please do the following:
The Verified Directory service can use a Vetting Method of Implicit, Manual or Email. Implicit vetting is more likely to result in keys not being signed by the Verified Directory Key.
Therefore, if you are using Implicit vetting and some keys submitted using the Verified Directory portal cannot then be found in the portal or used for email encryption, it may be worth changing the vetting method to Manual or Email. Note that with Email vetting, a verification email will be sent to the email address associated with the key:
If manual or email vetting resolves this issue but you have a key that was published using implicit vetting, it may be worth republishing the key using manual vetting:
By default, the mail rules that encrypt email messages have the Require verified key option enabled within the Action:
Disabling Require verified key will allow email messages to be encrypted to keys that have not been signed by the Verified Directory Key.
Broadcom is committed to product quality and satisfied customers. This issue is currently being considered by Broadcom to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this article periodically as any changes to the status of the issue will be reflected here.
Jira: EPG-21802