[Users] SMIME - Validity Discrepancies.

ENI info at endeavor-networks.com
Wed Sep 17 20:02:41 CEST 2014


>>> 
>>> Receiver sees the Signature OK icon, and the statement "Good
>>> signature from <sender name>".
>>> 
>>> If the receiver clicks on the Signature OK icon, the message pane
>>> conveys:
>>> 
>>> Good signature from 
>>> uid "CN=<redacted>" (Validity: Unknown)
>>> uid "<redacted>" (Validity: Unknown)
>>> 
>>> Q2 - Why the discrepancy (Signature OK vs. Validity:Unknown)?
>>>  
>> 
>> There's no discrepancy, these are different concepts:
>> https://www.gnupg.org/gph/en/manual/x334.html
>> 
>> HTH,
>> -- 
>> Ricardo Mones 
>> 

Ricardo or Other:

Keeping in mind that the following conditions exist:

Our sender and receiver have each imported the X.509 Root CA and
Intermediate CA certs, and have disabled CRL checking in the GPA
Backend Preferences, as CRL has not been implemented.

Actually, lets simplify the situation further. The sender and receiver
email accounts are configured in the same CM installation, on the same
system. GPA Key Manager's lower pane indicates "Fully Valid" for all
keys, while the upper pane indicates "Unknown" for the Intermediate CA
and user keys.

Q1. What would be required for the receiver to see something more
assuring than:

Good signature from 
uid "CN=<redacted>" (Validity: Unknown)
uid "<redacted>" (Validity: Unknown)

... when they click on the Signature OK icon?


Q2. Would "(Validity: Unknown)" be solely due to the absence of a CRL
check, or some other cause?

Q3. Would "(Validity: Unknown)" be an indication that we should believe
the validity status conveyed in Key Manager's upper pane, and disbelieve
the validity status conveyed in the lower pane?


Following the initial importation of the Root CA certificate, we were
presented with a pop-up dialog when we clicked on that key in the Key
Manager's list. That dialog allowed us to convey that we ~ trusted the
key/cert and that it's fingerprint was correct.

When we disabled CRL checking in the GPA Backend Preferences, the
Key Validity status indicated in the lower pane of Key Manager,
transitioned from "Incomplete" to "Fully Trusted" for the Intermediate
CA and user keys.

Other than that, we have not observed any other means of manually
affecting key validity for X.509 keys/certificates in GPA.

Regards,
ENI



More information about the Users mailing list