This package updates your CompanyCRYPT to version 1.4.0.
General benefits, added features and new functions since the release of 1.3.1:
- Auto Key Import
Keys and certificates may now be imported automatically:
- S/MIME certificate import is controlled by issuer and 'introducer' status.
- A selectable introducer status helps to still use a larger pool of CAs for signature verification.
- Protection from overwriting existing keys.
- Even private keys may be automatically imported, if sharing a common password.
- Selectable notifications on all events (with customizable templates).
- Administrative action is no longer needed to set up encryption between internal users and external partners.
- S/MIME certificate chain support
More and more (especially gateway) certificates are no longer issued by Trustcenter root CA certificates.
Instead, Sub-CA certificates are used, which are commonly not included in client certificate stores.
This makes it impossible for the external partner to verify the signature. CompanyCRYPT helps you to
circumvent this effect by including all certificates of the issuer chain.
- Outgoing signing: Issuer certificates are included in all S/MIME signatures.
- Incoming verification: Included certificates are used for signature verification (excluding the last root certificate).
- WebGUI reorganized
As more and more functions were added, it became necessary to adapt the WebGUI to access these functions more efficiently.
- A new startup view provides a more intuitive way to access administrative functions.
- Most list views are now split into pages to cut down the amount of HTML code. This has had a very positive effect on the display speed.
- The update tab lets you see more easily if CompanyCRYPT is up-to-date.
- Log views let you browse the available history and, if needed, can be expanded to display a larger portion.
- Key files can now be uploaded from your desktop straight into the import area.
- Mozilla Firefox is now supported.
- MIKE (Keyserver) can be used by internal users
Internal users may pass their personal key to external partners by addressing an email request to MIKE and typing the target address for the
key in the subject. This will result in the usual (template based) key-reply, addressed to the external partner. In this context,
the automatic key generation may be used to generate an internal user key.
- Improved 'Decrypt Summary' appearance
As most clients use a large Times-New-Roman font for displaying unspecified text, the decrypt summary never really looked pretty.
This is changed now by using formatted HTML.
- Customizable title line.
- Selectable HTML/CSS style (especially for Lotus Notes clients).
- Adjustable font size.
(A word for those who expect templates: Due to the multitude of variations, it's unlikely we will ever see a
template-based solution. However, don't hesitate to tell us how you want the decrypt summary to look and we will
see how close we can get to this.)
- New tool 'SyncManager'
A new tool (SyncManager.exe) has been added. Its main purpose is to help set up synchronisation in
distributed environments. It's located in the CompanyCRYPT installation folder and provides the following functions:
- Entering licence details.
- Setting up synchronisation.
- Configuring local (system specific) parameters.
Miscellaneous:
- Usability improvements
- All notifications and especially the MIKE/Keyserver-replies are now also using HTML templates for the body
text.
- User-controlled encryption can now additionally be triggered by fully configurable MIME header lines. This
opens opportunities to use Groupware-specific functions (e.g. Lotus Notes: X-Notes-Item: 1; encrypted)
- The processing options for user-requested ('user-controlled') encryption have been expanded. If PGP or S/MIME
keys are not available, the administrator may now select what to do next (send Ad-Hoc encrypted, raise a fail condition,
send plain).
- For faster examination, known issuers in S/MIME certificates are linked to the issuer certificate within the
'Trusted CA Store'.
- Compatibility improvements
- PGP/MIME:
Some Linux-KDE and Macintosh email clients don't exactly follow RFC 3156 and add a Content-Transfer-Encoding
line (7Bit) in the MIME header after encryption. Though unnecessary, because the new container type
is multipart, this does no harm during transmission. Unfortunately, after decryption the original
content transfer encoding is transferred back to the header, in addition to the 7Bit-encoding line.
In this case the client either produces an error or displays the content incorrectly. CompanyCRYPT will now
automatically correct this.
- WEB.DE:
This internet freemailer even offers S/MIME functionality in the web portal for its freemail accounts.
However, we have seen encrypted containers that hold the complete original MIME header instead of only
the content lines (as defined by RFC). This may result in a doubled display of sender and/or recipients.
CompanyCRYPT will automatically remove these unnecessary lines.
- Outlook:
If the internal mail system adds empty lines (CRLF) to the end of a multipart message (after the
last multipart boundary), it is likely that S/MIME signatures made on these messages are declared invalid
by external 'Outlook' recipients. The error message says that the content was changed after signing.
It seems that Outlook 'cuts away' the trailing CRLF before checking the signature. To avoid this, CompanyCRYPT
now checks for such lines and removes them before signing the message.
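The trailing-line cleanup described for Outlook above, sketched in Python as an added example (not CompanyCRYPT's own code). The function names, boundary string and sample message are constructed for illustration; SHA-256 stands in for the digest a signature covers, and keeping the line terminator of the closing boundary itself is an assumption.

```python
import hashlib
import re

def strip_after_closing_boundary(body: bytes, boundary: str) -> bytes:
    """Remove empty lines that follow the closing delimiter (--boundary--)."""
    pattern = re.compile(
        rb"^--" + re.escape(boundary.encode("ascii")) + rb"--[ \t]*(\r?\n)?",
        re.MULTILINE,
    )
    matches = list(pattern.finditer(body))
    if not matches:
        return body  # no closing delimiter found: leave the body untouched
    end = matches[-1].end()  # includes the delimiter's own line terminator
    if body[end:].strip(b"\r\n \t"):
        return body  # a real epilogue with content is not altered
    return body[:end]

def digest(body: bytes) -> str:
    """Digest over the exact bytes, as a signer or verifier would compute it."""
    return hashlib.sha256(body).hexdigest()

# Constructed sample: a two-part body as the sender's client produced it.
BOUNDARY = "=_constructed_boundary_01"
CLEAN = (
    b"--=_constructed_boundary_01\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Quarterly figures attached.\r\n"
    b"--=_constructed_boundary_01\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"(constructed attachment bytes)\r\n"
    b"--=_constructed_boundary_01--\r\n"
)
# The same body after the internal mail system appended two empty lines.
PADDED = CLEAN + b"\r\n\r\n"

if __name__ == "__main__":
    # Signing PADDED while the verifier hashes the trimmed form gives a mismatch.
    print("digests equal before cleanup:", digest(PADDED) == digest(CLEAN))
    fixed = strip_after_closing_boundary(PADDED, BOUNDARY)
    print("digests equal after cleanup: ", digest(fixed) == digest(CLEAN))
```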
Security issues:
- S/MIME Module (OpenSSL) update to v0.9.8g
The latest version of OpenSSL is part of this update. Most of the development steps are of no effect for
CompanyCRYPT. Only the change from 0.9.8d to 0.9.8e solved a problem that we experienced during testing
("Various ciphersuite selection fixes"). The following links provide more details.
Problems addressed from release v1.3.1:
- Decrypt summary language
It was not possible to select the option 'NONE' via the WebGUI. This has been fixed.
- Permanent lockfile
Due to an incorrect routine the CCSrvCtrl.sys lock file was permanently present. This could cause
delays, but they were usually less than 0.2 sec and therefore below perception. This has been fixed.
- Multipart boundary not recognized
Some SAP systems produce MIME headers where the boundary value is not nested in hyphens (as defined
by RFC). In addition, other parameters are written in the same line. This combination prevented
proper boundary detection. The detection has been improved to handle even this.
- Site-To-Site setup bug
The WebGUI routine to extract data from HTTP did not work correctly in the site-to-site tab. Whenever a
value in the web form matched one of the parameter names, the value was discarded. This effectively prevented
the setup of site-to-site links with certain keys.