Key extraction
|
|
Key extraction works in the following way:
- When decrypting an email message on a policy route, the
- If an appropriate key or certificate is detected, it is extracted.
- The extracted key or certificate is added to the
Extracted keys and certificates can then be used for encryption and signature verification (although S/MIME certificates may have usage restrictions).
Tell me about...
-
Rules applying to all key extraction
The following table displays which keys are never extracted:
Key type Extracted? Expired keys No Private keys No Keys already in the No Notes
- Apart from valid sub-CA certificates, all other extracted certificates and keys are treated by default as unsafe to use when they are added to the certificate store.
- Unsafe certificates and keys are marked as disabled in the certificate store to prevent them from being used for encryption and signature verification.
-
You can use the Key Extraction default settings to choose whether extracted keys are automatically enabled for encryption when they are added to the certificate store.
-
Rules applying to PGP key extraction only
PGP key extraction is not compliant with FIPS and is unavailable if the The following table displays which PGP key types are extracted.
PGP key type Extracted? PGP key-ring files No PGP keys embedded within attachments No Private PGP keys No PGP keys in the body text or HTML of a message Yes PGP keys attached directly to a message Yes -
Rules applying to S/MIME key extraction only
The following table displays which S/MIME key types are extracted.
S/MIME key type Extracted? S/MIME keys within attachments No S/MIME keys within digital signatures Yes Private S/MIME keys No S/MIME keys in the body text or HTML of a message No S/MIME keys attached directly to a message Yes Notes
- When an S/MIME key is considered for extraction, the certificate chain is checked for completion. If the chain is not complete, the key and certificate chain are discarded.
- Extracted root CA keys are disabled by default.