Certificate Validation

When a Microsoft Secure MIME (S/MIME) client sends or opens a secure message, the client performs several certificate validation steps. Crucial steps include certificate revocation checking, timestamp checking, and digital signature validation. Microsoft Outlook 2000 Internet Mail Only mode and Outlook Express 5.0 also perform an Internet Engineering Task Force (IETF) Request for Comments (RFC) 822 name check.

Outlook 2000 and Outlook Express 5.0 support certificate revocation list (CRL) distribution points. CDPs are new Windows 2000 (Win2K) Certificate Server certificate extensions that can provide automated certificate-revocation checking. The International Telecommunications Union Telecommunication Standardization Sector (ITU-T) defines CDPs in a subparagraph of the X.509 standard.

To use CDPs in Outlook Express 5.0, set Revocation Checking to Only when online in the Advanced Security Settings, as Screen A shows. Outlook 2000 can handle CDPs when you create the HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography\{7801ebd0-cf4b-11d0-851f-0060979387ea} registry key, add the PolicyFlags Registry value, and set it to 0x00010000.

A certificate’s lifetime is another crucial parameter that the client must validate. Certificates have limited lifespans. Verification software returns errors for expired certificates, as Screen B shows. Because of advances in computer technology, breaking asymmetric ciphers (e.g., 512-bit keys) has become easier. To cope with this problem, certificate-generation software can use longer signature keys (e.g., 1024 bits); if you want to change your key length every 2 years, which makes attacks more difficult, you’ll need to adapt the certificate lifetime accordingly.

You can use a trusted CA certificate’s public key to check a certificate’s digital signature. A valid outcome of this check confirms the integrity and authenticity of the certificate’s content. A certificate trust list (CTL) is a signed list of trusted CA certificates; the list resides on the client. Certificate trust means that a certificate is part of the CTL or that the CTL contains a trusted certificate from another CA that is part of the certificate’s certificate chain. Win2K domain administrators can use Group Policy Objects (GPOs) to set a CTL’s content. For more information on certificate-chain validation, see the Microsoft white paper "Windows 2000 Public Key Interoperability".

The RFC 822 name is a regular SMTP mail address (e.g., [email protected]). If the validation software discovers that a certificate’s RFC 822 name differs from the sender’s SMTP address, the software returns an error, thereby protecting against impersonation and man-in-the-middle (i.e., a malicious entity that reuses another entity’s identity) attacks.