Intermediate Certiciate store automatically updates when working with smime RRS feed

  • General discussion

  • We noticed that the intermediate certificate store on Windows 7 clients will automatically add CA certificates in certain circumstances and would like to better understand this behavior. To explain the scenario:

    1. We deploy a VeriSign Root CA certificate to all clients via GPO

    2. A user is issued an s/mime cert from a brand new VeriSign Intermediate CA

    3. The user publishes their s/mime certificate to the GAL but clients don't trust it. For some reason the trust chain (when working with s/mime) requires the new Intermediate CA to be explicitly added to the Intermediate CA store. We've seen this before and deploy the needed Intermediate CA certificates via GPO.

    Here is the quirk which I need help to better understanding. Prior to publishing the new VeriSign Intermediate CA certificate via GPO, if the user with the new s/mime cert sends a signed message to a coworker and they reply to the message, the new Intermidate CA certificate will automatically install into the coworkers Intermediate certificate store.

    This behavior is unexpected and causes confusion because some folks can send encrypted email to the user, while other can't until either: 1. we deploy the new intermediate ca, or 2. the user sends them all a signed message.

    I'd like to understand why/how this automatically happens, whether there are any additional security implications, and if it’s possible to disable this behavior. Does this ONLY happened for intermediate CAs that come from an already Trusted Root CA? If not, then this seems like a potential security risk if simply exchanging an s/mime signed email can result in quietly updating someones certificate store.

    Any help is appreciated. I'm not sure if this is Outlook 2010 or CAPI, so I figured I'd hit up the security forum as you folks have helped a lot in the past regarding PKI questions.

    • Changed type Bruce-Liu Tuesday, March 20, 2012 7:27 AM
    Thursday, March 1, 2012 3:24 PM

All replies

  • Does this problem only occur with s/mime? If so, you may ask in exchange servr forum.

    Tuesday, March 6, 2012 4:26 PM