Best practice: Configuring BlackBerry Enterprise Solution options for S/MIME encryption

Re-encrypt weakly encrypted or signed-only S/MIME messages with strong S/MIME encryption.

You can configure the BlackBerry® Enterprise Server to apply a second layer of S/MIME encryption when it processes S/MIME messages that are only weakly encrypted, or that are signed but not encrypted. This option is designed to make sure that every S/MIME message is strongly encrypted by the time a recipient receives it on a BlackBerry device.

To apply this best practice, you can use the Turn on S/MIME encryption on signed and weakly encrypted messages option in the BlackBerry Administration Service.

Permit a recipient whose email application does not support S/MIME to read S/MIME-signed messages.

You can configure the BlackBerry Enterprise Server to process S/MIME-signed messages that a BlackBerry device sends so that a recipient whose email application does not support S/MIME can read the text of the message. In clear-signed format the message text travels as an ordinary readable part with the signature carried separately, so the recipient can read the text of the message but cannot verify the digital signature.

To apply this best practice, you can use the Send S/MIME Messages in Clear-Signed Format option in the BlackBerry Administration Service.

Conserve bandwidth over the wireless network.

To conserve bandwidth, you can configure the BlackBerry Enterprise Server to delete attachments from any S/MIME-signed message that it receives. This trades signature verification for bandwidth: because the signature covers the original signed content, the BlackBerry device cannot verify the S/MIME digital signature of a message after the BlackBerry Enterprise Server deletes the attachments from it.

To apply this best practice, you can use the Remove Attachment Data from Signed S/MIME Messages option in the BlackBerry Administration Service.

Send S/MIME-encrypted messages using PKCS #7.

By default, the BlackBerry Enterprise Server sends S/MIME-encrypted messages using the legacy x-pkcs7-mime content type. You can configure the BlackBerry Enterprise Server to send S/MIME-encrypted messages using the registered pkcs7-mime content type that the S/MIME specifications define for PKCS #7 content instead. Before you change this option, confirm that the messaging servers and email applications of your recipients support the content type you select: if a sender sends an S/MIME-encrypted message to a messaging server that does not support the content type used, the messaging server does not render the S/MIME-encrypted message correctly.

To apply this best practice, you can use the Use PKCS #7 MIME Type option in the BlackBerry Administration Service.
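The following Python example, added here and not part of the original BlackBerry documentation, shows the MIME structures behind the two options above: a clear-signed message (multipart/signed with a detached signature) stays readable in a client that has no S/MIME support, whereas an opaque application/pkcs7-mime message, in either the registered or the legacy x-pkcs7-mime content type, is a single CMS blob that such a client cannot render. The signature and ciphertext bytes are constructed placeholders, not real CMS structures; everything else uses the standard library only.

```python
import email.policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed placeholders for this example only. A real message carries
# DER-encoded CMS SignedData / EnvelopedData here, produced by an S/MIME
# implementation; the MIME layout shown below is unchanged by that.
FAKE_DETACHED_SIGNATURE = b"<constructed pkcs7-signature blob>"
FAKE_ENVELOPED_DATA = b"<constructed pkcs7-mime enveloped-data blob>"

# Registered S/MIME content type (RFC 2633 / RFC 3851) and the legacy "x-" form.
OPAQUE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def build_clear_signed(text, signature=FAKE_DETACHED_SIGNATURE):
    """Clear-signed form: multipart/signed with the readable text as the first
    part and a detached signature as the second. A client without S/MIME
    support still renders the text; it just cannot check the signature."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer.attach(MIMEText(text))
    outer.attach(MIMEApplication(signature, "pkcs7-signature", name="smime.p7s"))
    return outer.as_bytes()


def build_opaque(cms_blob, smime_type, legacy=False):
    """Opaque form: one application/pkcs7-mime part (or the legacy
    application/x-pkcs7-mime type) whose body is the entire CMS structure.
    This is what an encrypted message looks like on the wire."""
    subtype = "x-pkcs7-mime" if legacy else "pkcs7-mime"
    # add_header() turns the underscore into a dash, giving smime-type="..."
    part = MIMEApplication(cms_blob, subtype, smime_type=smime_type,
                           name="smime.p7m")
    return part.as_bytes()


def describe(raw):
    """Return (content type, smime-type parameter) of the top-level part."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    return msg.get_content_type(), msg.get_param("smime-type")


def text_readable_without_smime(raw):
    """What a client with no S/MIME support can show the user: the text of a
    clear-signed message, or None when the whole message is an opaque blob."""
    msg = BytesParser(policy=email.policy.default).parsebytes(raw)
    ct = msg.get_content_type()
    if ct == "multipart/signed":
        first = msg.get_payload(0)  # the signed content precedes the signature
        if first.get_content_type() == "text/plain":
            return first.get_content()
        return None
    if ct in OPAQUE_TYPES:
        return None  # base64 CMS structure; nothing a plain client can render
    if ct == "text/plain":
        return msg.get_content()
    return None


if __name__ == "__main__":
    signed = build_clear_signed("Budget figures attached; do not forward.\n")
    print(describe(signed), repr(text_readable_without_smime(signed)))
    for legacy in (False, True):
        enc = build_opaque(FAKE_ENVELOPED_DATA, "enveloped-data", legacy=legacy)
        print(describe(enc), text_readable_without_smime(enc))
```

Run it and compare the two opaque variants: only the content type differs, which is exactly what a receiving server or client must be able to recognise before you switch the Use PKCS #7 MIME Type option.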

Prevent a sender from sending an S/MIME-encrypted message using a certificate that does not meet your organization's security policies.

Consider preventing a sender from sending an S/MIME-encrypted message using a certificate if any of the following situations exist:

  • the BlackBerry device cannot verify the certificate
  • the public key in the certificate is weak
  • the BlackBerry device does not trust the certificate
  • the certificate is expired on the BlackBerry device
  • the certificate is revoked on the BlackBerry device
  • the certificate status on the BlackBerry device is expired (stale)

To apply this best practice, you can use, in that order, the Disable Unverified Certificate Use IT policy rule, Disable Weak Certificate Use IT policy rule, Disable Untrusted Certificate Use IT policy rule, Disable Invalid Certificate Use IT policy rule, Disable Revoked Certificate Use IT policy rule, and Disable Stale Status Use IT policy rule.

Require a BlackBerry device to display a warning message when a certificate that is used to sign an email message does not meet your organization's security policies.

Consider the following guidelines:

  • Require that a BlackBerry device display a warning message when a recipient receives an S/MIME-signed message on the BlackBerry device and the email address of the sender does not appear in the signing certificate.
  • Require that a BlackBerry device display warning messages and indicators if a user chooses to send or receive an email message that is signed using a certificate whose certificate status on the device is stale (expired).

By default, the BlackBerry device applies this best practice. The default value for the Disable Certificate Email Address Checks IT policy rule and Disable Stale Certificate Status Checks IT policy rule is No.

Specify how long a certificate status remains valid on a BlackBerry device.

Consider configuring the certificate status to expire after a specified time. A BlackBerry device user can update the certificate status in the BlackBerry device key store or in the certificate synchronization tool of the BlackBerry® Desktop Manager, and when the BlackBerry device uses the certificate, it tries to refresh the certificate status automatically. A shorter expiry time means that a revocation is noticed sooner, at the cost of more frequent status checks; a longer expiry time reduces status traffic but lets a revoked certificate remain usable for longer.

To apply this best practice, you can use the Certificate Status Maximum Expiry Time IT policy rule.

Prevent a recipient from accepting certificate revocation lists that cannot be verified.

Consider preventing a recipient from accepting certificate revocation lists whose signature the BlackBerry device cannot verify when the device checks the status of a certificate using the BlackBerry MDS Connection Service. An unverified CRL could otherwise be substituted with one that omits a revoked certificate.

To apply this best practice, you can use the Disable Unverified CRLs IT policy rule.

Specify a list of trusted certificate thumbprints to prevent a user from adding certificates with thumbprints that are not included in the list to the BlackBerry device key store.

Consider configuring a semicolon-separated list of Hex-ASCII certificate thumbprints, generated using either SHA-1 or MD5. Prefer SHA-1 thumbprints: MD5 is no longer considered collision resistant. Because a thumbprint is a hash over the certificate's DER encoding, the list pins specific certificates, so it must be updated whenever a pinned certificate is renewed.

To apply this best practice, you can use the Trusted Certificate Thumbprints IT policy rule.
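As an added example that is not part of the original BlackBerry documentation, the following Python code computes certificate thumbprints the way the rule above expects them (a SHA-1 or MD5 hash over the DER-encoded certificate, rendered as uppercase Hex-ASCII), builds the semicolon-separated rule value, and checks whether a given certificate would be accepted under it. The sample "certificate" bytes are constructed and are not a real X.509 certificate; the arithmetic is identical for a certificate exported from the key store. The function names are this example's own.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real X.509 certificate. A thumbprint is simply a
# hash over the DER bytes, so any byte string exercises the same code path.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

THUMBPRINT_ALGOS = {"sha1": 40, "md5": 32}  # hex digits per algorithm


def pem_to_der(pem):
    """Strip PEM armor and base64-decode to the DER bytes that get hashed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(der, algo="sha1"):
    """Uppercase Hex-ASCII thumbprint; the rule accepts SHA-1 or MD5 only."""
    if algo not in THUMBPRINT_ALGOS:
        raise ValueError("Trusted Certificate Thumbprints accepts SHA-1 or MD5")
    return hashlib.new(algo, der).hexdigest().upper()


def normalize(tp):
    """Accept 'AB:CD:..' or 'ab cd ..' as printed by various tools and return
    the bare uppercase hex form used in the rule value."""
    tp = re.sub(r"[^0-9A-Fa-f]", "", tp).upper()
    if len(tp) not in THUMBPRINT_ALGOS.values():
        raise ValueError(f"{tp!r} is neither a SHA-1 (40 hex) nor MD5 (32 hex) thumbprint")
    return tp


def build_rule_value(ders, algo="sha1"):
    """Semicolon-separated value for the Trusted Certificate Thumbprints rule."""
    return ";".join(thumbprint(d, algo) for d in ders)


def parse_rule_value(value):
    """Set of normalized thumbprints from a configured rule value."""
    return {normalize(tp) for tp in value.split(";") if tp.strip()}


def is_trusted(der, rule_value):
    """Would the device accept this certificate into its key store under the
    rule? A match on any listed thumbprint, SHA-1 or MD5, is sufficient."""
    allowed = parse_rule_value(rule_value)
    return thumbprint(der, "sha1") in allowed or thumbprint(der, "md5") in allowed


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    rule = build_rule_value([der])
    print("rule value:", rule)
    print("sample trusted:", is_trusted(der, rule))
    print("other trusted:", is_trusted(b"some other certificate", rule))
```

Compare the output of `thumbprint()` with the thumbprint shown by your certificate tooling before pasting it into the rule; a mismatch usually means the tool hashed a different encoding (for example, the PEM text rather than the DER bytes).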

For more information about applying these best practices, see the BlackBerry Enterprise Server Administration Guide and BlackBerry Enterprise Server Policy Reference Guide.
