Brochure [PDF]

Key Recovery

Links on this page:
   Overview
   How It Works
   Controls

Overview

PolicyAgent gives the system administrator control over most user-configurable settings within SecretAgent® and SpyProof!, ensuring that program usage conforms to a specific organizational security policy. Default settings for nearly all user interface elements and all functional aspects of the two programs may be specified and (optionally) locked against modification by the end-user. PolicyAgent also provides control over SecretAgent's optional key recovery capability.

PolicyAgent 5.7 for Windows may be used to generate security policies for use with SecretAgent 5.7 for Windows, Mac OS X, and UNIX (Java GUI only) as well as for SpyProof! 1.1/Windows.†

How It Works

PolicyAgent presents a series of configuration panels that let you specify your security policy settings. (You may also load an existing policy and reconfigure it.) The program then generates a digitally signed security policy file. Once installed on a system, the policy file acts by controlling the behavior of the SecretAgent, Certificate Explorer, and SpyProof! applications running on that system.

On Windows, if a security policy is present in the software distribution source directory during install, SecretAgent's Setup program will automatically install it. (SecretAgent for Windows Setup program may only be run by a user with administrator rights. Security policy settings are always digitally signed by a designated security officer, but on Windows NT4/2000 they are further protected by strict registry access controls.)

SecretAgent 5.7 for Windows can be configured by PolicyAgent to periodically poll a designated corporate server for (digitally signed) software updates and (digitally signed) security policy updates. This mechanism allows an enterprise to "push out" to their end-users software patches as well as updated policies (with, say, new trusted root certificates or new CRL distribution points) whenever the situation calls for it. Individual end-user machines need not be reconfigured individually and the update process is completely user-transparent.

†NOTE: Similar functionality is provided for the SecretAgent 5.7 command line utilities on all supported platforms using an OS-protected configuration file. Contact ISC for further details or sample configuration files.

What You Can Control

• which tokens and precisely which combinations of algorithms can be used for encryption and key generation
• whether users can generate their own self-signed certificates and use the self-signed certificates of others as recipients
• CA-specified key type/size requirements and target e-mail address for PKCS#10 certificate request generation and transmission
• default RDN values, validity periods, and usage extensions for the generation of (self-signed) certificates and PKCS#10 certificate requests
• the list of trusted root certificates and whether CRL checking of all recipient and signer certificates is mandatory
• the output format and algorithm options available to the user in the Encrypt dialog
• whether users can cache the passwords for their private key files (with or without a timeout period)
• the configuration of organizational LDAP queries
• the cryptographic actions to be audited (controls the creation of entries in the event log)
• the URL to be opened when a user selects the "Support on the Web" help menu item
• the local key recovery policy (determines whether key recovery is mandatory and, if so, specifies the certificates of individual and “shared-secret” groups of Key Recovery Agents)

As the following screenshot of the PolicyAgent panel for SecretAgent's Preferences dialog illustrates, default settings may be specified and optionally locked against user modification: