Summary of Recent Code Changes in SecretAgent® for Windows

This page summarizes the product enhancements and bug fixes that have been applied to SecretAgent 5.7 leading to the release of version 5.9.4 on the Windows platform.

Improvements and bug fixes in SecretAgent 5.9.4

  • the key generation wizard now instructs users to backup their keys
  • macros for Microsoft Office now have a 'Decrypt and Open' option
  • added support for mail extensions to perform LDAP queries
  • added support for new security policy settings:
    • enabling/disabling the FIPS 181 password generators
    • activate LDAP queries within mail extensions
    • control over default archive format
  • apostrophes in a users' Windows logon names no longer cause problems
  • problems with execution on Windows NT 4.0 have been fixed
  • failures during CMS decrypt/verify operations no longer result in the SA5API message "Illegal operation peformed"

Improvements and bug fixes in SecretAgent 5.9.3

  • MSVCR71.DLL is now included when installing Entrust support
  • Added new security policy controls for:
    • display of Advanced Encryption dialog
    • choice of single/multiple/self-decrypting output formats
    • automatic closing of the progress dialog
    • 'delete ciphertext files'
    • setting and enforcing Entrust as the default source of private keys
  • Certificates imported during the 'Save As Group' operation are now properly marked as end-user certificates
  • CAPI smartcard-based profiles can now be used to encrypt or verify without the token being present; the token is only required for private key operations
  • Decryption and signing now work properly for PKCS#11 tokens even when the chosen certificate lacks an appropriate key usage extension
  • Improved zapping:
    • now works on folders
    • filenames are more securely wiped by renaming 26 times
  • Corrected CMS OIDs for AES-192/-256 encryption

Enhancements and bug fixes in SecretAgent 5.9.2

  • Improved audit trail generation:
    • events are now logged to the Windows Event Log as well as to the traditional SecretAgent log file
    • the Windows Event Log entries contain user, domain/workgroup, and computer names
    • log entry text has been modified to more clearly indicate the success or failure status of each operation
    • mapped drive letters are converted to UNC network paths in log entries
    • the signer's DN is now logged for all signature verification events and subject DNs are logged for all 'replace recipient' operations
    • CMS verify operations are now properly logged as such (rather than as decrypt operations)
    • the following additional operations are now logged:
      • startup and profile change
      • key generation
      • correct password entry
      • zapping free space
      • master password reset
      • master password recovery
      • private key delete, import, export, and move from CAPI
      • personal certificate store location change
      • CRL update and deletion
  • Added support for "certificates-only PKCS#7 PDUs" retrieved via URLs found in the Authority Information Access certificate extension (which should help in the Federal Bridge environment).
  • Keyboard shortcuts have been added to the user password recovery question/answer dialog and users can no longer cancel out of it.
  • The user is now prompted for an export password when saving their private key during the key generation process.
  • Export passwords must now adhere to the installed security policy's password quality requirements.
  • When an incorrect private key password is entered, SecretAgent will sleep for a specified period before allowing a user to enter their password again; the delay increases exponentially, from several milliseconds up to a maximum of 60 seconds, with each successive incorrect password entry.
  • Password caching now works with the 'replace recipients' function (and certain critical errors that may have occurred during the execution of that operation have been eliminated).
  • Permanent master password caching has been re-enabled.
  • Security policies that disable one, but not all, password caching options no longer gray out all options in the profile preferences' password page.

Enhancements and changes in SecretAgent 5.9.1

  • Improved Entrust support. The 'Entrust' token now supports Entrust certificate validation; the Entrust Personal Address Book, Groups, and Directory are now searchable in the encryption dialog.

    NOTE: Entrust support requires the following Entrust runtime libraries: entapi32.dll, enterr.dll, and etfile32.dll (Entrust Authority PKCS#7 Toolkit for C 6.0 SP4 patch 96312 or higher).

  • Modified the LDAP Group functionality to work better with some Exchange 5.5 servers. The search filter for certificate retrieval was changed to 'cn=*'.
  • Modified the PKCS#11 token to additionally search for the private key matching a particular certificate using the certificate itself, not just its CKA_ID flag.
  • When choosing Zap in the Plaintext Disposition dialog, the Zap prompt and progress window are forced to the front of your desktop.
  • Bug fix: a DAS error message window is no longer used for every standard error that occurs after a DAS error.
  • A Space has been inserted between time and reason data on the CRL Properties dialog.

Enhancements in SecretAgent 5.9.0

  • Added support for server-mediated decryption of documents encrypted for communities of interest; requires network access to a properly configured SecretAgent Document Access Servlet (DAS)
  • Enhanced Entrust support: SecretAgent can now use Entrust profiles for private key operations. To install Entrust support, select "Custom" during the installation process and check the "Entrust" box. You must also have a license for the Entrust File Toolkit and place the following files in your SecretAgent installation folder (please contact Entrust directly to obtain these files):
    • entapi32.dll
      enterr.dll
      etfile32.dll

  • The Advanced Encryption dialog now allows you to remove entries from the list of files to be encrypted: click the paper clip icon and delete the files you no longer want to be included in the archive.
  • Re-addressing encrypted archives: any designated recipient can remove the current recipient list and replace it with a new list -- without having to decrypt the archive!
  • Plaintext disposition dialog: when you close the Decryption Progress dialog, a new dialog will appear asking you what to do with the plaintext files that were just created. You may choose to re-encrypt, zap, or keep them.
  • Recipient selection dialog changes:
    • the 'Add All' button has been relabeled ''Add Group'
    • a list of recipients can be saved as a group for future use
  • When exporting a certificate chain from Certificate Explorer, if more than one path is discovered for the end-user certificate, the first valid path is exported and invalid paths are ignored.
  • Naming convention for output files changed: .sa5 is simply appended to the input filename without placing braces around the original filename extension. Thus 'test.doc.sa5' will be suggested rather than 'test[doc].sa5'. (This change has implications for administrators creating policy and software update files as the filenames must now match the new naming convention.)
  • The Microsoft Office macros have been updated to work with the new file naming convention.
  • Clipboard encryption now uses the Windows TEMP folder (rather than the APPDATA folder) for temporary files.

Bug fixes in SecretAgent 5.9.0

  • If PolicyAgent prohibits private key export, private keys associated with certificate requests can no longer be exported.
  • A work-around for certain configurations of Safenet's iKey token has been made to SecretAgent's Microsoft CAPI token.
  • DSA certificates created with SecretAgent 5.0-5.5 once again work with this release.
  • Importing a PKCS#12 file and associating its private key with a profile no longer causes an error message to appear.

Changes and bug fixes in SecretAgent 5.8.4

  • Valid profile names are now generated during profile creation even when the user fails to select a signing certificate
  • CAPI usage has been improved:
    • certificate chains are now included when e-mailing or exporting certificates
    • fixed support for hardware tokens that cannot handle 256-bit session keys so that ciphers with smaller key sizes can be used
    • added CRL checking to CAPI path validation
    • path validation now works with base64-encoded certificates in Certificate Explorer
  • Certificate Explorer improvements:
    • added ability to import base64-encoded PKCS#8 (.prv) files
    • certificate replacement is no longer allowed during import; old certificates must be explicitly deleted (this guards against users inadvertently overwriting a certificate required to decrypt CMS archives or to mount SpyProof! disks)
    • the target profile list is now restricted to PKCS#11 profiles when importing certificates from a PKCS#11 token
    • receiving an error page in response to an attempt to retrieve a CRL via a URL now results in an error message stating that the URL is invalid
    • gracefully handles a failure to create a personal certificates database during initial startup
  • Users can no longer initiate auto-encrypting during auto-decryption
  • .saa files are now treated the same way as .sa5 files


Changes and bug fixes in SecretAgent 5.8.3

  • Multiple private keys can now be imported from a single PKCS#12 file.
  • Name constraint violations are now detected in a self-issued certificate which is the end-entity (in compliance with NIST PKITS test 4.13.20).
  • Correct user notice qualifiers are now displayed (in compliance with NIST PKITS test 4.10.13 and 4.10.14).
  • Importing, or accessing via a URL, a zero-byte CRL no longer causes an exception.
  • Outlook 2000 no longer crashes during certificate validation when composing and sending, or validating, a SecretAgent message with a non-self-signed certificate.

Changes and bug fixes in SecretAgent 5.8.2

  • A Certificate Explorer database containing certificates with previously unsupported subject RDNs (those that earlier software releases rendered as Unknown=) can be "updated" to correct certificate validation errors due to mismatched DNs. After upgrading from 5.8.1 to 5.8.2, a user must change their master password to trigger the database update process. When upgrading from 5.7.X to 5.8.2, establishment of a master password automatically updates the database.
  • Mutliple files may now be cut or copied using the context menu in SecretAgent's Explorer view.
  • A common name containing a comma no longer gives rise to a truncated profile name terminated with a backslash.
  • The upgrade setup program now says it is updating to 5.8 rather than 5.7.1.
  • The Profile Preferences dialog's Policy tab now displays detailed information for an OCSP server certificate specified in the active security policy and displays a textual description of the start-up view setting.
  • The Profile Manager's Help Online button opens the 5.8, rather than the 5.7, support pages.
  • Path validation with security policies containing CRL URLs and involving CRLs containing authority key identifiers no longer causes a stack overflow.
  • A "COM Server Warning" message no longer appears when using a profile configured to close progress dialogs on success and to close SecretAgent when started from the Explorer context menu.
  • PolicyAgent's start-up view setting no longer causes SecretAgent to enter the toolbar view when the system tray view is selected and vice-versa.

New features and changes in SecretAgent 5.8.1

  • All private key storage modules (except the FORTEZZA one) now provide automated private key history management. Regardless of the encryption certificate associated with the user's active profile, the software will find and use the appropriate private key in the selected module when decrypting.
  • All private keys stored in a user's personal certificate database are now protected with a single master password. Optional challenge/response or administrative password recovery features have been added.
  • In the absence of a security policy, the minimum password length is now 1 instead of 8, and passwords are no longer required to contain characters. A security policy can be used to enforce stricter password requirements.
  • Added an integrated OCSP client supporting a single OCSP responder.
  • SecretAgent's certificate path validation module (PVM) is now a 'Bridge-enabled PVM' in compliance with NIST's Draft Special Publication for X.509 Path Validation Version 0.5. SecretAgent's path building routines and validation routines support CRL distribution points, Authority Information Access, and OCSP when a security policy allowing the use of these features is installed. This means that CA certificates and CRLs can be retrieved, when necessary, via URLs in AIA extensions and via CRL DPs.
  • Optional CAPI path validation is now supported for every private key storage module except FORTEZZA. Use of CAPI for path validation can be configured by a security policy.
  • Reorganized and simplified profile creation wizard.
  • Added support for 'UserSMIMECertificate' attributes in LDAP and Active Directory queries.
  • Added an advanced option to delete ciphertext files after they are decrypted.
  • Added the ability to move files to an alternate directory on the same target drive from within the Progress dialog.
  • Progress dialog output has been reordered to place error messages at the top.
  • An item has been added to the View menu to allow the user to toggle on and off various components of Explorer View.
  • Added an 'E-mail My Certificate' item to the Tools menu to ease certificate exchange between users.
  • Parameterized LDAP queries no longer allow the user to specify "begins with," "ends with," or "contains" clauses. Rather, the complete query must be entered with asterisks in appropriate locations. On the Encryption dialog a pop up box no longer appears when accessing one of these queries. An edit box with instructions becomes active in the upper left corner of the dialog so that users may more easily enter multiple successive queries.
  • Added a 'Create Certificate Group' item to the Certificates menu in Certificate Explorer to make it obvious how to create groups of recipient certificates.
  • Certificate Explorer's import wizard now supports multiple selection so that several certificates can be imported at a time.
Current release:
  • {version}