
When opening an email that was signed with a certificate which is since expired, Outlook 2007 warns that the signature is "invalid or not trusted" (shown in German as "ungültig oder nicht vertrauenswürdig").

This is very misleading:

  • The signature is, in fact, correct
  • The certificate was valid when the message was signed

What was a transparent way of adding trust in the origin of the message for the recipient is now suggesting (at least at first glance) that the message is not trustworthy at all, when the only thing that has actually changed is the date on which the message is read!

Is there a way of changing this behaviour in Outlook without compromising the way signed messages are handled and displayed in general? Or is there a good reason to handle it this way? I am aware that the date the signature was created could be forged, but that could always be the case: the signature is not a way to prove the date of a mail, only the origin!

I found this question about Outlook S/MIME certificate expiration, but sadly it's only slightly related.
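A reproduction of the situation described above, as an added example that is not part of the original post and has nothing to do with Outlook's code: it signs a message with a constructed one-day certificate using OpenSSL's `cms` tool, then verifies the same signed bytes with the clock pinned (via `-attime`) first to the signing time and then to a date after the certificate has expired. It assumes `openssl` and `mktemp` are on the PATH; key, certificate and message are throwaway test data.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the expired-signer
# situation with OpenSSL's CMS tool. A message is signed while the
# certificate is valid and then verified as if read today and as if read
# 30 days later, after the one-day certificate has expired. The key,
# certificate and message are constructed throwaway test data.

WORK="$(mktemp -d)"

# 1. Self-signed signing certificate, valid for one day from now (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=expiring-signer" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# 2. Sign the message now, i.e. inside the validity window. OpenSSL adds a
#    signingTime attribute, but that attribute is asserted by the signer,
#    not proven: this is the forgery caveat raised in the question.
printf 'Signed while the certificate was still valid.\n' > "$WORK/msg.txt"
openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -out "$WORK/msg.p7m" >/dev/null 2>&1

# verify_at EPOCH: verify the signed message with the clock pinned to EPOCH.
# Prints "ok" when OpenSSL accepts the signature and chain, "rejected"
# otherwise (here: certificate has expired at the pinned time). The second
# outcome is the state Outlook reports as "invalid or not trusted".
verify_at() {
    if openssl cms -verify -in "$WORK/msg.p7m" -CAfile "$WORK/cert.pem" \
           -attime "$1" -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

NOW="$(date +%s)"
LATER=$((NOW + 30 * 86400))   # the recipient re-reads the mail a month later

RESULT_AT_SIGNING="$(verify_at "$NOW")"     # ok: cert valid at signing time
RESULT_AT_READING="$(verify_at "$LATER")"   # rejected: same bytes, later clock

echo "verified with signing-time clock: $RESULT_AT_SIGNING"
echo "verified with reading-time clock: $RESULT_AT_READING"
```

Only the verification clock differs between the two runs; the message, signature and certificate are byte-for-byte the same.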

1 Answer


Summary

To the best of my knowledge, there is no way to solve this, at least without severely breaking signature checking. Other mail clients behave similarly to Outlook, although I think that there is no good reason for this behavior.

Details

I have looked over the GPO settings, but I found none that would fix this problem and leave everything else intact. There is a setting "Promote Level 2 errors as errors, not warnings" though; its description says that enabling the setting degrades some problems down to warnings that would otherwise be errors (in my opinion this description is the opposite of what the name suggests). The expiration issue is not in the example list of problems, but it might still work, as the problems there are much worse (like not finding the signing certificate at all). I didn't try this because of the vast extent of this setting, but it might be an option if you are really desperate ;-).

Outlook 2010 and 2013 also show this behavior, it seems to violate the RFCs, but Microsoft currently does not work on the issue: https://social.technet.microsoft.com/Forums/office/en-US/ec808b17-ee00-4717-9fc1-f877085dc34c/outlook-2010-signed-messages-are-falsely-marked-as-having-an-invalid-signature?forum=outlook

I can confirm that this is still reproducible in Outlook 2016.

In my tests, Thunderbird behaves identically to Outlook and even falsely says that the cause for the problem was "The certificate used to sign the message was issued by a certificate authority that you do not trust for issuing this kind of certificate." Thus, this seems to be a general problem.

See also this similar question on Information Security: https://security.stackexchange.com/questions/52254/reading-older-mails-signed-with-a-certificate-that-has-meanwhile-expired

Workaround

Get a new signing certificate long before your old one expires, like 6 months, and start using only the new certificate. This has the following benefit: when the old certificate expires, mails with seemingly invalid signatures are at least 6 months old. Your recipients hopefully only seldom re-read mails that are 6 months old and older and therefore are less likely to run into the problem.

  • Thanks for your feedback. I improved the answer's structure and hopefully it is now easier to get the message. – Froggy, commented Feb 26, 2018 at 8:44
