E2E Encryption Configuration
Configuration for the MindLink End-to-End Encryption (E2EE) system.
Management Center configuration
Encryption capabilities are backed by Security Contexts, so encryption key lifetimes are configured when setting these up. See the PowerShell New-MceSecurityContext cmdlet for details. Message encryption keys are created by chat participants in encrypted MCE groups. To limit exposure in the unlikely event that a key is compromised, the system requires keys to be cycled periodically. A shorter key lifetime therefore represents a safer configuration, but it comes at the cost of higher data churn and time penalties for users. A sensible balance of these concerns is recommended.
- Maximum encryption key lifetime: The maximum lifetime MCE administrators can select when configuring a Security Context for encryption.
- Default encryption key lifetime: If administrators do not specify a key lifetime when configuring a Security Context for encryption, this default value is applied automatically.
- Server Address: The address of the certificate repository LDAP service.
- Port: The port of the certificate repository LDAP service.
- Certificate property name: The certificate property name that identifies the certificate data from the LDAP query response.
- Client certificate: The client certificate for authorizing LDAP queries.
Decryption services can be provided by an array of nodes. The MLA client will round-robin on this list to provide application-level load balancing.
- Service URLs: The list of decryption service endpoints.
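The client-side round-robin described above, as an added example that is not MindLink's or the MLA client's code. It adds one natural extension the page does not mention, namely falling over to the next endpoint when one fails, so that an unreachable decryption node does not stall the caller. The class name, the `call` signature and the sample URLs are assumptions.

```python
"""Round-robin over configured decryption service URLs, with failover.

Added example (not MindLink's code). Assumed names: DecryptionServicePool,
next_url(), call(). The URLs used in demo() are constructed and do not resolve.
"""
import itertools
import threading


class DecryptionServicePool:
    def __init__(self, service_urls):
        if not service_urls:
            raise ValueError("at least one decryption service URL is required")
        self._urls = list(service_urls)
        self._cursor = itertools.cycle(range(len(self._urls)))
        self._lock = threading.Lock()  # one cursor shared by all caller threads

    def next_url(self):
        """Plain round-robin: each call returns the next URL in configured order."""
        with self._lock:
            return self._urls[next(self._cursor)]

    def call(self, request_fn, attempts=None):
        """Invoke request_fn(url) starting at the current round-robin position.

        An exception from request_fn is treated as that endpoint being
        unavailable (an assumption of this example); the next endpoint is
        tried, up to `attempts` endpoints (default: every configured URL).
        Returns (url_that_served, result); raises if every endpoint failed.
        """
        attempts = attempts or len(self._urls)
        last_error = None
        for _ in range(attempts):
            url = self.next_url()
            try:
                return url, request_fn(url)
            except Exception as exc:
                last_error = exc
        raise RuntimeError(f"all {attempts} decryption endpoints failed") from last_error


def demo():
    """Constructed walk-through: three endpoints, the second one unreachable."""
    pool = DecryptionServicePool([
        "https://dec1.example.invalid/decrypt",
        "https://dec2.example.invalid/decrypt",
        "https://dec3.example.invalid/decrypt",
    ])

    def decrypt_via(url):
        if "dec2" in url:
            raise ConnectionError(f"{url} unreachable")  # constructed failure
        return f"plaintext from {url}"

    order = [pool.next_url() for _ in range(3)]  # dec1, dec2, dec3 in turn
    served_first, _ = pool.call(decrypt_via)     # cursor wraps to dec1, which succeeds
    served_second, _ = pool.call(decrypt_via)    # dec2 fails, falls over to dec3
    return order, served_first, served_second


if __name__ == "__main__":
    print(demo())
```

Because the cursor is shared, load spreads evenly across nodes even when several threads decrypt concurrently; the failover loop bounds the work at one pass over the list so a total outage surfaces as a single error rather than an infinite retry.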
Online Certificate Status Protocol (OCSP) services provide certificate revocation statuses in real time. With this feature enabled, the client can determine the validity of certificate repository certificates much faster.
- Enable OCSP: Enables OCSP certificate revocation checks in the client.
- Enable NONCE extension: The NONCE extension is an optional extension to the OCSP protocol that prevents certificate status replay attacks. For more information see: https://www.rfc-editor.org/rfc/rfc8954#section-3.
- URL: The OCSP address.
- Issuer Certificate Thumbprints: The list of CAs that issue certificate repository certificates. OCSP responses are digitally signed to guarantee their authenticity. By convention, MindLink expects the issuer CA to be configured in OCSP as the response signing certificate. The certificates configured in this list are sent to the client so that it can perform verification of OCSP responses.
Note: Issuer CAs must be installed into the Intermediate Certificate Authorities store of the Local Machine.
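The three client-side controls this section configures, the nonce echo, the signature check against the configured issuer thumbprints, and the resulting revocation decision, as an added example that is not MindLink's code. It assumes the `cryptography` package is installed and builds a throwaway CA, a repository certificate and the OCSP responses in-process so it runs offline; the function names and the stand-in responder are assumptions, and a real client would POST the request to the configured OCSP URL instead.

```python
"""Client-side OCSP verification: nonce, issuer-CA signature, revocation status.

Added example (not MindLink's code). Assumes `cryptography` is installed.
The PKI and the responder are constructed here; in the product the response
would come from the configured OCSP URL.
"""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)


def _cert(subject, issuer_name, pub, signing_key, ca=False):
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(issuer_name)
         .public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=90)))
    if ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signing_key, hashes.SHA256())


def make_pki(ca_cn="Example Issuer CA"):
    """Constructed test PKI: an issuer CA plus one certificate repository cert."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_cn)])
    ca_cert = _cert(ca_cn, ca_name, ca_key.public_key(), ca_key, ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf = _cert("certrepo.example.invalid", ca_name, leaf_key.public_key(), ca_key)
    return ca_key, ca_cert, leaf


def thumbprint(cert):
    """Thumbprint as the Windows certificate store shows it: SHA-1 of the DER, upper-case hex."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def build_request(leaf, issuer, nonce):
    """The request the client would send to the OCSP URL, carrying a fresh nonce."""
    return (ocsp.OCSPRequestBuilder()
            .add_certificate(leaf, issuer, hashes.SHA1())
            .add_extension(x509.OCSPNonce(nonce), critical=False)
            .build())


def fake_responder(leaf, signer_key, signer_cert, nonce, status):
    """Stand-in OCSP service. Per the page's convention the issuer CA signs the
    response itself; nonce=None models a responder that ignores the extension."""
    revoked = status is ocsp.OCSPCertStatus.REVOKED
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=leaf, issuer=signer_cert, algorithm=hashes.SHA1(),
                       cert_status=status, this_update=NOW,
                       next_update=NOW + datetime.timedelta(hours=1),
                       revocation_time=NOW - datetime.timedelta(hours=2) if revoked else None,
                       revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert))
    if nonce is not None:
        b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
    return b.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def verify_response(response_der, expected_nonce, issuer_thumbprints, issuer_certs):
    """Checks in order: responder status, nonce echo (replay protection), signature by
    a CA whose thumbprint is configured, then the certificate status. Returns (accepted, reason)."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, f"responder status {resp.response_status.name}"
    try:
        echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return False, "nonce missing: response could be a replay"
    if echoed != expected_nonce:
        return False, "nonce mismatch: response does not answer this request"
    for cand in issuer_certs:
        if thumbprint(cand) not in issuer_thumbprints:
            continue  # only CAs on the configured thumbprint list may sign responses
        try:
            cand.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                     padding.PKCS1v15(), resp.signature_hash_algorithm)
            break
        except InvalidSignature:
            continue
    else:
        return False, "signature not from a configured issuer CA"
    if resp.certificate_status is not ocsp.OCSPCertStatus.GOOD:
        return False, f"certificate status {resp.certificate_status.name}"
    return True, "good"


def demo():
    """Four scenarios against the constructed PKI; returns {scenario: accepted}."""
    ca_key, ca_cert, leaf = make_pki()
    rogue_key, rogue_cert, _ = make_pki("Untrusted CA")  # not on the thumbprint list
    trusted = {thumbprint(ca_cert)}
    nonce = os.urandom(16)
    build_request(leaf, ca_cert, nonce)
    cases = {
        "good": fake_responder(leaf, ca_key, ca_cert, nonce, ocsp.OCSPCertStatus.GOOD),
        "stale_nonce": fake_responder(leaf, ca_key, ca_cert, os.urandom(16), ocsp.OCSPCertStatus.GOOD),
        "rogue_signer": fake_responder(leaf, rogue_key, rogue_cert, nonce, ocsp.OCSPCertStatus.GOOD),
        "revoked": fake_responder(leaf, ca_key, ca_cert, nonce, ocsp.OCSPCertStatus.REVOKED),
    }
    return {name: verify_response(der, nonce, trusted, [ca_cert])[0] for name, der in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the nonce and signature are verified before the status is read, so a replayed or forged "good" answer never reaches the decision. The rogue-signer case is exactly what the Issuer Certificate Thumbprints list defends against, and the stale-nonce case is what the NONCE extension adds over plain OCSP.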
Advanced Configuration Custom Settings
Setting up E2EE first requires MCE to be configured; see the MCE Configuration page.
| Setting | Example value | Description |
|---|---|---|
| debug.connector.mce.multiplesecuritycontexts.enabled | true | [OPTIONAL] Whether to enable multi-CoI group creation. Note: This is off by default. |
| debug.connector.mce.enablebypass | true | [OPTIONAL] Whether to allow users to log in without being enabled in the MCE environment. Note: This is off by default. |
| debug.datalabelling.instantmessaging.disabled | true | [OPTIONAL] Whether to disable data labelling for instant messaging. Note: Data labelling is enabled by default. |
| debug.encryption.publickeyrepository.token.expirationtimeminutes | 30 | [OPTIONAL] The MLA client makes requests for CoI public key certificates via the ML server. It obtains a token to authorize this request. The token can be reused while it is valid to reduce the overhead of subsequent requests. Update this value to change the token expiration time. Note: This value defaults to 15 minutes. |
| debug.encryption.strict.enabled | true | [OPTIONAL] Whether to enable strict encryption policies. When enabled, Security Contexts can only be enabled for encryption if they have the backing PKI capabilities, and users will be required to enable encryption when creating MCE groups if the Security Contexts they've selected support it. Note: This is off by default. |