gecko-dev/security/psm/doc/release_notes.html


<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.73 [en] (WinNT; U) [Netscape]">
<meta name="Author" content="Sean Cotter">
<title>Personal Security Manager Release Notes</title>
</head>
<body>
<center>
<h1>
<img SRC="bannerrn.gif" height=32 width=468 align=ABSCENTER></h1></center>
<center>
<h2>
Netscape Personal Security Manager</h2></center>
<center>
<h2>
Release 1.2</h2></center>
<center>
<h2>
8/3/2000</h2></center>
<center>
<hr WIDTH="100%"></center>
These release notes contain the most recent information about this release
of Netscape Personal Security Manager. Please read these notes before using
the software.
<p>These notes include information for IS professionals who are thoroughly
familiar with security and public-key infrastructure (PKI) issues.
<p>Use of this product is subject to the terms detailed in the license
agreement accompanying it (see <a href="license.txt">license.txt</a>).
<p>
<hr WIDTH="100%">
<h2>
Contents</h2>
<a href="#Documentation">Documentation</a>
<br><a href="#Changes Since PSM 1.1">Changes Since Personal Security Manager
1.1</a>
<br><a href="#Software/Hardware Requirements">Software/Hardware Requirements</a>
<br><a href="#unpacking">Installing Personal Security Manager</a>
<br><a href="#Using the Test Bed">Using Personal Security Manager</a>
<br><a href="#Known Bugs/Issues for 12 Release">Known Bugs/Issues for Personal
Security Manager 1.2</a>
<br><a href="#Feedback">Feedback</a>
<p>
<hr WIDTH="100%">
<h2>
<a NAME="Documentation"></a>Documentation</h2>
The following documentation is available with Personal Security Manager:
<ul>
<li>
<a href="contents.htm">Personal Security Manager Help</a> -- This online
help system can also be accessed by clicking the Help button in any Personal
Security Manager window.</li>
<li>
<a href="cmcjavascriptapi.html">JavaScript API for Client Certificate Management</a>
-- This reference describes a new JavaScript API for performing user certificate
management operations with Personal Security Manager, including one-click
issuance, forced certificate backup by end users, issuance of dual encryption
and signing email certificates, and automatic archival of encryption private
keys.</li>
</ul>
For the latest release notes, deployment guide, and other information,
see <a href="http://docs.iPlanet.com/docs/manuals/psm.html">http://docs.iPlanet.com/docs/manuals/psm.html</a>.
<p>
<hr WIDTH="100%">
<h2>
<a NAME="Changes Since PSM 1.1"></a>Changes Since Personal Security Manager
1.1</h2>
The status of the following important features or bugs has changed since
the 1.1 release:
<ul>
<li>
This release makes it possible to view more details about each certificate,
including other certificates in the certificate chain. To use this feature,
click the Certificates tab in the Personal Security Manager window, select
the certificate you want to view, then click View. To see the next certificate
in the certificate chain, click the name labeled "Issued Under" in the
View Security Certificate window. To view the complete contents of the
certificate, click View More Info in the upper-right corner of the View
Security Certificate window.</li>
<li>
This release includes support for the Netscape 6 Password Manager. For
information about this feature, see <a href="http://home.netscape.com/eng/mozilla/ns6/relnotes/pv6-2.html">http://home.netscape.com/eng/mozilla/ns6/relnotes/pv6-2.html</a>.</li>
<li>
This release works with Netscape 6 or Communicator 4.7x (but not both at
the same time) on Windows 95/98/NT without requiring any changes to the
directory <tt>C:\Program Files\Common Files\Netscape Shared\Security\</tt>.
Earlier releases required an existing Security directory (created for the
Communicator 4.7x version of Personal Security Manager) to be renamed before
installing Netscape 6 (or PSM for Mozilla), and vice versa.</li>
</ul>
<hr WIDTH="100%">
<h2>
<a NAME="Software/Hardware Requirements"></a>Software/Hardware
Requirements</h2>
<b>Operating systems supported:</b> Windows NT, Windows 95, Windows 98;
Solaris 2.6, 2.7; and Linux 2.1 and 2.2.
<p><b>Other software requirements:</b>
<ul>
<li>
You must use Communicator 4.7 or later. Get the latest version
of Communicator from <a href="http://home.netscape.com">http://home.netscape.com</a>
before proceeding.</li>
<li>
If you are running Communicator 4.7, Personal Security Manager requires
that Communicator have JavaScript turned on. If you are running a later version
of Communicator, Personal Security Manager works regardless of whether
JavaScript is turned on.</li>
</ul>
<hr WIDTH="100%">
<h2>
<a NAME="unpacking"></a>Installing Personal Security Manager</h2>
<h3>
Installing on Windows 95/98/NT</h3>
To install Personal Security Manager on Windows 95/98/NT, save the file
in a convenient location with the specified filename, then drag the file's
icon into a Navigator window (that is, a browser window displayed by Communicator
4.7 or later). Dropping the file's icon over the browser window initiates
SmartUpdate, which automatically installs Personal Security Manager. After
installation is complete, exit Communicator and relaunch it. If your copy
of Communicator is installed in the default location, SmartUpdate installs
the Personal Security Manager files in the directory
<tt>C:\Program Files\Common
Files\Netscape Shared\Security\</tt> and adds the file <tt>cmnav.dll</tt>
in the directory <tt>C:\Program Files\Netscape\Communicator\Program</tt>.
<p><b>Windows NT users:</b> On Windows NT, you must have administrator
privileges to install Personal Security Manager using SmartUpdate.
<p><b>Mozilla and Netscape 6 users:</b> Personal Security Manager 1.2 works
on Windows with Mozilla, Netscape 6, and Communicator--but not when any
of these browsers are running at the same time. For example, you must exit
Netscape 6 before launching Communicator with Personal Security Manager
1.2 enabled.
<h3>
Installing on Unix</h3>
Before you install Personal Security Manager on Unix, you must be logged
in as the same Unix user you will be logged in as when you run Communicator.
For the Unix installation to succeed, you must have write privileges for
both the directory where the Netscape executable resides and the directory
where the installation script creates the directory containing the Personal
Security Manager files.
<p>To install Personal Security Manager on Unix, download the tar file
for the version of the product that you want to install and follow these
steps:
<ol>
<li>
Exit Communicator, if it is running.</li>
<li>
Decompress the downloaded file to some convenient location.</li>
<li>
Run the <tt>psm-install</tt> program.</li>
</ol>
The <tt>psm-install</tt> program allows you to specify the directory in
which Personal Security Manager will be installed. In this release, you
must install Personal Security Manager locally. To do so, you can either
install it in the default location (<tt>/opt/netscape/security</tt>) or
in some other local location. However, if you install Personal Security
Manager anywhere other than the default location, Communicator must also
be installed locally.
<p>To run Personal Security Manager on Unix, you must be logged in as the
same Unix user you were logged in as when you installed it.
<h3>
Disabling Personal Security Manager</h3>
To <b>disable</b> Personal Security Manager temporarily, simply rename
the file <tt>cmnav.dll</tt> (in the Netscape program directory on Windows
95/98/NT, or the directory in which your Netscape executable resides on
Unix) to some other name, such as <tt>cmnav.txt</tt>. On Unix, you can
also rename the file <tt>cmnav.so</tt> to some other name to disable Personal
Security Manager.
<p>
<hr WIDTH="100%">
<h2>
<a NAME="Using the Test Bed"></a>Using Personal Security Manager</h2>
The sections that follow describe how to test some of the features of Personal
Security Manager that are available with this release:
<ul>
<li>
<a href="#Start Up Personal Security Manager with">Start Up Personal Security
Manager with Communicator</a></li>
<li>
<a href="#Use SSL with Server Authentication">Test Basic SSL</a></li>
<li>
<a href="#Get a Certificate">Get an SSL Client Certificate</a></li>
<li>
<a href="#View Your Personal Certificate">View Your Certificate</a></li>
<li>
<a href="#Using Your Personal Certificate for Client">Test Client Authentication</a></li>
<li>
<a href="#Request and Use Separate Signing and Encryption">Request and
Use Separate Signing and Encryption Certificates ("Dual Key-Pair Certificates")</a></li>
<li>
<a href="#Validate Certificates Using OSCP">Validate Certificates Using
OCSP</a></li>
<li>
<a href="#Fetch Certificates Automatically from a Directory">Fetch Certificates
Automatically from a Directory</a></li>
</ul>
The sections that follow briefly describe how to test some of the features
listed above.
<p>For information on the JavaScript API supported by Personal Security
Manager, see <a href="cmcjavascriptapi.html">JavaScript API for Client
Certificate Management</a> and the Personal Security Manager Deployment
Guide. For the latest versions of these documents, see <a href="http://docs.iPlanet.com/docs/manuals/psm.html">http://docs.iPlanet.com/docs/manuals/psm.html</a>.
<h3>
<a NAME="Start Up Personal Security Manager with"></a>Start Up Personal
Security Manager with Communicator</h3>
Follow these steps to start Personal Security Manager with Communicator.
<ol>
<li>
Launch Communicator. Personal Security Manager will silently load in the
background.</li>
<li>
Go to the page <a href="psmtest.html">psmtest.html</a> (in the same directory
as these release notes), then choose Page Source from the View menu to
see the JavaScript code that a web programmer can use to detect Personal
Security Manager and its version number.</li>
</ol>
Note that the version number has two parts. The first is the version of
the PSM client library, and the second is the version of the PSM server
library.
<h3>
<a NAME="Use SSL with Server Authentication"></a>Test Basic SSL</h3>
Go to any online store, banking service, brokerage account, or other web
site that supports SSL. Verify that the lock in the lower-left corner of
the browser window is closed when you reach the pages for which SSL should
be enabled, for example a page where you are asked to give your credit
card number.
<h3>
<a NAME="Get a Certificate"></a>Get an SSL Client Certificate</h3>
Go to any public or private CA and apply for an SSL client certificate.
<p>To test one-click certificate issuance, dual key-pair certificates,
and other Personal Security Manager features, system administrators should
download, install, and configure Netscape Certificate Management System.
For complete CMS documentation and other information, see <a href="http://docs.iPlanet.com/docs/manuals/cms.html">http://docs.iPlanet.com/docs/manuals/cms.html</a>.
To download the latest version of CMS, see <a href="http://www.iplanet.com/downloads/download/">http://www.iplanet.com/downloads/download/</a>.
<h3>
<a NAME="View Your Personal Certificate"></a>View Your Certificate</h3>
After you have obtained a certificate, follow these steps to view it:
<ol>
<li>
Click the Security icon in the Navigator toolbar.</li>
<li>
Click the Certificates tab.</li>
<li>
Click to select your certificate.</li>
<li>
Click View.</li>
</ol>
You should see information about your new certificate.
<h3>
<a NAME="Using Your Personal Certificate for Client"></a>Test
Client Authentication</h3>
Personal Security Manager allows the SSL server and client to negotiate
which certificate to use, and in most cases they can agree on a single
correct certificate for the client to present. When this happens, the user
can access an SSL site that requires client authentication with zero additional
clicks.
<p>To test client authentication with Netscape Enterprise Server, system
administrators should follow these steps:
<ol>
<li>
Install an Enterprise Server and configure it for client authentication
as described in <a href="http://docs.iplanet.com/docs/manuals/cms/41/dep_gide/entsrv.htm">Appendix
D, Using SSL with Enterprise Server 3.x</a>, of <i>Netscape Certificate
Management System Installation and Deployment Guide</i>.</li>
<li>
Test the Enterprise Server installation as described at the end of Appendix
D using Personal Security Manager.</li>
</ol>
<h3>
<a NAME="Request and Use Separate Signing and Encryption"></a>Request and
Use Separate Signing and Encryption Certificates ("Dual Key-Pair Certificates")</h3>
Separate signing and encryption certificates, sometimes called "dual key-pair
certificates," are specialized certificates used only with S/MIME. The
term "dual key pair" refers to the fact that two public-private key pairs--four
keys altogether--correspond to two separate certificates. The private key
of one pair is used for email signing operations, and the public and private
keys of the other pair are used for email encryption and decryption operations.
Each pair corresponds to a separate certificate.
<p>In the past, Communicator has supported the signing and encryption functions
for S/MIME with a single, combined signing and encryption certificate.
<p>This version of Personal Security Manager allows you to request dual
key-pair certificates from a single, specially configured enrollment page
provided by Netscape Certificate Management System. The resulting certificates
are combined under a single nickname in the Certificates/Mine panel displayed
by Personal Security Manager. (To see this panel after Personal Security
Manager is installed, click the Security button in the Communicator toolbar,
then click the Certificates tab.) When you select a nickname that represents
a pair of related signing and encryption certificates, then click View
or other buttons that act on the selection, a dialog box allows you to
select which certificate you want to act on.
<p>For instructions on configuring Certificate Management System to issue
dual key-pair certificates and to archive the private encryption key, see
<a href="http://home.netscape.com/eng/server/cms/41/adm_gide/kycrt_ee.htm#1067601">Chapter
25, Recovering Encrypted Data</a>, in <i>Netscape Certificate Management
System Administrator's Guide.</i>
<p>Once you have obtained your dual key-pair certificates, you can use
them with Personal Security Manager to sign and encrypt email. You can
also back them up and import them using buttons in the Certificates/Mine
panel, and set the certificate you want to use for signing in the Applications/Messenger
panel.
<h3>
<a NAME="Validate Certificates Using OSCP"></a>Validate Certificates Using
OCSP</h3>
Personal Security Manager supports the use of the Online Certificate Status
Protocol (OCSP) to check the validity of certificates in real time. Information
about this protocol and how to configure Personal Security Manager 1.2 and
a forthcoming version of Certificate Management System to support it will
be available from <a href="http://docs.iPlanet.com/docs/manuals/psm.html">http://docs.iPlanet.com/docs/manuals/psm.html</a>.
<p>It's important to note that Personal Security Manager will accept signatures
from responders only under the following conditions:
<ul>
<li>
The response was signed by a delegated responder--that is, the responder's
certificate was signed by the same CA as the certificate you're trying
to verify and has the <tt>extendedKeyUsage</tt> extension set to indicate that
the certificate is an OCSP response signer. The certificate should be the
same as a CA certificate with the addition of the <tt>extendedKeyUsage</tt>
extension.</li>
<li>
The user has designated a default responder in the OCSP Settings dialog
box (available from the Advanced tab under Options).</li>
</ul>
Common problems include the following:
<ul>
<li>
Time drift between the client and server machines. Personal Security Manager
expects the time of the response to be within the past 24 hours. If the clock
on the machine that signed the response differs from the clock on the client
so that the response looks to Personal Security Manager as if it was signed in
the future, Personal Security Manager interprets this as an error. Run
ntp on both machines to fix this problem.</li>
<li>
The response doesn't include the certificates required to complete the
chain needed to verify the signer's certificate. The client frequently
doesn't have all the certificates in the database that are needed to verify
the signer's certificate, in which case Personal Security Manager can't
verify the signer's certificate and OCSP fails. Make sure the entire chain
is included with every response. This is the safest way to avoid this problem.</li>
<li>
If you are using ValiCert, misconfiguration may cause the Validation Authority
not to send the certificate chain (including the CA root certificate and
the OCSP responder's certificate) correctly.</li>
</ul>
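<p>The delegated-responder conditions above and the clock-drift problem in the list of common problems can be checked mechanically. The following Go program is an added example, not code from Personal Security Manager, NSS or Certificate Management System: it uses only the Go standard library to construct a CA, a delegated responder, a responder without the OCSP-signing extended key usage, and a user certificate, then applies the rules (responder certificate signed by the subject's CA, <tt>id-kp-OCSPSigning</tt> present, response signed within the past 24 hours and not in the future). The missing-chain problem is not modelled, and the names <tt>CheckDelegatedResponder</tt>, <tt>issue</tt> and <tt>BuildFixture</tt> are chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckDelegatedResponder applies the notes' acceptance rules to a response for `subject` (issued by `issuer`), signed by `signer` at `producedAt`, checked at `now`.
func CheckDelegatedResponder(signer, subject, issuer *x509.Certificate, producedAt, now time.Time) error {
	if subject.CheckSignatureFrom(issuer) != nil {
		return errors.New("subject certificate was not issued by the supplied CA")
	}
	// Rule 1: the responder certificate is signed by the same CA as the subject certificate.
	if signer == nil || signer.CheckSignatureFrom(issuer) != nil {
		return errors.New("responder certificate missing or not signed by the subject's CA")
	}
	// Rule 2: the responder certificate carries id-kp-OCSPSigning in extendedKeyUsage.
	hasEKU := false
	for _, ku := range signer.ExtKeyUsage {
		hasEKU = hasEKU || ku == x509.ExtKeyUsageOCSPSigning
	}
	if !hasEKU {
		return errors.New("responder certificate lacks id-kp-OCSPSigning")
	}
	// Clock check: signed within the past 24 hours and never in the future (clock drift shows up here).
	if age := now.Sub(producedAt); age < 0 || age > 24*time.Hour {
		return errors.New("response signed in the future or older than 24 hours: check clock drift")
	}
	return nil
}

// issue generates a P-256 key for tmpl and signs it with parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // fixture: errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildFixture constructs a CA, a delegated responder, a responder without the OCSP EKU, and a user
// certificate, all issued by that CA. Constructed test data only, not certificates from any real deployment.
func BuildFixture() (ca, responder, noEKU, user *x509.Certificate) {
	tmpl := func(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour), ExtKeyUsage: eku}
	}
	caTmpl := tmpl(1, "Example CA", nil)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := issue(caTmpl, nil, nil)
	responder, _ = issue(tmpl(2, "Example OCSP Responder", []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}), ca, caKey)
	noEKU, _ = issue(tmpl(3, "Responder without OCSP EKU", nil), ca, caKey)
	user, _ = issue(tmpl(4, "user@example.test", nil), ca, caKey)
	return ca, responder, noEKU, user
}
```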
<h3>
<a NAME="Fetch Certificates Automatically from a Directory"></a>Fetch Certificates
Automatically from a Directory</h3>
Personal Security Manager can search a specified directory for the certificate
associated with an email address. This search is performed automatically
when you send a message (but note that it doesn't work over SSL in this
release; see <a href="#Known Bugs/Issues for 12 Release">Known Bugs/Issues
for 1.2 Release</a>).
<p>To activate this feature, you must specify a directory server to search.
To do so, choose Preferences from the File menu in Communicator, then click
Addressing under Mail &amp; Newsgroups. In the right panel, click Directory
Server under Pinpoint Addressing, select the directory you want to use
from the drop-down menu, and click OK. Personal Security Manager uses this
directory for automatic certificate lookups when you send an encrypted
email message.
<p>If the directory you want doesn't show up in the drop-down menu under
Pinpoint Addressing, you can add it to your list of directories using the
Communicator Address Book. To do so, choose Address Book from the Communicator
menu, then choose New Directory from the File menu. You must then add information
about the directory you want to add. Once the directory has been added
to the Address book, you can specify it in your preferences as described
above.
<p>
<hr WIDTH="100%">
<h2>
<a NAME="Known Bugs/Issues for 12 Release"></a>Known Bugs/Issues for Personal
Security Manager 1.2</h2>
<ul>
<li>
FORTEZZA is not guaranteed to work with this release. [# 94220]</li>
<li>
LDAP over SSL does not work for address book lookups, pinpoint addressing,
or automatic certificate fetching. That is, if you choose Address Book
from the Communicator menu, select a directory in the left frame, and click
the Properties button, the checkbox labeled Secure must not be selected.
If Secure is selected, address book lookups for that directory will not
work. Similarly, if the same Secure checkbox is selected for a directory
that is also specified for pinpoint addressing, pinpoint addressing and
automatic certificate lookups won't work. To view pinpoint addressing settings,
choose Preferences from the Edit menu in Communicator and select Addressing
under Mail &amp; Newsgroups. [# 364811]</li>
<li>
Secure proxy does not work with this release when it is running with Communicator
4.72 or earlier versions. [# 362464] (Secure proxy does work with this
release when it is running with Communicator 4.73 and later versions.)
HTTP proxy works with Communicator 4.72 or earlier versions, but you must
configure Communicator preferences as follows:
<ul>
<li>
Choose Preferences from the Edit menu, then click the plus sign beside
Advanced, then click Proxies.</li>
<li>
In the Proxies panel, click "Manual proxy configuration." You must configure
the proxy manually.</li>
<li>
Click View to see the proxy configurations.</li>
<li>
In the Manual Proxy Configuration dialog box, enter the hostname for the
HTTP proxy you want to use in the field labeled HTTP, and the port number
in the corresponding port field. Then, enter <tt>127.0.0.1</tt> in the
field at the bottom labeled "Exceptions/Do not use proxy servers for domains
beginning with:" (plus the names of any other hosts that you
don't want to reach through a proxy server). This address identifies the
local host, which must not be reached through a proxy server (or else Personal Security
Manager won't work). Do not enter anything in the field labeled "Security."</li>
</ul>
</li>
<li>
In some unusual circumstances you may encounter problems such as valid
certificates not being verified or Communicator freezing up. If you encounter
a problem that doesn't appear to have a logical explanation, try the following
as a last resort:
<ol>
<li>
Exit Communicator, then relaunch it. If necessary, use Control-Alt-Delete
on Windows 95/98/NT to bring up the Task Manager and click End Process
for both <tt>psm.exe</tt> and <tt>netscape.exe</tt>.</li>
<li>
<b>Warning: Before taking this step, back up your own certificates
stored internally by Personal Security Manager.</b> If exiting and relaunching
Communicator doesn't take care of the problem, in some rare cases it may
work to exit Communicator, then delete or rename your <tt>cert7.db</tt>
and <tt>key3.db</tt> files (located in your user profile directory on Windows
95/98/NT, or in the directory in which the Netscape executable resides
on Unix) and relaunch Communicator. You should also look for all other
files in the same directory that begin with <tt>cert</tt> or <tt>key</tt>
and end in <tt>.db</tt> and delete those files as well before relaunching
Communicator.</li>
</ol>
</li>
</ul>
<hr WIDTH="100%">
<h2>
<a NAME="Feedback"></a>Feedback</h2>
To send feedback to the Personal Security Manager development team, send
email to <a href="mailto:psmfeedback@netscape.com">psmfeedback@netscape.com</a>.
Feedback sent to this address will be read by the team, but you will
not receive a personal response.
</body>
</html>