Initial check in PSM docs
This commit is contained in:
Родитель
5450e7fb31
Коммит
329c58dc06
|
@ -0,0 +1,502 @@
|
||||||
|
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
|
||||||
|
<meta name="GENERATOR" content="Mozilla/4.7 [en] (WinNT; U) [Netscape]">
|
||||||
|
<title>Javascript API for Client Certificate Management</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<table WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<h1>
|
||||||
|
<font face="Arial,Helvetica">Personal Security Manager 1.0</font></h1>
|
||||||
|
|
||||||
|
<h2>
|
||||||
|
<font face="Arial,Helvetica">JavaScript API for Client Certificate Management</font></h2>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
Version 0.3 - 10/27/1999
|
||||||
|
<br>Comments to: <a href="mailto:psmfeedback@netscape.com?subject=JavaScript%20API%20Feedback">psmfeedback@netscape.com</a>
|
||||||
|
<p>This document describes a new JavaScript API for performing user certificate
|
||||||
|
management operations within a client. The JavaScript runs in the context
|
||||||
|
of a web page operated by a Certificate Authority (CA) or Registration
|
||||||
|
Authority (RA). The API allows the CA or RA to instruct the client to perform
|
||||||
|
PKI operations such as key generation, certificate request generation,
|
||||||
|
key escrow, import of user certificates, key recovery, and revocation requests.
|
||||||
|
<p>These properties and methods reflect behavior currently implemented
|
||||||
|
in Personal Security Manager 1.0.
|
||||||
|
<p>The messages imported by or generated by these JavaScript methods are
|
||||||
|
defined in the CRMF, CMMF, and CMC internet drafts.
|
||||||
|
<h2>
|
||||||
|
<font face="Arial,Helvetica">Overview of New Cert Issuing Process</font></h2>
|
||||||
|
|
||||||
|
<ol>
|
||||||
|
<li>
|
||||||
|
User fills out enrollment form</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
User action initiates script</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
Script calls key generation method</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
Signing and Encryption keys are generated</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
Encryption Private Key is wrapped with public key of Key Recovery Authority
|
||||||
|
(KRA) (passed in in the form of a certificate as part of the script, and
|
||||||
|
checked against a pre-installed certificate copy in the local certificate
|
||||||
|
database)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
The public keys, wrapped encryption private key, and text string from the
|
||||||
|
script (possibly containing naming or enrollment info) are signed by the
|
||||||
|
user</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
Signed blob is returned to the script</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
Script submits signed blob and any other necessary info to the CA/RA</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CA/RA verifies signature on signed blob</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CA/RA validates identity of user</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CA/RA sends wrapped encryption private key to KRA</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
KRA sends escrow verification back to CA</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CA creates and signs certificates</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
CA sends certificates back to Communicator</li>
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
<h2>
|
||||||
|
<font face="Arial,Helvetica">JavaScript API</font></h2>
|
||||||
|
|
||||||
|
<h3>
|
||||||
|
<font face="Arial,Helvetica">Properties</font></h3>
|
||||||
|
<tt>crypto.algorithms.dh.keySizes</tt>
|
||||||
|
<br><tt>crypto.algorithms.dsa.keySizes</tt>
|
||||||
|
<br><tt>crypto.algorithms.rsa.signing.keySizes</tt>
|
||||||
|
<br><tt>crypto.algorithms.rsa.keyEx.keySizes</tt>
|
||||||
|
<p><tt>keySizes</tt> is an an array that describes the available key sizes
|
||||||
|
for the particular algorithms and operations.
|
||||||
|
<p>The table below describes the key sizes that will be supported in the
|
||||||
|
US and Export versions of Communicator.
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER><b>Algorithm</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>US Version Key Sizes</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Export Version Key Sizes</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>DSA Signing Only</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>RSA Signing Only</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>RSA Encryption Only</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
|
||||||
|
<td>512,1024</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>RSA Dual Use Signing And Encryption</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
|
||||||
|
<td>512,1024</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>DH Key Exchange</td>
|
||||||
|
|
||||||
|
<td>1024, 2048</td>
|
||||||
|
|
||||||
|
<td>512,1024</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<h3>
|
||||||
|
<font face="Arial,Helvetica">Methods</font></h3>
|
||||||
|
|
||||||
|
<h4>
|
||||||
|
<font face="Arial,Helvetica">generateCRMFRequest()</font></h4>
|
||||||
|
<tt>crmfObject = crypto.generateCRMFRequest(<i>"requestedDN", "regToken",
|
||||||
|
"authenticator","escrowAuthorityCert", "KeyGen Done Code",keySize1, "keyParams1",
|
||||||
|
"keyGenAlg1",..., keySizeN, "keyParamsN", "keyGenAlgN");</i></tt>
|
||||||
|
<p>This method will generate a sequence of CRMF requests that has N requests.
|
||||||
|
One request for each key pair that is generated. The first three
|
||||||
|
parameters will be applied to every request. the "escrowAuthorityCert"
|
||||||
|
parameter will only be used for requests that pertain to a key that is
|
||||||
|
being escrowed. After the "escrowAuthorityCert" parameter, the method
|
||||||
|
takes some JavaScript code that is invoked when the CRMF request
|
||||||
|
is ready. Finally, there are 1 or more sets of key generation arguments.
|
||||||
|
Each key generation will be associated with its own request. All
|
||||||
|
the requests will have the same DN.
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER VALIGN=TOP><b>Argument</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>"requestedDN"</tt></i></td>
|
||||||
|
|
||||||
|
<td>An RFC1485 formatted DN to include in the certificate request.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>"regToken"</tt></i></td>
|
||||||
|
|
||||||
|
<td>A value used to authenticate the user to the RA/CA.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>"authenticator"</tt></i></td>
|
||||||
|
|
||||||
|
<td>A value that the user can authenticate with in the future when their
|
||||||
|
private key is not available. Can be used for key recovery or revocation
|
||||||
|
requests.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>"escrowAuthorityCert"</tt></i></td>
|
||||||
|
|
||||||
|
<td>If this value is NULL, then no key escrow will be performed. This value
|
||||||
|
specifies which KRA certificate should be used to wrap the private key
|
||||||
|
being escrowed. The user will be prompted for confirmation whenever a key
|
||||||
|
will be escrowed. Only key exchange keys will be escrowed. If a dual
|
||||||
|
use key is being generated, it will not be escrowed. The value of
|
||||||
|
this argument is a base-64 encoded certificate.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>"CRMF Generation Done Code"</tt></i></td>
|
||||||
|
|
||||||
|
<td>This parameter is JavaScript to execute when the CRMF generation is
|
||||||
|
complete. </td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>keySizeN</tt></i></td>
|
||||||
|
|
||||||
|
<td>The size in bits of the Nth key to generate</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>"keyParamsN"</tt></i></td>
|
||||||
|
|
||||||
|
<td>This string is an optional algorithm dependent parameter value. For
|
||||||
|
Diffie-Hellman it is used to specify p and g parameters. For DSA,
|
||||||
|
it will be used to specify pqg. If the key generation requires parameters
|
||||||
|
and the value passed in is NULL, then the client will generate the parameters
|
||||||
|
on its own. Currently, this value is ignored.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>"keyGenAlgN"</tt></i></td>
|
||||||
|
|
||||||
|
<td>Which algorithm the generated key will support. Acceptable values are
|
||||||
|
(the mentioned values for keyUsage pertain to the keyUsage value of the
|
||||||
|
Certificate Extension that will ultimately be in the issued certificate):
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
"rsa-ex" - generate an RSA key for key exchange only (This will have keyEncipherment
|
||||||
|
set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"rsa-dual-use" - generate a single RSA key for both signing and encryption.
|
||||||
|
(This will have digitalSignature, keyEncipherment, and nonRepudiation set
|
||||||
|
for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"rsa-sign" - generate an RSA key for signing only. (This will have digitalSignature
|
||||||
|
set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"rsa-nonrepudiation" - generate a single RSA key for nonRepudiation only.
|
||||||
|
(This will have non-repudiation set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"rsa-sign-nonrepudiation" - generate a single RSA key use for both signing
|
||||||
|
and nonRepudiation. (This will have both digitalSignature and nonRepudiation
|
||||||
|
set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"dsa-sign" - generate a single DSA key for signing only. (This will have
|
||||||
|
digitalSignature set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"dsa-nonrepudiation" - generate a single DSA key for nonRepudiation. (This
|
||||||
|
will have nonRepudiation set for keyUsage.)</li>
|
||||||
|
|
||||||
|
<li>
|
||||||
|
"dsa-sign-nonrepudiation" - generate a single DSA key for signing and non-repudiation.
|
||||||
|
(This will have digitalSignature and nonRepudiation set for keyUsage.)</li>
|
||||||
|
</ul>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<p>The <b>generateCRMFRequest()</b> method will cause the user to be presented
|
||||||
|
with a key generation dialog. The dialog describes the key generation process
|
||||||
|
and gives the user the opportunity to cancel the operation.
|
||||||
|
<p>The method <b>generateCRMFRequest() </b>will return an instance of a
|
||||||
|
CRMF object. The JavaScript passed in as the <i><tt>"CRMF Generation Done
|
||||||
|
Code"</tt></i> parameter should look at the attribute <i>request </i>of
|
||||||
|
the returned object to get the result of the CRMF generation.
|
||||||
|
<p>The string found by accessing <i><tt>crmfObject.request</tt></i> is
|
||||||
|
the base-64 encoded CRMF message to be sent to the CA/RA, or an error string.
|
||||||
|
The possible error strings are:
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER><b>Error String</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:invalidParameter:XXX"</td>
|
||||||
|
|
||||||
|
<td>The parameter XXX was an invalid value.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:userCancel"</td>
|
||||||
|
|
||||||
|
<td>the user has canceled the key generation operation</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:internalError"</td>
|
||||||
|
|
||||||
|
<td>the software encountered some internal error, such as out of memory</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<h4>
|
||||||
|
<font face="Arial,Helvetica">importUserCertificates()</font></h4>
|
||||||
|
<tt><i>resultString</i> = crypto.importUserCertificates(<i>"nicknameString"</i>,
|
||||||
|
<i>"certString"</i>,
|
||||||
|
<i>allowBackup</i>)</tt>
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER><b>Argument</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>"nicknameString"</tt></i></td>
|
||||||
|
|
||||||
|
<td>This is the nickname that will be used to describe the certificate
|
||||||
|
in the client's certificate management UI. It should serve to uniquely
|
||||||
|
identify the certificate to the user. For example, "John Smith's VeriSign
|
||||||
|
Class 3 Digital ID" or "John Smith's Ford ID Certificate". However, if
|
||||||
|
this certificate has the same DN as one or more certificates that already
|
||||||
|
exist in the user's certificate store, the nickname associated with the
|
||||||
|
certificate(s) of the same DN in the certificate store is used, and the
|
||||||
|
<tt>"nicknameString"</tt> parameter is ignored. If the string is null and
|
||||||
|
no certificate with the same DN exists in the user's certificate store,
|
||||||
|
Personal Security Manager uses the following pattern to derive the nickname:
|
||||||
|
<tt><Common Name>'s <Issuer Name> ID</tt>.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>"certRepString"</tt></i></td>
|
||||||
|
|
||||||
|
<td>This string is the CMMF Certification Response from the CA that contains
|
||||||
|
the user's certificate(s). The response is base-64 encoded.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><i><tt>allowBackup</tt></i></td>
|
||||||
|
|
||||||
|
<td>This is a Boolean argument. It allows the CA or RA to indicate to the
|
||||||
|
client whether to force the user to back up a newly issued certificate
|
||||||
|
(PKCS #12).</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<p>The <b>importUserCertificates()</b> method is used to import newly issued
|
||||||
|
certificates for the user. The private key for the certificates must already
|
||||||
|
reside in the user's personal private key database.
|
||||||
|
<p>The request ID in the response being imported must match the request
|
||||||
|
ID in the associated Certification Request or Recovery Request.
|
||||||
|
<p>If the import operation succeeds, an empty string will be returned.
|
||||||
|
If it fails, one of the following error strings will be returned:
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER><b>Error String</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:userCancel"</td>
|
||||||
|
|
||||||
|
<td>The user canceled the import operation</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:invalidCertificate"</td>
|
||||||
|
|
||||||
|
<td>One of the certificate packages was incorrectly formatted</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:internalError"</td>
|
||||||
|
|
||||||
|
<td>The software encountered some internal error, such as out of memory</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:invalidRequestID"</td>
|
||||||
|
|
||||||
|
<td>The request ID in the response message does not match any outstanding
|
||||||
|
request</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<h4>
|
||||||
|
<font face="Arial,Helvetica">popChallengeResponse()</font></h4>
|
||||||
|
<tt><i>resultString</i> = crypto.popChallengeResponse(<i>"challengeString"</i>);</tt>
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER VALIGN=TOP><b>Argument</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td VALIGN=TOP><i><tt>"challengeString"</tt></i></td>
|
||||||
|
|
||||||
|
<td>A base-64 encoded CMMF POPODecKeyChallContent message. The current
|
||||||
|
implementation does not conform to that defined in the CMMF draft, and
|
||||||
|
we intend to change this implementation to that defined in the CMC RFC..
|
||||||
|
See below for the current implementation.</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<p>The resultString will either be a base-64 encoded POPODecKeyRespContent
|
||||||
|
message, or one of the following error strings:
|
||||||
|
<br>
|
||||||
|
<br>
|
||||||
|
<table BORDER WIDTH="100%" >
|
||||||
|
<tr>
|
||||||
|
<td ALIGN=CENTER><b>Error String</b></td>
|
||||||
|
|
||||||
|
<td ALIGN=CENTER><b>Description</b></td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:invalidParameter:XXX"</td>
|
||||||
|
|
||||||
|
<td>The parameter XXX was an invalid value.</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td>"error:internalError"</td>
|
||||||
|
|
||||||
|
<td>the software encountered some internal error, such as out of memory</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<p><b>Challenge-Response Proof Of Possession</b>
|
||||||
|
<p><tt>Expected Input:</tt>
|
||||||
|
<p><tt>POPODecKeyChallContent ::= SEQUENCE OF Challenge</tt>
|
||||||
|
<br><tt> -- One Challenge per encryption key certification
|
||||||
|
request (in the</tt>
|
||||||
|
<br><tt> -- same order as these requests appear in FullCertTemplates).</tt>
|
||||||
|
<p><tt>Challenge ::= SEQUENCE {</tt>
|
||||||
|
<br><tt> owf
|
||||||
|
AlgorithmIdentifier OPTIONAL,</tt>
|
||||||
|
<br><tt> -- MUST be present in the first
|
||||||
|
Challenge; MAY be omitted in any</tt>
|
||||||
|
<br><tt> -- subsequent Challenge in POPODecKeyChallContent
|
||||||
|
(if omitted,</tt>
|
||||||
|
<br><tt> -- then the owf used in the immediately
|
||||||
|
preceding Challenge is</tt>
|
||||||
|
<br><tt> -- to be used).</tt>
|
||||||
|
<br><tt> witness
|
||||||
|
OCTET STRING,</tt>
|
||||||
|
<br><tt> -- the result of applying the one-way
|
||||||
|
function (owf) to a</tt>
|
||||||
|
<br><tt> -- randomly-generated INTEGER, A.
|
||||||
|
[Note that a different</tt>
|
||||||
|
<br><tt> -- INTEGER MUST be used for each
|
||||||
|
Challenge.]</tt>
|
||||||
|
<br><tt> sender
|
||||||
|
GeneralName,</tt>
|
||||||
|
<br><tt> -- the name of the sender.</tt>
|
||||||
|
<br><tt> key
|
||||||
|
OCTET STRING,</tt>
|
||||||
|
<br><tt> -- the public key used to encrypt
|
||||||
|
the challenge. This will allow</tt>
|
||||||
|
<br><tt> -- the client to find the appropriate
|
||||||
|
key to do the decryption.</tt>
|
||||||
|
<br><tt> challenge
|
||||||
|
OCTET STRING</tt>
|
||||||
|
<br><tt> -- the encryption (under the public
|
||||||
|
key for which the cert.</tt>
|
||||||
|
<br><tt> -- request is being made) of Rand,
|
||||||
|
where Rand is specified as</tt>
|
||||||
|
<br><tt> -- Rand ::= SEQUENCE
|
||||||
|
{</tt>
|
||||||
|
<br><tt> --
|
||||||
|
int INTEGER,</tt>
|
||||||
|
<br><tt> --
|
||||||
|
- the randomly-generated INTEGER A (above)</tt>
|
||||||
|
<br><tt> --
|
||||||
|
senderHash OCTET STRING</tt>
|
||||||
|
<br><tt> --
|
||||||
|
- the result of applying the one-way function (owf) to</tt>
|
||||||
|
<br><tt> --
|
||||||
|
- the sender's general name</tt>
|
||||||
|
<br><tt> -- }</tt>
|
||||||
|
<br><tt> -- the size of "int" must be small
|
||||||
|
enough such that "Rand" can be</tt>
|
||||||
|
<br><tt> -- contained within a single PKCS
|
||||||
|
#1 encryption block.</tt>
|
||||||
|
<br><tt> }</tt>
|
||||||
|
<p>© Copyright 1999 Netscape Communications Corporation
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -0,0 +1,171 @@
|
||||||
|
<html><head>
|
||||||
|
<title></title>
|
||||||
|
|
||||||
|
</HEAD>
|
||||||
|
|
||||||
|
|
||||||
|
<FONT FACE="arial, helvetica, sans-serif" size="-1">
|
||||||
|
<a name="TOP">
|
||||||
|
<IMG SRC="cartbanner.gif" WIDTH="432" HEIGHT="36" HSPACE="0" VSPACE="0">
|
||||||
|
<table bgcolor="#cccccc" width="100%">
|
||||||
|
<tr><td><IMG SRC="w.gif" WIDTH=1 HEIGHT=3 BORDER=0></td></tr>
|
||||||
|
</table>
|
||||||
|
<BR><BR>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<TABLE CELLPADDING=5 CELLSPACING=2 border=0>
|
||||||
|
<TR>
|
||||||
|
|
||||||
|
<TD> <a href="help.htm">Next<IMG SRC="next.gif" WIDTH=16
|
||||||
|
|
||||||
|
HEIGHT=14 ALIGN="texttop" BORDER=0></a></FONT></TD>
|
||||||
|
<TD BGCOLOR="#FFFFFF"><a href="contents.htm">Topics</a></FONT></TD>
|
||||||
|
|
||||||
|
|
||||||
|
</TR>
|
||||||
|
</TABLE>
|
||||||
|
</TD></TR>
|
||||||
|
</TABLE>
|
||||||
|
|
||||||
|
<BR> <BR>
|
||||||
|
|
||||||
|
</a>
|
||||||
|
</DIV>
|
||||||
|
|
||||||
|
</P>
|
||||||
|
<h1>Contents</h1>
|
||||||
|
|
||||||
|
<B><a href="help.htm#1024926">
|
||||||
|
</B> </A> <p>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1044151">
|
||||||
|
Introduction to Personal Security Manager
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1044573">
|
||||||
|
About Personal Security Manager Help
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1043598">
|
||||||
|
What You Can Do with Personal Security Manager
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1026014">
|
||||||
|
Understanding Network Security
|
||||||
|
</a><br>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1045279">
|
||||||
|
Information Tab
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1041627">
|
||||||
|
Information About Web Pages
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1046060">
|
||||||
|
Information About Stored Email Messages
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1046671">
|
||||||
|
Information About Email Messages You Are Composing
|
||||||
|
</a><br>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1030083">
|
||||||
|
Applications Tab
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1030967">
|
||||||
|
Navigator
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1031452">
|
||||||
|
Messenger
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1031152">
|
||||||
|
Java/JavaScript
|
||||||
|
</a><br>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1030743">
|
||||||
|
Certificates Tab
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1047547">
|
||||||
|
Certificates—Mine
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1031428">
|
||||||
|
Certificates—Others
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1031432">
|
||||||
|
Certificates—Web Sites
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1031434">
|
||||||
|
Certificates—Authorities
|
||||||
|
</a><br>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1036138">
|
||||||
|
Advanced Tab
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1036162">
|
||||||
|
Modules
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1036164">
|
||||||
|
Options
|
||||||
|
</a><br>
|
||||||
|
<p><b>
|
||||||
|
<a href="help.htm#1031657">
|
||||||
|
Other Personal Security Manager Windows
|
||||||
|
</a></b><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1049021">
|
||||||
|
View Security Certificate
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1035650">
|
||||||
|
Choose Security Device
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1041171">
|
||||||
|
Enrollment Information
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1055232">
|
||||||
|
Certificate Renewal
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1041200">
|
||||||
|
Choosing a Certificate
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1036401">
|
||||||
|
New Certificate Authority
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1041248">
|
||||||
|
Web Site Certificates
|
||||||
|
</a><br><DD>
|
||||||
|
|
||||||
|
<a href="help.htm#1036488">
|
||||||
|
Request for Signature
|
||||||
|
</a><br><FONT FACE="sans-Serif" SIZE=+1> <BR>
|
||||||
|
<a href="glossary.htm#996904">
|
||||||
|
Glossary
|
||||||
|
</a>
|
||||||
|
</A> </FONT>
|
||||||
|
|
||||||
|
<BR><BR><BR>
|
||||||
|
|
||||||
|
© Copyright 1999 Netscape Communications Corporation
|
||||||
|
</FONT> </CENTER>
|
||||||
|
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
</BODY>
|
||||||
|
|
||||||
|
</HTML>
|
|
@ -0,0 +1,412 @@
|
||||||
|
<html><head>
|
||||||
|
<title></title>
|
||||||
|
|
||||||
|
<script languag=javascript>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
if (typeof(crypto.disableRightClick) == "function") {
|
||||||
|
crypto.disableRightClick();
|
||||||
|
}
|
||||||
|
// -->
|
||||||
|
|
||||||
|
</script>
|
||||||
|
</HEAD>
|
||||||
|
|
||||||
|
<FONT FACE="arial, helvetica, sans-serif" size="-1">
|
||||||
|
<a name="TOP">
|
||||||
|
|
||||||
|
<IMG SRC="cartbanner.gif" WIDTH="432" HEIGHT="36" HSPACE="0" VSPACE="0">
|
||||||
|
<table bgcolor="#cccccc" width="100%">
|
||||||
|
<tr><td><IMG SRC="w.gif" WIDTH=1 HEIGHT=3 BORDER=0></td></tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
<BR><BR>
|
||||||
|
<TABLE CELLPADDING=5 CELLSPACING=2 border=0>
|
||||||
|
<TR><TD BGCOLOR="#FFFFFF"><a href="help.htm"><IMG SRC="prev.gif" WIDTH=16
|
||||||
|
|
||||||
|
HEIGHT=14 ALIGN="texttop" BORDER=0>Previous</a>
|
||||||
|
</TD>
|
||||||
|
|
||||||
|
|
||||||
|
<TD BGCOLOR="#FFFFFF"><a href="contents.htm">Topics</a></TD>
|
||||||
|
|
||||||
|
|
||||||
|
</TR>
|
||||||
|
</TABLE>
|
||||||
|
|
||||||
|
<BR> <BR>
|
||||||
|
|
||||||
|
</a>
|
||||||
|
</DIV>
|
||||||
|
|
||||||
|
</P>
|
||||||
|
<h1><A NAME="
|
||||||
|
"></A><A NAME="996904">
|
||||||
|
Glossary
|
||||||
|
</A></h1><dl>
|
||||||
|
<A NAME="authentication"></A><A NAME="998782">
|
||||||
|
<B>authentication.</B>
|
||||||
|
</A><A NAME="1013907">
|
||||||
|
Assurance that a party to a computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, personal identification number (PIN), or other information that can be used to validate identity over a computer network. See also <a href="glossary.htm#1014123">password-based authentication</a>, <a href="glossary.htm#1018581">certificate-based authentication</a>, <a href="glossary.htm#1021054">client authentication</a>, <a href="glossary.htm#1031070">server authentication</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="CA"></A><A NAME="1021395">
|
||||||
|
<B>CA.</B>
|
||||||
|
</A><A NAME="1021418">
|
||||||
|
See <a href="glossary.htm#1020903"></a><a href="glossary.htm#1020903">certificate authority (CA)</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="CA certificate"></A><A NAME="1017503">
|
||||||
|
<B>CA certificate.</B>
|
||||||
|
</A><A NAME="1017507">
|
||||||
|
A certificate that identifies a certificate authority. See also <a href="glossary.htm#1020903">certificate authority (CA)</a>, <a href="glossary.htm#999541">subordinate CA</a>, <a href="glossary.htm#1015631">root CA</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate"></A><A NAME="1018895">
|
||||||
|
<B>certificate.</B>
|
||||||
|
</A><A NAME="1018896">
|
||||||
|
The digital equivalent of an ID card. A certificate specifies the name of an individual, company, or other entity and certifies that a public key, which is included in the certificate, belongs to that entity. When you digitally sign a message or other data, the digital signature for that message is created with the aid of the private key that corresponds to the public key in your certificate. A certificate is issued and digitally signed by a <a href="glossary.htm#1020903">certificate authority (CA)</a>. A certificate's validity can be verified by checking the CA's <a href="glossary.htm#1013995">digital signature</a>. Also called digital ID, digital passport, public-key certificate X.509 certificate, and security certificate. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate authority (CA)"></A><A NAME="1020903">
|
||||||
|
<B>certificate authority (CA).</B>
|
||||||
|
</A><A NAME="1020904">
|
||||||
|
A service that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify. A CA also renews and revokes certificates and generates a list of revoked certificates at regular intervals. CAs can be independent vendors (such as the CAs listed at <a href= "https://certs.netscape.com/client.html" TARGET="_blank">Certificate Authority Services</a>) or a person or organization using certificate-issuing server software (such as Netscape Certificate Management System). See also <a href="glossary.htm#1018895">certificate</a>, <a href="glossary.htm#1019940">certificate revocation list (CRL)</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate-based authentication"></A><A NAME="1018581">
|
||||||
|
<B>certificate-based authentication.</B>
|
||||||
|
</A><A NAME="1018582">
|
||||||
|
Verification of identity based on certificates and public-key cryptography. See also <a href="glossary.htm#1014123">password-based authentication</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate chain"></A><A NAME="1018500">
|
||||||
|
<B>certificate chain.</B>
|
||||||
|
</A><A NAME="1019929">
|
||||||
|
A hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a <a href="glossary.htm#1020903">certificate authority (CA)</a> and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a <a href="glossary.htm#1015631">root CA</a>. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate fingerprint"></A><A NAME="1020297">
|
||||||
|
<B>certificate fingerprint.</B>
|
||||||
|
</A><A NAME="1020326">
|
||||||
|
A unique number associated with a certificate. The number is not part of the certificate itself but is produced by applying a mathematical function to the contents of the certificate. If the contents of the certificate change, even by a single character, the function produces a different number. Certificate fingerprints can therefore be used to verify that certificates have not been tampered with.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate renewal"></A><A NAME="1031319">
|
||||||
|
<B>certificate renewal.</B>
|
||||||
|
</A><A NAME="1031323">
|
||||||
|
The process of renewing a <a href="glossary.htm#1018895">certificate</a> that is about to expire.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate revocation list (CRL)"></A><A NAME="1019940">
|
||||||
|
<B>certificate revocation list (CRL).</B>
|
||||||
|
</A><A NAME="1021047">
|
||||||
|
A list of revoked certificates that is generated and signed by a <a href="glossary.htm#1020903">certificate authority (CA)</a>. You can download the latest CRL to your browser or to a server, then check against it to make sure that certificates are still valid before permitting their use for authentication. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate store"></A><A NAME="1023462">
|
||||||
|
<B>certificate store.</B>
|
||||||
|
</A><A NAME="1023463">
|
||||||
|
The collection of certificates, or electronic IDs, maintained by Personal Security Manager on your behalf. These include your own certificates stored on one or more security devices, other people's certificates, web site certificates, and <a href="glossary.htm#1020903"></a>CA certificates. See also <a href="glossary.htm#1020903">certificate authority (CA)</a>, <a href="glossary.htm#1018895">certificate</a>, <a href="glossary.htm#1028962">security device</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="certificate verification"></A><A NAME="1025527">
|
||||||
|
<B>certificate verification.</B>
|
||||||
|
</A><A NAME="1025531">
|
||||||
|
When Personal Security Manager verifies a certificate, it confirms that the digital signature was created by a CA whose own CA certificate is both present in the certificate store and marked as trusted for issuing that kind of certificate. It also confirms that the certificate being verified has not been marked as untrusted in the certificate store. Finally, if the <a href="glossary.htm#1029304">Online Certificate Status Protocol (OCSP)</a> has been activated (from the Options panel under the Advanced tab), Personal Security Manager also performs an on-line check. It does so by looking up the certificate in a list of valid certificates maintained at a URL that is specified either in the certificate itself or in the OCSP Settings window. If any of these checks fail, Personal Security Manager marks the certificate as unverified and won't recognize the identity it certifies.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="cipher"></A><A NAME="1021048">
|
||||||
|
<B>cipher.</B>
|
||||||
|
</A><A NAME="1021052">
|
||||||
|
See <a href="glossary.htm#1019976">cryptographic algorithm</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="client"></A><A NAME="1029510">
|
||||||
|
<B>client.</B>
|
||||||
|
</A><A NAME="1029547">
|
||||||
|
Software (such as browser software) that sends requests to and receives information from a <a href="glossary.htm#1029749">server</a>, which is usually running on a different computer. A computer on which client software runs is also described as a client.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="client authentication"></A><A NAME="1021054">
|
||||||
|
<B>client authentication.</B>
|
||||||
|
</A><A NAME="1014557">
|
||||||
|
The process of identifying a <a href="glossary.htm#1029510">client</a> to a <a href="glossary.htm#1029749">server</a>, for example with a name and password or with a <a href="glossary.htm#1014561">client SSL certificate</a> and some digitally signed data. See also <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>, <a href="glossary.htm#1031070">server authentication</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="client SSL certificate"></A><A NAME="1014561">
|
||||||
|
<B>client SSL certificate.</B>
|
||||||
|
</A><A NAME="1014562">
|
||||||
|
A certificate that a <a href="glossary.htm#1029510">client</a> (for example, browser software such as Netscape Communicator) presents to a <a href="glossary.htm#1029749">server</a> to authenticate the identity of the client (or the identity of the person using the client) using the <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a> protocol. See also <a href="glossary.htm#1021054">client authentication</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="cryptographic algorithm"></A><A NAME="1019976">
|
||||||
|
<B>cryptographic algorithm.</B>
|
||||||
|
</A><A NAME="1019985">
|
||||||
|
A set of rules or directions used to perform cryptographic operations such as <a href="glossary.htm#999078">encryption</a> and <a href="glossary.htm#998999">decryption</a>. Sometimes called a <I>cipher.</I><P>
|
||||||
|
</A>
|
||||||
|
<A NAME="cryptography"></A><A NAME="1026002">
|
||||||
|
<B>cryptography.</B>
|
||||||
|
</A><A NAME="1026018">
|
||||||
|
The art and practice of scrambling (encrypting) and unscrambling (decrypting) information. For example, cryptographic techniques are used to scramble an unscramble information flowing between commercial web sites and your browser. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="decryption"></A><A NAME="998999">
|
||||||
|
<B>decryption.</B>
|
||||||
|
</A><A NAME="999005">
|
||||||
|
The process of unscrambling data that has been encrypted. See also <a href="glossary.htm#999078">encryption</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="digital ID"></A><A NAME="999011">
|
||||||
|
<B>digital ID.</B>
|
||||||
|
</A><A NAME="999017">
|
||||||
|
See <a href="glossary.htm#1018895">certificate</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="digital signature"></A><A NAME="1013995">
|
||||||
|
<B>digital signature.</B>
|
||||||
|
</A><A NAME="1013996">
|
||||||
|
A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it. A digital signature has nothing to do with a handwritten signature, although it can sometimes be used for similar legal purposes. See also <a href="glossary.htm#999248">nonrepudiation</a>, <a href="glossary.htm#999618">tamper detection</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="distinguished name (DN)"></A><A NAME="1022191">
|
||||||
|
<B>distinguished name (DN).</B>
|
||||||
|
</A><A NAME="1022194">
|
||||||
|
A specially formatted name that uniquely identifies the subject of a certificate.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="dual key pairs"></A><A NAME="1020489">
|
||||||
|
<B>dual key pairs.</B>
|
||||||
|
</A><A NAME="1020619">
|
||||||
|
Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate <a href="glossary.htm#1018895">certificate</a>. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="eavesdropping"></A><A NAME="1020620">
|
||||||
|
<B>eavesdropping.</B>
|
||||||
|
</A><A NAME="1013975">
|
||||||
|
Surreptitious interception of information sent over a network by an entity for which the information is not intended.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="encryption"></A><A NAME="999078">
|
||||||
|
<B>encryption.</B>
|
||||||
|
</A><A NAME="1024038">
|
||||||
|
The process of scrambling information in a way that disguises its meaning. For example, encrypted connections between computers make it very difficult for third-parties to unscramble, or <I>decrypt,</I> information flowing over the connection. Encrypted information can be decrypted only by someone who possesses the appropriate key. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="encryption certificate"></A><A NAME="1024953">
|
||||||
|
<B>encryption certificate.</B>
|
||||||
|
</A><A NAME="1024978">
|
||||||
|
A certificate whose public key corresponds to a private key used for encryption only. Encryption certificates are not used for signing operations. See also <a href="glossary.htm#1020489">dual key pairs</a>, <a href="glossary.htm#999493">signing certificate</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="encryption key"></A><A NAME="1021254">
|
||||||
|
<B>encryption key.</B>
|
||||||
|
</A><A NAME="1021255">
|
||||||
|
A private key used for encryption only. An encryption key and its equivalent public key, plus a <a href="glossary.htm#1021282">signing key</a> and its equivalent public key, constitute a <a href="glossary.htm#1020489">dual key pairs</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="fingerprint"></A><A NAME="1020434">
|
||||||
|
<B>fingerprint.</B>
|
||||||
|
</A><A NAME="1020450">
|
||||||
|
See <a href="glossary.htm#1020297">certificate fingerprint</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="FIPS PUBS 140-1"></A><A NAME="1025742">
|
||||||
|
<B>FIPS PUBS 140-1.</B>
|
||||||
|
</A><A NAME="1025743">
|
||||||
|
Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a US government standard for implementations of cryptographic modules--that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the US government must comply with one or more of the FIPS standards.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="key"></A><A NAME="999203">
|
||||||
|
<B>key.</B>
|
||||||
|
</A><A NAME="999212">
|
||||||
|
A large number used by a <a href="glossary.htm#1019976">cryptographic algorithm</a> to encrypt or decrypt data. A person's public key, for example, allows other people to encrypt messages to that person. The encrypted messages must be decrypted with the corresponding private key. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="Lightweight Directory Access Protocol (LDAP)"></A><A NAME="1022286">
|
||||||
|
<B>Lightweight Directory Access Protocol (LDAP).</B>
|
||||||
|
</A><A NAME="1022287">
|
||||||
|
A protocol for accessing directory services across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="misrepresentation"></A><A NAME="1014057">
|
||||||
|
<B>misrepresentation.</B>
|
||||||
|
</A><A NAME="1014058">
|
||||||
|
Presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. See also <a href="glossary.htm#1014366">spoofing</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="Netscape Certificate Management System"></A><A NAME="1018306">
|
||||||
|
<B>Netscape Certificate Management System.</B>
|
||||||
|
</A><A NAME="1018308">
|
||||||
|
A highly configurable set of software components and tools for creating, deploying, and managing certificates. You enroll with the system to obtain certificates of all kinds; the system maintains information about the certificates it issues.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="nonrepudiation"></A><A NAME="999248">
|
||||||
|
<B>nonrepudiation.</B>
|
||||||
|
</A><A NAME="999254">
|
||||||
|
The inability, of the sender of a message, to deny having sent the message. A regular hand-written signature provides one form of nonrepudiation. A <a href="glossary.htm#1013995">digital signature</a> provides another.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="object signing"></A><A NAME="1014095">
|
||||||
|
<B>object signing.</B>
|
||||||
|
</A><A NAME="1014096">
|
||||||
|
A technology that allows software developers to sign Java code, JavaScript scripts, or any kind of file, and that allows users to identify the signers and control access by signed code to local system resources.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="object-signing certificate"></A><A NAME="1014097">
|
||||||
|
<B>object-signing certificate.</B>
|
||||||
|
</A><A NAME="1014098">
|
||||||
|
A certificate whose corresponding private key is used to sign objects such as code files. See also <a href="glossary.htm#1014095">object signing</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="Online Certificate Status Protocol (OCSP)"></A><A NAME="1029304">
|
||||||
|
<B>Online Certificate Status Protocol (OCSP).</B>
|
||||||
|
</A><A NAME="1029312">
|
||||||
|
A set of rules that Personal Security Manager follows to perform an online check of an email certificate's validity each time the certificate is used. This process involves checking the certificate against a list of valid certificates maintained at a specified web site. Your computer must be online for OCSP to work.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="password-based authentication"></A><A NAME="1014123">
|
||||||
|
<B>password-based authentication.</B>
|
||||||
|
</A><A NAME="1014124">
|
||||||
|
Confident identification by means of a name and password. See also <a href="glossary.htm#998782">authentication</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="personal security password"></A><A NAME="1024355">
|
||||||
|
<B>personal security password.</B>
|
||||||
|
</A><A NAME="1024372">
|
||||||
|
A password used by Personal Security Manager to protect private keys stored on a <a href="glossary.htm#1028962">security device</a>. Personal Security Manager needs to access your private keys, for example, when you sign email messages or use one of your own certificates to identify yourself to a web site. You can set or change the password from the Certificates tab in Personal Security Manager. You can also control when you will be asked for the password: the first time Personal Security Manager starts up, every time one of your certificates is requested, or after a specified period of inactivity while you are visiting a site that supports encryption. Each security device requires a separate personal security password.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="PKCS #11"></A><A NAME="1025194">
|
||||||
|
<B>PKCS #11.</B>
|
||||||
|
</A><A NAME="1025195">
|
||||||
|
The public-key cryptography standard that governs security devices such as smart cards. See also <a href="glossary.htm#1028962">security device</a>, <a href="glossary.htm#1027625">smart card</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="PKCS #11 module"></A><A NAME="1025197">
|
||||||
|
<B>PKCS #11 module.</B>
|
||||||
|
</A><A NAME="1025271">
|
||||||
|
A program on your computer that manages cryptographic services such as encryption and decryption using the PKCS #11 standard. PKCS #11 modules (also called <I>cryptographic modules</I>, <I>cryptographic service providers,</I> or <I>security modules</I>) can be thought of as drivers for cryptographic devices that can be implemented in either hardware or software. A PKCS #11 module always controls one or more slots<B>,</B> which may be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a <a href="glossary.htm#1028962">security device</a> (also called <I>token</I>)<B>,</B> which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. Personal Security Manager provides a built-in PKCS #11 module. You may install additional modules on your computer to control smart card readers or other hardware devices.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="portable security password"></A><A NAME="1024655">
|
||||||
|
<B>portable security password.</B>
|
||||||
|
</A><A NAME="1024670">
|
||||||
|
A password that protects a certificate that you are backing up or have previously backed up. Personal Security Manager asks you to set this password when you back up a certificate, and requests it when you attempt to restore a certificate that has previously been backed up. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="private key"></A><A NAME="1015387">
|
||||||
|
<B>private key.</B>
|
||||||
|
</A><A NAME="1015391">
|
||||||
|
One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="PSM Private Keys security device"></A><A NAME="1032045">
|
||||||
|
<B>PSM Private Keys security device.</B>
|
||||||
|
</A><A NAME="1032110">
|
||||||
|
The default <a href="glossary.htm#1028962">security device</a> used by Personal Security Manager to store certificates and private keys.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="public key"></A><A NAME="1019172">
|
||||||
|
<B>public key.</B>
|
||||||
|
</A><A NAME="1019173">
|
||||||
|
One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a <a href="glossary.htm#1018895">certificate</a>. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="public-key cryptography"></A><A NAME="1019178">
|
||||||
|
<B>public-key cryptography.</B>
|
||||||
|
</A><A NAME="1023765">
|
||||||
|
A set of well-established techniques and standards that allow an entity (such as a person, an organization, or hardware such as a router) to verify its identity electronically or to sign and encrypt electronic data. Two keys are involved: a <a href="glossary.htm#1019172">public key</a> and a <a href="glossary.htm#1015387">private key</a>. The public key is published as part of a <a href="glossary.htm#1018895">certificate</a>, which associates that key with a particular identity. The corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="public-key infrastructure (PKI)"></A><A NAME="999412">
|
||||||
|
<B>public-key infrastructure (PKI).</B>
|
||||||
|
</A><A NAME="1014263">
|
||||||
|
The standards and services that facilitate the use of public-key cryptography and certificates in a networked environment.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="root CA"></A><A NAME="1015631">
|
||||||
|
<B>root CA.</B>
|
||||||
|
</A><A NAME="1015635">
|
||||||
|
The <a href="glossary.htm#1020903">certificate authority (CA)</a> with a self-signed certificate at the top of a <a href="glossary.htm#1018500">certificate chain</a>. See also <a href="glossary.htm#999541">subordinate CA</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="Secure Sockets Layer (SSL)"></A><A NAME="999463">
|
||||||
|
<B>Secure Sockets Layer (SSL).</B>
|
||||||
|
</A><A NAME="999472">
|
||||||
|
A protocol that allows mutual authentication between a <a href="glossary.htm#1029510">client</a> and a <a href="glossary.htm#1029749">server</a> for the purpose of establishing an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL. See also <a href="glossary.htm#998782">authentication</a>, <a href="glossary.htm#999078">encryption</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="security certificate"></A><A NAME="1028900">
|
||||||
|
<B>security certificate.</B>
|
||||||
|
</A><A NAME="1028904">
|
||||||
|
See <a href="glossary.htm#1018895">certificate</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="security device"></A><A NAME="1028962">
|
||||||
|
<B>security device.</B>
|
||||||
|
</A><A NAME="1028963">
|
||||||
|
A hardware or software device that provides cryptographic services such as encryption and decryption and can store certificates and keys. A smart card is one example of a hardware security device. Personal Security Manager contains its own internal security device, called the <a href="glossary.htm#1032045">PSM Private Keys security device</a>, that is implemented in software. Each security device is protected by its own <a href="glossary.htm#1024355">personal security password</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="security module"></A><A NAME="1029083">
|
||||||
|
<B>security module.</B>
|
||||||
|
</A><A NAME="1029097">
|
||||||
|
See <a href="glossary.htm#1025197">PKCS #11 module</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="security token"></A><A NAME="1028905">
|
||||||
|
<B>security token.</B>
|
||||||
|
</A><A NAME="1028909">
|
||||||
|
See <a href="glossary.htm#1028962">security device</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="server"></A><A NAME="1029749">
|
||||||
|
<B>server.</B>
|
||||||
|
</A><A NAME="1029869">
|
||||||
|
Software (such as software that serves up web pages) that receives requests from and sends information to a <a href="glossary.htm#1029510">client</a>, which is usually running on a different computer. A computer on which server software runs is also described as a server.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="server authentication"></A><A NAME="1031070">
|
||||||
|
<B>server authentication.</B>
|
||||||
|
</A><A NAME="1031080">
|
||||||
|
The process of identifying a <a href="glossary.htm#1029749">server</a> to a <a href="glossary.htm#1029510">client</a> by using a <a href="glossary.htm#1029874">server SSL certificate</a>. See also <a href="glossary.htm#1021054">client authentication</a>, <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="server SSL certificate"></A><A NAME="1029874">
|
||||||
|
<B>server SSL certificate.</B>
|
||||||
|
</A><A NAME="999500">
|
||||||
|
A certificate that a <a href="glossary.htm#1029749">server</a> presents to a <a href="glossary.htm#1029510">client</a> to authenticate the server's identity using the <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a> protocol.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="signing certificate"></A><A NAME="999493">
|
||||||
|
<B>signing certificate.</B>
|
||||||
|
</A><A NAME="999507">
|
||||||
|
A certificate whose corresponding <a href="glossary.htm#1015387">private key</a> is used to sign transmitted data, so that the receiver can verify the identity of the sender. Certificate authorities (CAs) often issue a signing certificate that will be used to sign email messages at the same time as an <a href="glossary.htm#1024953">encryption certificate</a> that will be used to encrypt email messages. See also <a href="glossary.htm#1020489">dual key pairs</a>, <a href="glossary.htm#1013995">digital signature</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="signing key"></A><A NAME="1021282">
|
||||||
|
<B>signing key.</B>
|
||||||
|
</A><A NAME="1021283">
|
||||||
|
A private key used for signing only. A signing key and its equivalent public key, together with an <a href="glossary.htm#1021254">encryption key</a> and its equivalent public key, constitute <a href="glossary.htm#1020489">dual key pairs</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="slot"></A><A NAME="1025218">
|
||||||
|
<B>slot.</B>
|
||||||
|
</A><A NAME="1025222">
|
||||||
|
A piece of hardware, or its equivalent in software, that is controlled by a <a href="glossary.htm#1025197">PKCS #11 module</a> and designed to contain a <a href="glossary.htm#1028962">security device</a>. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="smart card"></A><A NAME="1027625">
|
||||||
|
<B>smart card.</B>
|
||||||
|
</A><A NAME="1027626">
|
||||||
|
A small device, typically about the size of a credit card, that contains a microprocessor and is capable of storing cryptographic information (such as keys and certificates) and performing cryptographic operations. Smart cards use the <a href="glossary.htm#1025194">PKCS #11</a> standard. A smart card is one kind of <a href="glossary.htm#1028962">security device</a>. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="spoofing"></A><A NAME="1014366">
|
||||||
|
<B>spoofing.</B>
|
||||||
|
</A><A NAME="1014367">
|
||||||
|
Pretending to be someone else. For example, a person can pretend to have the email address <FONT FACE="courier, courier new, monospace">jdoe@mozilla.com</FONT>, or a computer can identify itself as a site called <FONT FACE="courier, courier new, monospace">www.mozilla.com</FONT> when it is not. Spoofing is one form of <a href="glossary.htm#1014057">misrepresentation</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="SSL"></A><A NAME="999533">
|
||||||
|
<B>SSL.</B>
|
||||||
|
</A><A NAME="999539">
|
||||||
|
See <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="subject"></A><A NAME="1013880">
|
||||||
|
<B>subject.</B>
|
||||||
|
</A><A NAME="1013881">
|
||||||
|
The entity (such as a person, organization, or router) identified by a <a href="glossary.htm#1018895">certificate</a>. In particular, the subject field of a certificate contains the certified entity's <a href="glossary.htm#1021328">subject name</a> and other characteristics.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="subject name"></A><A NAME="1021328">
|
||||||
|
<B>subject name.</B>
|
||||||
|
</A><A NAME="1021338">
|
||||||
|
A <a href="glossary.htm#1022191">distinguished name (DN)</a> that uniquely describes the <a href="glossary.htm#1013880">subject</a> of a <a href="glossary.htm#1018895">certificate</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="subordinate CA"></A><A NAME="999541">
|
||||||
|
<B>subordinate CA.</B>
|
||||||
|
</A><A NAME="999591">
|
||||||
|
A <a href="glossary.htm#1020903">certificate authority (CA)</a> whose certificate is signed by another subordinate CA or by the root CA. See also <a href="glossary.htm#1018500">certificate chain</a>, <a href="glossary.htm#1015631">root CA</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="symmetric encryption"></A><A NAME="999604">
|
||||||
|
<B>symmetric encryption.</B>
|
||||||
|
</A><A NAME="999625">
|
||||||
|
An encryption method that uses a single cryptographic key to both encrypt and decrypt a given message.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="tamper detection"></A><A NAME="999618">
|
||||||
|
<B>tamper detection.</B>
|
||||||
|
</A><A NAME="999631">
|
||||||
|
A mechanism ensuring that data received in electronic form has not been tampered with; that is, that the data received corresponds entirely with the original version of the same data.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="TLS"></A><A NAME="1027427">
|
||||||
|
<B>TLS.</B>
|
||||||
|
</A><A NAME="1027428">
|
||||||
|
See <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="token"></A><A NAME="1024528">
|
||||||
|
<B>token.</B>
|
||||||
|
</A><A NAME="1024586">
|
||||||
|
See <a href="glossary.htm#1028962">security device</a>.<P>
|
||||||
|
</A>
|
||||||
|
<A NAME="trust"></A><A NAME="1019748">
|
||||||
|
<B>trust.</B>
|
||||||
|
</A><A NAME="1020186">
|
||||||
|
Confident reliance on a person or other entity. In the context of <a href="glossary.htm#999412">public-key infrastructure (PKI)</a>, trust usually refers to the relationship between the user of a certificate and the <a href="glossary.htm#1020903">certificate authority (CA)</a> that issued the certificate. If you use Personal Security Manager to specify that you trust a CA, Personal Security Manager trusts valid certificates issued by that CA unless you specify otherwise in the settings for individual certificates. You use the Authorities panel of the Certificates tab in Personal Security Manager to specify the kinds of certificates you trust or don't trust different CAs to issue. <P>
|
||||||
|
</A>
|
||||||
|
<A NAME="1028719">
|
||||||
|
<B></B><a href="glossary.htm#1028962"></a><P>
|
||||||
|
</A>
|
||||||
|
</dl>
|
||||||
|
|
||||||
|
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
© Copyright 2000 Netscape Communications Corporation
|
||||||
|
</FONT> </CENTER>
|
||||||
|
|
||||||
|
<BR>
|
||||||
|
|
||||||
|
</BODY>
|
||||||
|
|
||||||
|
</HTML>
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
Загрузка…
Ссылка в новой задаче