Removing PSM 1 files from repository.

javi%netscape.com 2001-08-22 23:04:38 +00:00
parent 36ef0c1449
commit 224b0fa7df
13 changed files with 0 additions and 2856 deletions

Binary file not shown (size before: 5.4 KiB).

Binary file not shown (size before: 3.0 KiB).

Binary file not shown (size before: 2.4 KiB).

Binary file not shown (size before: 1.4 KiB).


@ -1,494 +0,0 @@
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.7 [en] (WinNT; U) [Netscape]">
<title>Javascript API for Client Certificate Management</title>
</head>
<body>
<h2><font face="Arial,Helvetica">Netscape Personal Security Manager</font></h2>
<h2><font face="Arial,Helvetica">JavaScript API for Client Certificate Management</font></h2>
Version 0.3 - 10/27/1999
<br>Comments to: <a href="mailto:psmfeedback@netscape.com?subject=JavaScript%20API%20Feedback">psmfeedback@netscape.com</a>
<p>This document describes a new JavaScript API for performing user certificate
management operations within a client. The JavaScript runs in the context
of a web page operated by a Certificate Authority (CA) or Registration
Authority (RA). The API allows the CA or RA to instruct the client to perform
PKI operations such as key generation, certificate request generation,
key escrow, import of user certificates, key recovery, and revocation requests.
<p>These properties and methods reflect behavior currently implemented
in Personal Security Manager 1.0.
<p>The messages imported by or generated by these JavaScript methods are
defined in the CRMF, CMMF, and CMC internet drafts.
<h2>
<font face="Arial,Helvetica">Overview of New Cert Issuing Process</font></h2>
<ol>
<li>
User fills out enrollment form</li>
<li>
User action initiates script</li>
<li>
Script calls key generation method</li>
<li>
Signing and Encryption keys are generated</li>
<li>
Encryption Private Key is wrapped with public key of Key Recovery Authority
(KRA) (passed in in the form of a certificate as part of the script, and
checked against a pre-installed certificate copy in the local certificate
database)</li>
<li>
The public keys, wrapped encryption private key, and text string from the
script (possibly containing naming or enrollment info) are signed by the
user</li>
<li>
Signed blob is returned to the script</li>
<li>
Script submits signed blob and any other necessary info to the CA/RA</li>
<li>
CA/RA verifies signature on signed blob</li>
<li>
CA/RA validates identity of user</li>
<li>
CA/RA sends wrapped encryption private key to KRA</li>
<li>
KRA sends escrow verification back to CA</li>
<li>
CA creates and signs certificates</li>
<li>
CA sends certificates back to Communicator</li>
</ol>
<h2>
<font face="Arial,Helvetica">JavaScript API</font></h2>
<h3>
<font face="Arial,Helvetica">Properties</font></h3>
<tt>crypto.algorithms.dh.keySizes</tt>
<br><tt>crypto.algorithms.dsa.keySizes</tt>
<br><tt>crypto.algorithms.rsa.signing.keySizes</tt>
<br><tt>crypto.algorithms.rsa.keyEx.keySizes</tt>
<p><tt>keySizes</tt> is an an array that describes the available key sizes
for the particular algorithms and operations.
<p>The table below describes the key sizes that will be supported in the
US and Export versions of Communicator.
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER><b>Algorithm</b></td>
<td ALIGN=CENTER><b>US Version Key Sizes</b></td>
<td ALIGN=CENTER><b>Export Version Key Sizes</b></td>
</tr>
<tr>
<td>DSA Signing Only</td>
<td>1024, 2048</td>
<td>1024, 2048</td>
</tr>
<tr>
<td>RSA Signing Only</td>
<td>1024, 2048</td>
<td>1024, 2048</td>
</tr>
<tr>
<td>RSA Encryption Only</td>
<td>1024, 2048</td>
<td>512,1024</td>
</tr>
<tr>
<td>RSA Dual Use Signing And Encryption</td>
<td>1024, 2048</td>
<td>512,1024</td>
</tr>
<tr>
<td>DH Key Exchange</td>
<td>1024, 2048</td>
<td>512,1024</td>
</tr>
</table>
<h3>
<font face="Arial,Helvetica">Methods</font></h3>
<h4>
<font face="Arial,Helvetica">generateCRMFRequest()</font></h4>
<tt>crmfObject = crypto.generateCRMFRequest(<i>"requestedDN", "regToken",
"authenticator","escrowAuthorityCert", "KeyGen Done Code",keySize1, "keyParams1",
"keyGenAlg1",..., keySizeN, "keyParamsN", "keyGenAlgN");</i></tt>
<p>This method will generate a sequence of CRMF requests that has N requests.&nbsp;
One request for each key pair that is generated.&nbsp; The first three
parameters will be applied to every request.&nbsp; the "escrowAuthorityCert"
parameter will only be used for requests that pertain to a key that is
being escrowed.&nbsp; After the "escrowAuthorityCert" parameter, the method
takes some JavaScript code that&nbsp; is invoked when the CRMF request
is ready. Finally, there are 1 or more sets of key generation arguments.&nbsp;
Each key generation will be associated with its own request.&nbsp; All
the requests will have the same DN.
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER VALIGN=TOP><b>Argument</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td><i><tt>"requestedDN"</tt></i></td>
<td>An RFC1485 formatted DN to include in the certificate request.</td>
</tr>
<tr>
<td><i><tt>"regToken"</tt></i></td>
<td>A value used to authenticate the user to the RA/CA.</td>
</tr>
<tr>
<td><i><tt>"authenticator"</tt></i></td>
<td>A value that the user can authenticate with in the future when their
private key is not available. Can be used for key recovery or revocation
requests.</td>
</tr>
<tr>
<td><i><tt>"escrowAuthorityCert"</tt></i></td>
<td>If this value is NULL, then no key escrow will be performed. This value
specifies which KRA certificate should be used to wrap the private key
being escrowed. The user will be prompted for confirmation whenever a key
will be escrowed.&nbsp; Only key exchange keys will be escrowed. If a dual
use key is being generated, it will not be escrowed.&nbsp; The value of
this argument is a base-64 encoded certificate.</td>
</tr>
<tr>
<td><i><tt>"CRMF Generation Done Code"</tt></i></td>
<td>This parameter is JavaScript to execute when the CRMF generation is
complete.&nbsp;</td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>keySizeN</tt></i></td>
<td>The size in bits of the Nth key to generate</td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>"keyParamsN"</tt></i></td>
<td>This string is an optional algorithm dependent parameter value. For
Diffie-Hellman it is used to specify p and g parameters.&nbsp; For DSA,
it will be used to specify pqg. If the key generation requires parameters
and the value passed in is NULL, then the client will generate the parameters
on its own. Currently, this value is ignored.</td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>"keyGenAlgN"</tt></i></td>
<td>Which algorithm the generated key will support. Acceptable values are
(the mentioned values for keyUsage pertain to the keyUsage value of the
Certificate Extension that will ultimately be in the issued certificate):&nbsp;
<ul>
<li>
"rsa-ex" - generate an RSA key for key exchange only (This will have keyEncipherment
set for keyUsage.)</li>
<li>
"rsa-dual-use" - generate a single RSA key for both signing and encryption.&nbsp;
(This will have digitalSignature, keyEncipherment, and nonRepudiation set
for keyUsage.)</li>
<li>
"rsa-sign" - generate an RSA key for signing only. (This will have digitalSignature
set for keyUsage.)</li>
<li>
"rsa-nonrepudiation" - generate a single RSA key for nonRepudiation only.
(This will have non-repudiation set for keyUsage.)</li>
<li>
"rsa-sign-nonrepudiation" - generate a single RSA key use for both signing
and nonRepudiation. (This will have both digitalSignature and nonRepudiation
set for keyUsage.)</li>
<li>
"dsa-sign" - generate a single DSA key for signing only. (This will have
digitalSignature set for keyUsage.)</li>
<li>
"dsa-nonrepudiation" - generate a single DSA key for nonRepudiation. (This
will have nonRepudiation set for keyUsage.)</li>
<li>
"dsa-sign-nonrepudiation" - generate a single DSA key for signing and non-repudiation.
(This will have digitalSignature and nonRepudiation set for keyUsage.)</li>
</ul>
</td>
</tr>
</table>
<p>The <b>generateCRMFRequest()</b> method will cause the user to be presented
with a key generation dialog. The dialog describes the key generation process
and gives the user the opportunity to cancel the operation.
<p>The method <b>generateCRMFRequest() </b>will return an instance of a
CRMF object. The JavaScript passed in as the <i><tt>"CRMF Generation Done
Code"</tt></i> parameter should look at the attribute <i>request </i>of
the returned object to get the result of the CRMF generation.
<p>The string found by accessing <i><tt>crmfObject.request</tt></i> is
the base-64 encoded CRMF message to be sent to the CA/RA, or an error string.
The possible error strings are:
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER><b>Error String</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td>"error:invalidParameter:XXX"</td>
<td>The parameter XXX was an invalid value.</td>
</tr>
<tr>
<td>"error:userCancel"</td>
<td>the user has canceled the key generation operation</td>
</tr>
<tr>
<td>"error:internalError"</td>
<td>the software encountered some internal error, such as out of memory</td>
</tr>
</table>
<h4>
<font face="Arial,Helvetica">importUserCertificates()</font></h4>
<tt><i>resultString</i> = crypto.importUserCertificates(<i>"nicknameString"</i>,
<i>"certString"</i>,
<i>allowBackup</i>)</tt>
<br>&nbsp;
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER><b>Argument</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>"nicknameString"</tt></i></td>
<td>This is the nickname that will be used to describe the certificate
in the client's certificate management UI.&nbsp; It should serve to uniquely
identify the certificate to the user. For example, "John Smith's VeriSign
Class 3 Digital ID" or "John Smith's Ford ID Certificate". However, if
this certificate has the same DN as one or more certificates that already
exist in the user's certificate store, the nickname associated with the
certificate(s) of the same DN in the certificate store is used, and the
<tt>"nicknameString"</tt> parameter is ignored. If the string is null and
no certificate with the same DN exists in the user's certificate store,
Personal Security Manager uses the following pattern to derive the nickname:
<tt>&lt;Common Name>'s &lt;Issuer Name> ID</tt>.</td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>"certRepString"</tt></i></td>
<td>This string is the CMMF Certification Response from the CA that contains
the user's certificate(s). The response is base-64 encoded.</td>
</tr>
<tr>
<td><i><tt>allowBackup</tt></i></td>
<td>This is a Boolean argument. It allows the CA or RA to indicate to the
client whether to force the user to back up a newly issued certificate
(PKCS #12).</td>
</tr>
</table>
<p>The <b>importUserCertificates()</b> method is used to import newly issued
certificates for the user. The private key for the certificates must already
reside in the user's personal private key database.
<p>The request ID in the response being imported must match the request
ID in the associated Certification Request or Recovery Request.
<p>If the import operation succeeds, an empty string will be returned.&nbsp;
If it fails, one of the following error strings will be returned:
<br>&nbsp;
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER><b>Error String</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td>"error:userCancel"</td>
<td>The user canceled the import operation</td>
</tr>
<tr>
<td>"error:invalidCertificate"</td>
<td>One of the certificate packages was incorrectly formatted</td>
</tr>
<tr>
<td>"error:internalError"</td>
<td>The software encountered some internal error, such as out of memory</td>
</tr>
<tr>
<td>"error:invalidRequestID"</td>
<td>The request ID in the response message does not match any outstanding
request</td>
</tr>
</table>
<h4>
<font face="Arial,Helvetica">popChallengeResponse()</font></h4>
<tt><i>resultString</i> = crypto.popChallengeResponse(<i>"challengeString"</i>);</tt>
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER VALIGN=TOP><b>Argument</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td VALIGN=TOP><i><tt>"challengeString"</tt></i></td>
<td>A base-64 encoded CMMF POPODecKeyChallContent message. The current
implementation does not conform to that defined in the CMMF draft, and
we intend to change this implementation to that defined in the CMC RFC..
See below for the current implementation.</td>
</tr>
</table>
<p>The resultString will either be a base-64 encoded POPODecKeyRespContent
message, or one of the following error strings:
<br>&nbsp;
<br>&nbsp;
<table BORDER WIDTH="100%" >
<tr>
<td ALIGN=CENTER><b>Error String</b></td>
<td ALIGN=CENTER><b>Description</b></td>
</tr>
<tr>
<td>"error:invalidParameter:XXX"</td>
<td>The parameter XXX was an invalid value.</td>
</tr>
<tr>
<td>"error:internalError"</td>
<td>the software encountered some internal error, such as out of memory</td>
</tr>
</table>
<p><b>Challenge-Response Proof Of Possession</b>
<p><tt>Expected Input:</tt>
<p><tt>POPODecKeyChallContent ::= SEQUENCE OF Challenge</tt>
<br><tt>&nbsp;&nbsp;&nbsp; -- One Challenge per encryption key certification
request (in the</tt>
<br><tt>&nbsp;&nbsp;&nbsp; -- same order as these requests appear in FullCertTemplates).</tt>
<p><tt>Challenge ::= SEQUENCE {</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; owf&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
AlgorithmIdentifier&nbsp; OPTIONAL,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- MUST be present in the first
Challenge; MAY be omitted in any</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- subsequent Challenge in POPODecKeyChallContent
(if omitted,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- then the owf used in the immediately
preceding Challenge is</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- to be used).</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; witness&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
OCTET STRING,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the result of applying the one-way
function (owf) to a</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- randomly-generated INTEGER, A.&nbsp;
[Note that a different</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- INTEGER MUST be used for each
Challenge.]</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sender&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
GeneralName,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the name of the sender.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; key&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
OCTET STRING,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the public key used to encrypt
the challenge.&nbsp; This will allow</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the client to find the appropriate
key to do the decryption.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; challenge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
OCTET STRING</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the encryption (under the public
key for which the cert.</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- request is being made) of Rand,
where Rand is specified as</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp; Rand ::= SEQUENCE
{</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTEGER,</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
- the randomly-generated INTEGER A (above)</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
senderHash&nbsp; OCTET STRING</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
- the result of applying the one-way function (owf) to</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
- the sender's general name</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --&nbsp;&nbsp; }</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- the size of "int" must be small
enough such that "Rand" can be</tt>
<br><tt>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- contained within a single PKCS
#1 encryption block.</tt>
<br><tt>&nbsp; }</tt>
<p>&copy; Copyright 1999 Netscape Communications Corporation
</body>
</html>
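Review bot: the commit message does not say what replaces this document, and the popChallengeResponse() section here is the only place shown that records that "the current implementation does not conform to that defined in the CMMF draft", with the ASN.1 under "Challenge-Response Proof Of Possession" describing what is actually implemented. If any remaining code still exposes crypto.generateCRMFRequest(), crypto.importUserCertificates() or crypto.popChallengeResponse(), deleting this file removes the specification of their argument lists, their error strings and the non-standard challenge format. State in the commit message where the replacement documentation lives, or keep this file until it exists. The same goes for the key-size table, which is the record of the 512-bit RSA and DH sizes offered in the Export version.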


@ -1,171 +0,0 @@
<html><head>
<title></title>
</HEAD>
<FONT FACE="arial, helvetica, sans-serif" size="-1">
<a name="TOP">
<IMG SRC="cartbanner.gif" WIDTH="432" HEIGHT="36" HSPACE="0" VSPACE="0">
<table bgcolor="#cccccc" width="100%">
<tr><td><IMG SRC="w.gif" WIDTH=1 HEIGHT=3 BORDER=0></td></tr>
</table>
<BR><BR>
<TABLE CELLPADDING=5 CELLSPACING=2 border=0>
<TR>
<TD> <a href="help.htm">Next<IMG SRC="next.gif" WIDTH=16
HEIGHT=14 ALIGN="texttop" BORDER=0></a></FONT></TD>
<TD BGCOLOR="#FFFFFF"><a href="contents.htm">Topics</a></FONT></TD>
</TR>
</TABLE>
</TD></TR>
</TABLE>
<BR> <BR>
</a>
</DIV>
</P>
<h1>Contents</h1>
<B><a href="help.htm#1024926">
</B> </A> <p>
<p><b>
<a href="help.htm#1057187">
Introduction to Personal Security Manager
</a></b><br><DD>
<a href="help.htm#1044573">
About Personal Security Manager Help
</a><br><DD>
<a href="help.htm#1043598">
What You Can Do with Personal Security Manager
</a><br><DD>
<a href="help.htm#1026014">
Understanding Network Security
</a><br>
<p><b>
<a href="help.htm#1045279">
Information Tab
</a></b><br><DD>
<a href="help.htm#1041627">
Information About Web Pages
</a><br><DD>
<a href="help.htm#1046060">
Information About Stored Email Messages
</a><br><DD>
<a href="help.htm#1046671">
Information About Email Messages You Are Composing
</a><br>
<p><b>
<a href="help.htm#1030083">
Applications Tab
</a></b><br><DD>
<a href="help.htm#1030967">
Navigator
</a><br><DD>
<a href="help.htm#1031452">
Messenger
</a><br><DD>
<a href="help.htm#1031152">
Java/JavaScript
</a><br>
<p><b>
<a href="help.htm#1030743">
Certificates Tab
</a></b><br><DD>
<a href="help.htm#1047547">
Certificates&#151;Mine
</a><br><DD>
<a href="help.htm#1031428">
Certificates&#151;Others
</a><br><DD>
<a href="help.htm#1031432">
Certificates&#151;Web Sites
</a><br><DD>
<a href="help.htm#1031434">
Certificates&#151;Authorities
</a><br>
<p><b>
<a href="help.htm#1036138">
Advanced Tab
</a></b><br><DD>
<a href="help.htm#1036162">
Modules
</a><br><DD>
<a href="help.htm#1036164">
Options
</a><br>
<p><b>
<a href="help.htm#1056728">
Other Personal Security Manager Windows
</a></b><br><DD>
<a href="help.htm#1055385">
Certificate Information
</a><br><DD>
<a href="help.htm#1035650">
Choose Security Device
</a><br><DD>
<a href="help.htm#1041171">
Enrollment Information
</a><br><DD>
<a href="help.htm#1055232">
Certificate Renewal
</a><br><DD>
<a href="help.htm#1041200">
Choosing a Certificate
</a><br><DD>
<a href="help.htm#1036401">
New Certificate Authority
</a><br><DD>
<a href="help.htm#1041248">
Web Site Certificates
</a><br><DD>
<a href="help.htm#1036488">
Request for Signature
</a><br><FONT FACE="sans-Serif" SIZE=+1>&nbsp;<BR>
<a href="glossary.htm#996904">
Glossary
</a>
</A> </FONT>
<BR><BR><BR>
&copy; Copyright 2000 Netscape Communications Corporation
</FONT> </CENTER>
<BR>
</BODY>
</HTML>
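Review bot: this contents page links to help.htm and glossary.htm and loads cartbanner.gif, w.gif and next.gif, so the removal is only clean if every one of those targets goes in the same commit and nothing else still opens contents.htm as the help entry point. The page lists 13 changed files, four of them binary; confirm that set covers all the files referenced here, and name the removed help set in the commit message so the scope can be reviewed without reading every hunk.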


@ -1,417 +0,0 @@
<html><head>
<title></title>
<script languag=javascript>
<!--
if (typeof(crypto.disableRightClick) == "function") {
crypto.disableRightClick();
}
// -->
</script>
</HEAD>
<FONT FACE="arial, helvetica, sans-serif" size="-1">
<a name="TOP">
<IMG SRC="cartbanner.gif" WIDTH="432" HEIGHT="36" HSPACE="0" VSPACE="0">
<table bgcolor="#cccccc" width="100%">
<tr><td><IMG SRC="w.gif" WIDTH=1 HEIGHT=3 BORDER=0></td></tr>
</table>
<BR><BR>
<TABLE CELLPADDING=5 CELLSPACING=2 border=0>
<TR><TD BGCOLOR="#FFFFFF"><a href="help.htm"><IMG SRC="prev.gif" WIDTH=16
HEIGHT=14 ALIGN="texttop" BORDER=0>Previous</a>
</TD>
<TD BGCOLOR="#FFFFFF"><a href="contents.htm">Topics</a></TD>
</TR>
</TABLE>
<BR> <BR>
</a>
</DIV>
</P>
<h1><A NAME="
"></A><A NAME="996904">
Glossary
</A></h1><dl>
<A NAME="authentication"></A><A NAME="998782">
<B>authentication.</B>&nbsp;
</A><A NAME="1013907">
Assurance that a party to a computerized transaction is not an impostor. Authentication typically involves the use of a password, certificate, personal identification number (PIN), or other information that can be used to validate identity over a computer network. See also <a href="glossary.htm#1014123">password-based authentication</a>, <a href="glossary.htm#1018581">certificate-based authentication</a>, <a href="glossary.htm#1021054">client authentication</a>, <a href="glossary.htm#1031070">server authentication</a>.<P>
</A>
<A NAME="CA"></A><A NAME="1021395">
<B>CA.</B>&nbsp;
</A><A NAME="1021418">
See <a href="glossary.htm#1020903"></a><a href="glossary.htm#1020903">certificate authority (CA)</a>.<P>
</A>
<A NAME="CA certificate"></A><A NAME="1017503">
<B>CA certificate.</B>&nbsp;
</A><A NAME="1017507">
A certificate that identifies a certificate authority. See also <a href="glossary.htm#1020903">certificate authority (CA)</a>, <a href="glossary.htm#999541">subordinate CA</a>, <a href="glossary.htm#1015631">root CA</a>.<P>
</A>
<A NAME="certificate"></A><A NAME="1018895">
<B>certificate.</B>&nbsp;
</A><A NAME="1018896">
The digital equivalent of an ID card. A certificate specifies the name of an individual, company, or other entity and certifies that a public key, which is included in the certificate, belongs to that entity. When you digitally sign a message or other data, the digital signature for that message is created with the aid of the private key that corresponds to the public key in your certificate. A certificate is issued and digitally signed by a <a href="glossary.htm#1020903">certificate authority (CA)</a>. A certificate's validity can be verified by checking the CA's <a href="glossary.htm#1013995">digital signature</a>. Also called digital ID, digital passport, public-key certificate X.509 certificate, and security certificate. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
</A>
<A NAME="certificate authority (CA)"></A><A NAME="1020903">
<B>certificate authority (CA).</B>&nbsp;
</A><A NAME="1020904">
A service that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify. A CA also renews and revokes certificates and generates a list of revoked certificates at regular intervals. CAs can be independent vendors (such as the CAs listed at <a href= "https://certs.netscape.com/client.html" TARGET="_blank">Certificate Authority Services</a>) or a person or organization using certificate-issuing server software (such as Netscape Certificate Management System). See also <a href="glossary.htm#1018895">certificate</a>, <a href="glossary.htm#1019940">certificate revocation list (CRL)</a>.<P>
</A>
<A NAME="certificate-based authentication"></A><A NAME="1018581">
<B>certificate-based authentication.</B>&nbsp;
</A><A NAME="1018582">
Verification of identity based on certificates and public-key cryptography. See also <a href="glossary.htm#1014123">password-based authentication</a>.<P>
</A>
<A NAME="certificate chain"></A><A NAME="1018500">
<B>certificate chain.</B>&nbsp;
</A><A NAME="1019929">
A hierarchical series of certificates signed by successive certificate authorities. A CA certificate identifies a <a href="glossary.htm#1020903">certificate authority (CA)</a> and is used to sign certificates issued by that authority. A CA certificate can in turn be signed by the CA certificate of a parent CA and so on up to a <a href="glossary.htm#1015631">root CA</a>. <P>
</A>
<A NAME="certificate fingerprint"></A><A NAME="1020297">
<B>certificate fingerprint.</B>&nbsp;
</A><A NAME="1020326">
A unique number associated with a certificate. The number is not part of the certificate itself but is produced by applying a mathematical function to the contents of the certificate. If the contents of the certificate change, even by a single character, the function produces a different number. Certificate fingerprints can therefore be used to verify that certificates have not been tampered with.<P>
</A>
<A NAME="certificate renewal"></A><A NAME="1031319">
<B>certificate renewal.</B>&nbsp;
</A><A NAME="1031323">
The process of renewing a <a href="glossary.htm#1018895">certificate</a> that is about to expire.<P>
</A>
<A NAME="certificate revocation list (CRL)"></A><A NAME="1019940">
<B>certificate revocation list (CRL).</B>&nbsp;
</A><A NAME="1021047">
A list of revoked certificates that is generated and signed by a <a href="glossary.htm#1020903">certificate authority (CA)</a>. You can download the latest CRL to your browser or to a server, then check against it to make sure that certificates are still valid before permitting their use for authentication. <P>
</A>
<A NAME="certificate store"></A><A NAME="1023462">
<B>certificate store.</B>&nbsp;
</A><A NAME="1032978">
The collection of certificates, or electronic IDs, maintained by Personal Security Manager on your behalf. These include your own certificates stored on one or more security devices, other people's certificates, web site certificates, and <a href="glossary.htm#1020903"></a>CA certificates. See also <a href="glossary.htm#1020903">certificate authority (CA)</a>, <a href="glossary.htm#1018895">certificate</a>, <a href="glossary.htm#1028962">security device</a>.<P>
</A>
<A NAME="certificate verification"></A><A NAME="1025527">
<B>certificate verification.</B>&nbsp;
</A><A NAME="1025531">
When Personal Security Manager verifies a certificate, it confirms that the digital signature was created by a CA whose own CA certificate is both present in the certificate store and marked as trusted for issuing that kind of certificate. It also confirms that the certificate being verified has not been marked as untrusted in the certificate store. Finally, if the <a href="glossary.htm#1029304">Online Certificate Status Protocol (OCSP)</a> has been activated (from the Options panel under the Advanced tab), Personal Security Manager also performs an on-line check. It does so by looking up the certificate in a list of valid certificates maintained at a URL that is specified either in the certificate itself or in the OCSP Settings window. If any of these checks fail, Personal Security Manager marks the certificate as unverified and won't recognize the identity it certifies.<P>
</A>
<A NAME="cipher"></A><A NAME="1021048">
<B>cipher.</B>&nbsp;
</A><A NAME="1021052">
See <a href="glossary.htm#1019976">cryptographic algorithm</a>.<P>
</A>
<A NAME="client"></A><A NAME="1029510">
<B>client.</B>&nbsp;
</A><A NAME="1029547">
Software (such as browser software) that sends requests to and receives information from a <a href="glossary.htm#1029749">server</a>, which is usually running on a different computer. A computer on which client software runs is also described as a client.<P>
</A>
<A NAME="client authentication"></A><A NAME="1021054">
<B>client authentication.</B>&nbsp;
</A><A NAME="1014557">
The process of identifying a <a href="glossary.htm#1029510">client</a> to a <a href="glossary.htm#1029749">server</a>, for example with a name and password or with a <a href="glossary.htm#1014561">client SSL certificate</a> and some digitally signed data. See also <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>, <a href="glossary.htm#1031070">server authentication</a>.<P>
</A>
<A NAME="client SSL certificate"></A><A NAME="1014561">
<B>client SSL certificate.</B>&nbsp;
</A><A NAME="1014562">
A certificate that a <a href="glossary.htm#1029510">client</a> (for example, browser software such as Netscape Communicator) presents to a <a href="glossary.htm#1029749">server</a> to authenticate the identity of the client (or the identity of the person using the client) using the <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a> protocol. See also <a href="glossary.htm#1021054">client authentication</a>.<P>
</A>
<A NAME="cryptographic algorithm"></A><A NAME="1019976">
<B>cryptographic algorithm.</B>&nbsp;
</A><A NAME="1019985">
A set of rules or directions used to perform cryptographic operations such as <a href="glossary.htm#999078">encryption</a> and <a href="glossary.htm#998999">decryption</a>. Sometimes called a <I>cipher.</I><P>
</A>
<A NAME="cryptography"></A><A NAME="1026002">
<B>cryptography.</B>&nbsp;
</A><A NAME="1026018">
The art and practice of scrambling (encrypting) and unscrambling (decrypting) information. For example, cryptographic techniques are used to scramble an unscramble information flowing between commercial web sites and your browser. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
</A>
<A NAME="decryption"></A><A NAME="998999">
<B>decryption.</B>&nbsp;
</A><A NAME="999005">
The process of unscrambling data that has been encrypted. See also <a href="glossary.htm#999078">encryption</a>.<P>
</A>
<A NAME="digital ID"></A><A NAME="999011">
<B>digital ID.</B>&nbsp;
</A><A NAME="999017">
See <a href="glossary.htm#1018895">certificate</a>.<P>
</A>
<A NAME="digital signature"></A><A NAME="1013995">
<B>digital signature.</B>&nbsp;
</A><A NAME="1013996">
A code created from both the data to be signed and the private key of the signer. This code is unique for each new piece of data. Even a single comma added to a message changes the digital signature for that message. Successful validation of your digital signature by appropriate software not only provides evidence that you approved the transaction or message, but also provides evidence that the data has not changed since you digitally signed it. A digital signature has nothing to do with a handwritten signature, although it can sometimes be used for similar legal purposes. See also <a href="glossary.htm#999248">nonrepudiation</a>, <a href="glossary.htm#999618">tamper detection</a>.<P>
</A>
<A NAME="distinguished name (DN)"></A><A NAME="1022191">
<B>distinguished name (DN).</B>&nbsp;
</A><A NAME="1022194">
A specially formatted name that uniquely identifies the subject of a certificate.<P>
</A>
<A NAME="dual key pairs"></A><A NAME="1020489">
<B>dual key pairs.</B>&nbsp;
</A><A NAME="1020619">
Two public-private key pairs--four keys altogether--corresponding to two separate certificates. The private key of one pair is used for signing operations, and the public and private keys of the other pair are used for encryption and decryption operations. Each pair corresponds to a separate <a href="glossary.htm#1018895">certificate</a>. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
</A>
<A NAME="eavesdropping"></A><A NAME="1020620">
<B>eavesdropping.</B>&nbsp;
</A><A NAME="1013975">
Surreptitious interception of information sent over a network by an entity for which the information is not intended.<P>
</A>
<A NAME="encryption"></A><A NAME="999078">
<B>encryption.</B>&nbsp;
</A><A NAME="1024038">
The process of scrambling information in a way that disguises its meaning. For example, encrypted connections between computers make it very difficult for third-parties to unscramble, or <I>decrypt,</I> information flowing over the connection. Encrypted information can be decrypted only by someone who possesses the appropriate key. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
</A>
<A NAME="encryption certificate"></A><A NAME="1024953">
<B>encryption certificate.</B>&nbsp;
</A><A NAME="1024978">
A certificate whose public key corresponds to a private key used for encryption only. Encryption certificates are not used for signing operations. See also <a href="glossary.htm#1020489">dual key pairs</a>, <a href="glossary.htm#999493">signing certificate</a>.<P>
</A>
<A NAME="encryption key"></A><A NAME="1021254">
<B>encryption key.</B>&nbsp;
</A><A NAME="1021255">
A private key used for encryption only. An encryption key and its equivalent public key, plus a <a href="glossary.htm#1021282">signing key</a> and its equivalent public key, constitute a <a href="glossary.htm#1020489">dual key pairs</a>.<P>
</A>
<A NAME="fingerprint"></A><A NAME="1020434">
<B>fingerprint.</B>&nbsp;
</A><A NAME="1020450">
See <a href="glossary.htm#1020297">certificate fingerprint</a>.<P>
</A>
<A NAME="FIPS PUBS 140-1"></A><A NAME="1025742">
<B>FIPS PUBS 140-1.</B>&nbsp;
</A><A NAME="1025743">
Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a US government standard for implementations of cryptographic modules--that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the US government must comply with one or more of the FIPS standards.<P>
</A>
<A NAME="key"></A><A NAME="999203">
<B>key.</B>&nbsp;
</A><A NAME="999212">
A large number used by a <a href="glossary.htm#1019976">cryptographic algorithm</a> to encrypt or decrypt data. A person's public key, for example, allows other people to encrypt messages to that person. The encrypted messages must be decrypted with the corresponding private key. See also <a href="glossary.htm#1019178">public-key cryptography</a>.<P>
</A>
<A NAME="Lightweight Directory Access Protocol (LDAP)"></A><A NAME="1022286">
<B>Lightweight Directory Access Protocol (LDAP).</B>&nbsp;
</A><A NAME="1022287">
A protocol for accessing directory services across multiple platforms. LDAP is a simplified version of Directory Access Protocol (DAP), used to access X.500 directories. <P>
</A>
<A NAME="master key"></A><A NAME="1032598">
<B>master key.</B>&nbsp;
</A><A NAME="1032639">
A symmetric key used by Personal Security Manager to encrypt information on behalf of other applications. For example, Netscape 6 uses Personal Security Manager and your master key to encrypt email passwords, web site passwords, and other stored sensitive information. See also <a href="glossary.htm#999604">symmetric encryption</a>.<P>
</A>
<A NAME="misrepresentation"></A><A NAME="1014057">
<B>misrepresentation.</B>&nbsp;
</A><A NAME="1014058">
Presentation of an entity as a person or organization that it is not. For example, a web site might pretend to be a furniture store when it is really just a site that takes credit card payments but never sends any goods. See also <a href="glossary.htm#1014366">spoofing</a>.<P>
</A>
<A NAME="Netscape Certificate Management System"></A><A NAME="1018306">
<B>Netscape Certificate Management System.</B>&nbsp;
</A><A NAME="1018308">
A highly configurable set of software components and tools for creating, deploying, and managing certificates. You enroll with the system to obtain certificates of all kinds; the system maintains information about the certificates it issues.<P>
</A>
<A NAME="nonrepudiation"></A><A NAME="999248">
<B>nonrepudiation.</B>&nbsp;
</A><A NAME="999254">
The inability, of the sender of a message, to deny having sent the message. A regular hand-written signature provides one form of nonrepudiation. A <a href="glossary.htm#1013995">digital signature</a> provides another.<P>
</A>
<A NAME="object signing"></A><A NAME="1014095">
<B>object signing.</B>&nbsp;
</A><A NAME="1014096">
A technology that allows software developers to sign Java code, JavaScript scripts, or any kind of file, and that allows users to identify the signers and control access by signed code to local system resources.<P>
</A>
<A NAME="object-signing certificate"></A><A NAME="1014097">
<B>object-signing certificate.</B>&nbsp;
</A><A NAME="1014098">
A certificate whose corresponding private key is used to sign objects such as code files. See also <a href="glossary.htm#1014095">object signing</a>.<P>
</A>
<A NAME="Online Certificate Status Protocol (OCSP)"></A><A NAME="1029304">
<B>Online Certificate Status Protocol (OCSP).</B>&nbsp;
</A><A NAME="1029312">
A set of rules that Personal Security Manager follows to perform an online check of an email certificate's validity each time the certificate is used. This process involves checking the certificate against a list of valid certificates maintained at a specified web site. Your computer must be online for OCSP to work.<P>
</A>
<A NAME="password-based authentication"></A><A NAME="1014123">
<B>password-based authentication.</B>&nbsp;
</A><A NAME="1014124">
Confident identification by means of a name and password. See also <a href="glossary.htm#998782">authentication</a>.<P>
</A>
<A NAME="Personal Security Password"></A><A NAME="1032744">
<B>Personal Security Password.</B>&nbsp;
</A><A NAME="1032748">
A password used by Personal Security Manager to protect the master key and/or private keys stored on a <a href="glossary.htm#1028962">security device</a>. Personal Security Manager needs to access your private keys, for example, when you sign email messages or use one of your own certificates to identify yourself to a web site. It needs to access your master key when it encrypts or decrypts information on behalf of another application&#151;for example, when Netscape 6 needs to store or access your email password. You can set or change your personal security password from the Certificates tab in Personal Security Manager. Each security device requires a separate Personal Security Password. See also <a href="glossary.htm#1015387">private key</a>, <a href="glossary.htm#1032598">master key</a>.<P>
</A>
<A NAME="PKCS #11"></A><A NAME="1025194">
<B>PKCS #11.</B>&nbsp;
</A><A NAME="1025195">
The public-key cryptography standard that governs security devices such as smart cards. See also <a href="glossary.htm#1028962">security device</a>, <a href="glossary.htm#1027625">smart card</a>.<P>
</A>
<A NAME="PKCS #11 module"></A><A NAME="1025197">
<B>PKCS #11 module.</B>&nbsp;
</A><A NAME="1025271">
A program on your computer that manages cryptographic services such as encryption and decryption using the PKCS #11 standard. PKCS #11 modules (also called <I>cryptographic modules</I>, <I>cryptographic service providers,</I> or <I>security modules</I>) can be thought of as drivers for cryptographic devices that can be implemented in either hardware or software. A PKCS #11 module always controls one or more slots<B>,</B> which may be implemented as physical hardware slots in some form of physical reader (for example, for smart cards) or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a <a href="glossary.htm#1028962">security device</a> (also called <I>token</I>)<B>,</B> which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys. Personal Security Manager provides a built-in PKCS #11 module. You may install additional modules on your computer to control smart card readers or other hardware devices.<P>
</A>
<A NAME="portable security password"></A><A NAME="1024655">
<B>portable security password.</B>&nbsp;
</A><A NAME="1024670">
A password that protects a certificate that you are backing up or have previously backed up. Personal Security Manager asks you to set this password when you back up a certificate, and requests it when you attempt to restore a certificate that has previously been backed up. <P>
</A>
<A NAME="private key"></A><A NAME="1015387">
<B>private key.</B>&nbsp;
</A><A NAME="1015391">
One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key.<P>
</A>
<A NAME="PSM Private Keys security device"></A><A NAME="1032045">
<B>PSM Private Keys security device.</B>&nbsp;
</A><A NAME="1032110">
The default <a href="glossary.htm#1028962">security device</a> used by Personal Security Manager to store private keys associated with your certificates. In addition to private keys, the PSM Private Keys security device stores the master key used by Netscape 6 to encrypt email passwords, web site passwords, and other sensitive information. See also <a href="glossary.htm#1015387">private key</a>, <a href="glossary.htm#1032598">master key</a>.<P>
</A>
<A NAME="public key"></A><A NAME="1019172">
<B>public key.</B>&nbsp;
</A><A NAME="1019173">
One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a <a href="glossary.htm#1018895">certificate</a>. It is typically used to encrypt data sent to the public key's owner, who then decrypts the data with the corresponding private key.<P>
</A>
<A NAME="public-key cryptography"></A><A NAME="1019178">
<B>public-key cryptography.</B>&nbsp;
</A><A NAME="1023765">
A set of well-established techniques and standards that allow an entity (such as a person, an organization, or hardware such as a router) to verify its identity electronically or to sign and encrypt electronic data. Two keys are involved: a <a href="glossary.htm#1019172">public key</a> and a <a href="glossary.htm#1015387">private key</a>. The public key is published as part of a <a href="glossary.htm#1018895">certificate</a>, which associates that key with a particular identity. The corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key. <P>
</A>
<A NAME="public-key infrastructure (PKI)"></A><A NAME="999412">
<B>public-key infrastructure (PKI).</B>&nbsp;
</A><A NAME="1014263">
The standards and services that facilitate the use of public-key cryptography and certificates in a networked environment.<P>
</A>
<A NAME="root CA"></A><A NAME="1015631">
<B>root CA.</B>&nbsp;
</A><A NAME="1015635">
The <a href="glossary.htm#1020903">certificate authority (CA)</a> with a self-signed certificate at the top of a <a href="glossary.htm#1018500">certificate chain</a>. See also <a href="glossary.htm#999541">subordinate CA</a>.<P>
</A>
<A NAME="Secure Sockets Layer (SSL)"></A><A NAME="999463">
<B>Secure Sockets Layer (SSL).</B>&nbsp;
</A><A NAME="999472">
A protocol that allows mutual authentication between a <a href="glossary.htm#1029510">client</a> and a <a href="glossary.htm#1029749">server</a> for the purpose of establishing an authenticated and encrypted connection. SSL runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL. See also <a href="glossary.htm#998782">authentication</a>, <a href="glossary.htm#999078">encryption</a>.<P>
</A>
<A NAME="security certificate"></A><A NAME="1028900">
<B>security certificate.</B>&nbsp;
</A><A NAME="1028904">
See <a href="glossary.htm#1018895">certificate</a>.<P>
</A>
<A NAME="security device"></A><A NAME="1028962">
<B>security device.</B>&nbsp;
</A><A NAME="1028963">
A hardware or software device that provides cryptographic services such as encryption and decryption and can store certificates and keys. A smart card is one example of a hardware security device. Personal Security Manager contains its own internal security device, called the <a href="glossary.htm#1032045">PSM Private Keys security device</a>, that is implemented in software. Each security device is protected by its own <a href="glossary.htm#1032744">Personal Security Password</a>.<P>
</A>
<A NAME="security module"></A><A NAME="1029083">
<B>security module.</B>&nbsp;
</A><A NAME="1029097">
See <a href="glossary.htm#1025197">PKCS #11 module</a>.<P>
</A>
<A NAME="security token"></A><A NAME="1028905">
<B>security token.</B>&nbsp;
</A><A NAME="1028909">
See <a href="glossary.htm#1028962">security device</a>.<P>
</A>
<A NAME="server"></A><A NAME="1029749">
<B>server.</B>&nbsp;
</A><A NAME="1029869">
Software (such as software that serves up web pages) that receives requests from and sends information to a <a href="glossary.htm#1029510">client</a>, which is usually running on a different computer. A computer on which server software runs is also described as a server.<P>
</A>
<A NAME="server authentication"></A><A NAME="1031070">
<B>server authentication.</B>&nbsp;
</A><A NAME="1031080">
The process of identifying a <a href="glossary.htm#1029749">server</a> to a <a href="glossary.htm#1029510">client</a> by using a <a href="glossary.htm#1029874">server SSL certificate</a>. See also <a href="glossary.htm#1021054">client authentication</a>, <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>.<P>
</A>
<A NAME="server SSL certificate"></A><A NAME="1029874">
<B>server SSL certificate.</B>&nbsp;
</A><A NAME="999500">
A certificate that a <a href="glossary.htm#1029749">server</a> presents to a <a href="glossary.htm#1029510">client</a> to authenticate the server's identity using the <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a> protocol.<P>
</A>
<A NAME="signing certificate"></A><A NAME="999493">
<B>signing certificate.</B>&nbsp;
</A><A NAME="999507">
A certificate whose corresponding <a href="glossary.htm#1015387">private key</a> is used to sign transmitted data, so that the receiver can verify the identity of the sender. Certificate authorities (CAs) often issue a signing certificate that will be used to sign email messages at the same time as an <a href="glossary.htm#1024953">encryption certificate</a> that will be used to encrypt email messages. See also <a href="glossary.htm#1020489">dual key pairs</a>, <a href="glossary.htm#1013995">digital signature</a>.<P>
</A>
<A NAME="signing key"></A><A NAME="1021282">
<B>signing key.</B>&nbsp;
</A><A NAME="1021283">
A private key used for signing only. A signing key and its equivalent public key, together with an <a href="glossary.htm#1021254">encryption key</a> and its equivalent public key, constitute <a href="glossary.htm#1020489">dual key pairs</a>.<P>
</A>
<A NAME="slot"></A><A NAME="1025218">
<B>slot.</B>&nbsp;
</A><A NAME="1025222">
A piece of hardware, or its equivalent in software, that is controlled by a <a href="glossary.htm#1025197">PKCS #11 module</a> and designed to contain a <a href="glossary.htm#1028962">security device</a>. <P>
</A>
<A NAME="smart card"></A><A NAME="1027625">
<B>smart card.</B>&nbsp;
</A><A NAME="1027626">
A small device, typically about the size of a credit card, that contains a microprocessor and is capable of storing cryptographic information (such as keys and certificates) and performing cryptographic operations. Smart cards use the <a href="glossary.htm#1025194">PKCS #11</a> standard. A smart card is one kind of <a href="glossary.htm#1028962">security device</a>. <P>
</A>
<A NAME="spoofing"></A><A NAME="1014366">
<B>spoofing.</B>&nbsp;
</A><A NAME="1014367">
Pretending to be someone else. For example, a person can pretend to have the email address <FONT FACE="courier, courier new, monospace">jdoe@mozilla.com</FONT>, or a computer can identify itself as a site called <FONT FACE="courier, courier new, monospace">www.mozilla.com</FONT> when it is not. Spoofing is one form of <a href="glossary.htm#1014057">misrepresentation</a>.<P>
</A>
<A NAME="SSL"></A><A NAME="999533">
<B>SSL.</B>&nbsp;
</A><A NAME="999539">
See <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>. <P>
</A>
<A NAME="subject"></A><A NAME="1013880">
<B>subject.</B>&nbsp;
</A><A NAME="1013881">
The entity (such as a person, organization, or router) identified by a <a href="glossary.htm#1018895">certificate</a>. In particular, the subject field of a certificate contains the certified entity's <a href="glossary.htm#1021328">subject name</a> and other characteristics.<P>
</A>
<A NAME="subject name"></A><A NAME="1021328">
<B>subject name.</B>&nbsp;
</A><A NAME="1021338">
A <a href="glossary.htm#1022191">distinguished name (DN)</a> that uniquely describes the <a href="glossary.htm#1013880">subject</a> of a <a href="glossary.htm#1018895">certificate</a>.<P>
</A>
<A NAME="subordinate CA"></A><A NAME="999541">
<B>subordinate CA.</B>&nbsp;
</A><A NAME="999591">
A <a href="glossary.htm#1020903">certificate authority (CA)</a> whose certificate is signed by another subordinate CA or by the root CA. See also <a href="glossary.htm#1018500">certificate chain</a>, <a href="glossary.htm#1015631">root CA</a>.<P>
</A>
<A NAME="symmetric encryption"></A><A NAME="999604">
<B>symmetric encryption.</B>&nbsp;
</A><A NAME="999625">
An encryption method that uses a single cryptographic key to both encrypt and decrypt a given message.<P>
</A>
<A NAME="tamper detection"></A><A NAME="999618">
<B>tamper detection.</B>&nbsp;
</A><A NAME="999631">
A mechanism ensuring that data received in electronic form has not been tampered with; that is, that the data received corresponds entirely with the original version of the same data.<P>
</A>
<A NAME="TLS"></A><A NAME="1027427">
<B>TLS.</B>&nbsp;
</A><A NAME="1027428">
See <a href="glossary.htm#999463">Secure Sockets Layer (SSL)</a>.<P>
</A>
<A NAME="token"></A><A NAME="1024528">
<B>token.</B>&nbsp;
</A><A NAME="1024586">
See <a href="glossary.htm#1028962">security device</a>.<P>
</A>
<A NAME="trust"></A><A NAME="1019748">
<B>trust.</B>&nbsp;
</A><A NAME="1020186">
Confident reliance on a person or other entity. In the context of <a href="glossary.htm#999412">public-key infrastructure (PKI)</a>, trust usually refers to the relationship between the user of a certificate and the <a href="glossary.htm#1020903">certificate authority (CA)</a> that issued the certificate. If you use Personal Security Manager to specify that you trust a CA, Personal Security Manager trusts valid certificates issued by that CA unless you specify otherwise in the settings for individual certificates. You use the Authorities panel of the Certificates tab in Personal Security Manager to specify the kinds of certificates you trust or don't trust different CAs to issue. <P>
</A>
<A NAME="1028719">
<B></B><a href="glossary.htm#1028962"></a><P>
</A>
</dl>
<BR>
&copy; Copyright 2000 Netscape Communications Corporation
</FONT> </CENTER>
<BR>
</BODY>
</HTML>
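Review bot: deleting this glossary removes the named anchors that its entries use as link targets in the form glossary.htm#id (for example 1028962 for "security device" and 1020489 for "dual key pairs"), so please confirm that no help page kept in the tree still links to them. The visible hunk only shows links from the glossary to itself, so it cannot show whether inbound links from other pages are removed in the same change.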

File diff suppressed because it is too large


@ -1,343 +0,0 @@
NETSCAPE CLIENT PRODUCTS LICENSE AGREEMENT
Redistribution Or Rental Not Permitted
These terms apply to Personal Security Manager.
BY CLICKING THE ACCEPTANCE BUTTON OR INSTALLING OR
USING PERSONAL SECURITY MANAGER SOFTWARE (THE "PRODUCT"),
THE INDIVIDUAL OR ENTITY LICENSING THE PRODUCT
("LICENSEE") IS CONSENTING TO BE BOUND BY AND IS
BECOMING A PARTY TO THIS AGREEMENT. IF LICENSEE DOES
NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THE
BUTTON INDICATING NON-ACCEPTANCE MUST BE
SELECTED, AND LICENSEE MUST NOT INSTALL OR USE
THE SOFTWARE.
1. LICENSE AGREEMENT. As used in this Agreement, for
residents of Europe, the Middle East or Africa,
"Netscape" shall mean Netscape Communications Ireland
Limited; for residents of Japan, "Netscape" shall
mean Netscape Communications (Japan), Ltd.; for
residents of all other countries, "Netscape" shall
mean Netscape Communications Corporation. In this
Agreement "Licensor" shall mean Netscape except under
the following circumstances: (i) if Licensee acquired
the Product as a bundled component of a third party
product or service, then such third party shall be
Licensor; and (ii) if any third party software is
included as part of the default installation and no
license is presented for acceptance the first time
that third party software is invoked, then the use of
that third party software shall be governed by this
Agreement, but the term "Licensor," with respect to
such third party software, shall mean the
manufacturer of that software and not Netscape. With
the exception of the situation described in (ii)
above, the use of any included third party software
product shall be governed by the third party's
license agreement and not by this Agreement, whether
that license agreement is presented for acceptance
the first time that the third party software is
invoked, is included in a file in electronic form, or
is included in the package in printed form. If more
than one license agreement was provided for the
Product, and the terms vary, the order of precedence
of those license agreements is as follows: a signed
agreement, a license agreement available for review
on the Netscape website, a printed or electronic
agreement that states clearly that it supersedes
other agreements, a printed agreement provided with
the Product, an electronic agreement provided with
the Product.
2. LICENSE GRANT. Licensor grants Licensee a
non-exclusive and non-transferable license to
reproduce and use for personal or internal business
purposes the executable code version of the Product,
provided any copy must contain all of the original
proprietary notices. This license does not entitle
Licensee to receive from Netscape hard-copy
documentation, technical support, telephone
assistance, or enhancements or updates to the
Product. Licensee may not customize the Product
unless Licensee has also licensed the Netscape
Client Customization Kit ("CCK"), and then only to
the extent permitted in the license agreement for CCK,
as applicable. Licensee may not redistribute the
Product unless Licensee has separately entered into a
distribution agreement with Netscape such as the
Unlimited Distribution Program Agreement.
3. RESTRICTIONS. Except as otherwise expressly
permitted in this Agreement, or in another Netscape
agreement to which Licensee is a party such as the
CCK license agreement or a distribution agreement,
Licensee may not: (i) modify or create any derivative
works of the Product or documentation, including translation
or localization; (ii) decompile, disassemble, reverse engineer,
or otherwise attempt to derive the source code for the
Product (except to the extent applicable laws
specifically prohibit such restriction or as provided by the
Netscape Public License or Mozilla Public License
for portions of the product governed by those licenses);
(iii) redistribute, encumber, sell, rent, lease,
sublicense, or otherwise transfer rights to the
Product; (iv) remove or alter any trademark, logo,
copyright or other proprietary notices, legends,
symbols or labels in the Product; or (v) publish any
results of benchmark tests run on the Product to a
third party without Netscape's prior written
consent.
4. FEES. There is no license fee for the Product.
If Licensee wishes to receive the Product on media,
there may be a small charge for the media and for
shipping and handling. Licensee is responsible for
any and all taxes.
5. TERMINATION. Without prejudice to any other
rights, Licensor may terminate this Agreement if
Licensee breaches any of its terms and conditions.
Upon termination, Licensee shall destroy all copies
of the Product.
6. PROPRIETARY RIGHTS. Title, ownership rights, and
intellectual property rights in the Product shall
remain in Netscape and/or its suppliers. Licensee
acknowledges such ownership and intellectual property
rights and will not take any action to jeopardize,
limit or interfere in any manner with Netscape's or
its suppliers' ownership of or rights with respect to
the Product. The Product is protected by copyright
and other intellectual property laws and by
international treaties. Title and related rights in
the content accessed through the Product is the
property of the applicable content owner and is
protected by applicable law. The license granted
under this Agreement gives Licensee no rights to such
content.
7. USE AND AVAILABILITY OF OPEN SOURCE
CODE. Portions of Personal Security Manager were created using source
code governed by the Netscape Public License (NPL) and
the Mozilla Public License (MPL). The source code for
the portions of Personal Security Manager governed by the NPL and MPL
is available from http://www.mozilla.org under those licenses.
8. DISCLAIMER OF WARRANTY. THE PRODUCT IS PROVIDED
FREE OF CHARGE, AND, THEREFORE, ON AN "AS IS" BASIS,
WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT
LIMITATION THE WARRANTIES THAT IT IS FREE OF DEFECTS,
MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR
NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY
AND PERFORMANCE OF THE PRODUCT IS BORNE BY LICENSEE.
SHOULD THE PRODUCT PROVE DEFECTIVE IN ANY RESPECT,
LICENSEE AND NOT LICENSOR OR ITS SUPPLIERS OR
RESELLERS OR ANY CONTRIBUTORS TO THE SOURCE CODE
OF THE PORTIONS OF PERSONAL SECURITY MANAGER AVAILABLE FROM
HTTP://WWW.MOZILLA.ORG ASSUMES THE ENTIRE COST
OF ANY SERVICE AND REPAIR. IN ADDITION, THE SECURITY
MECHANISMS IMPLEMENTED BY THE PRODUCT HAVE
INHERENT LIMITATIONS, AND LICENSEE MUST DETERMINE
THAT THE PRODUCT SUFFICIENTLY MEETS ITS REQUIREMENTS.
THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL
PART OF THIS AGREEMENT. NO USE OF THE PRODUCT IS
AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
9. LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT
PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL
LICENSOR OR ITS SUPPLIERS OR RESELLERS OR ANY
CONTRIBUTORS TO THE SOURCE CODE OF THE PORTIONS OF
PERSONAL SECURITY MANAGER AVAILABLE FROM
HTTP://WWW.MOZILLA.ORG BE LIABLE FOR
ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF THE USE OF OR INABILITY TO USE
THE PRODUCT, INCLUDING, WITHOUT LIMITATION, DAMAGES
FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE
OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL
DAMAGES OR LOSSES, EVEN IF ADVISED OF THE POSSIBILITY
THEREOF, AND REGARDLESS OF THE LEGAL OR EQUITABLE
THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH THE
CLAIM IS BASED. IN ANY CASE, LICENSOR'S ENTIRE
LIABILITY UNDER ANY PROVISION OF THIS AGREEMENT SHALL
NOT EXCEED IN THE AGGREGATE THE SUM OF THE FEES
LICENSEE PAID FOR THIS LICENSE (IF ANY) AND FEES FOR
SUPPORT OF THE PRODUCT RECEIVED BY NETSCAPE UNDER A
SEPARATE SUPPORT AGREEMENT (IF ANY), WITH THE
EXCEPTION OF DEATH OR PERSONAL INJURY CAUSED BY THE
NEGLIGENCE OF LICENSOR TO THE EXTENT APPLICABLE LAW
PROHIBITS THE LIMITATION OF DAMAGES IN SUCH CASES.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO
THIS EXCLUSION AND LIMITATION MAY NOT BE APPLICABLE.
NETSCAPE IS NOT RESPONSIBLE FOR ANY LIABILITY ARISING
OUT OF CONTENT PROVIDED BY LICENSEE OR A THIRD PARTY
THAT IS ACCESSED THROUGH THE PRODUCT AND/OR ANY
MATERIAL LINKED THROUGH SUCH CONTENT.
10. ENCRYPTION. If Licensee wishes to use the
cryptographic features of the Product, then Licensee
may need to obtain and install a signed digital
certificate from a certificate authority or a
certificate server. Licensee may be charged
additional fees for certification services. Licensee
is responsible for maintaining the security of the
environment in which the Product is used and the
integrity of the private key file used with the
Product. In addition, the use of digital
certificates is subject to the terms specified by the
certificate provider, and there are inherent
limitations in the capabilities of digital
certificates. If Licensee is sending or receiving
digital certificates, Licensee is responsible for
familiarizing itself with and evaluating such terms
and limitations. If the Product is a version with
FORTEZZA, Licensee will need to obtain PC Card
Readers and FORTEZZA Crypto Cards from another vendor
to enable the FORTEZZA features.
11. EXPORT CONTROL. Licensee agrees to comply with
all export laws and restrictions and regulations of
the United States or foreign agencies or authorities,
and not to export or re-export the Product or any
direct product thereof in violation of any such
restrictions, laws or regulations, or without all
necessary approvals. As applicable, each party shall
obtain and bear all expenses relating to any
necessary licenses and/or exemptions with respect to
its own export of the Product from the U.S. Neither
the Product nor the underlying information or
technology may be downloaded or otherwise exported or
re-exported (i) into Cuba, Iran, Iraq, Libya, North
Korea, Sudan, Syria or any other country subject to
U.S. trade sanctions covering the Product, to
individuals or entities controlled by such countries,
or to nationals or residents of such countries other
than nationals who are lawfully admitted permanent
residents of countries not subject to such sanctions;
or (ii) to anyone on the U.S. Treasury Department's
list of Specially Designated Nationals and Blocked
Persons or the U.S. Commerce Department's Table of
Denial Orders. By downloading or using the Product,
Licensee agrees to the foregoing and represents and
warrants that it complies with these conditions.
12. HIGH RISK ACTIVITIES. The Product is not
fault-tolerant and is not designed, manufactured or
intended for use or resale as on-line control
equipment in hazardous environments requiring
fail-safe performance, such as in the operation of
nuclear facilities, aircraft navigation or
communication systems, air traffic control, direct
life support machines, or weapons systems, in which
the failure of the Product could lead directly to
death, personal injury, or severe physical or
environmental damage ("High Risk Activities").
Accordingly, Licensor and its suppliers specifically
disclaim any express or implied warranty of fitness
for High Risk Activities. Licensee agrees that
Licensor and its suppliers will not be liable for any
claims or damages arising from the use of the Product
in such applications.
13. U.S. GOVERNMENT END USERS. The Product is a
"commercial item," as that term is defined in 48
C.F.R. 2.101 (Oct. 1995), consisting of "commercial
computer software" and "commercial computer software
documentation," as such terms are used in 48 C.F.R.
12.212 (Sept. 1995). Consistent with 48 C.F.R.
12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4
(June 1995), all U.S. Government End Users acquire
the Product with only those rights set forth herein.
13. MISCELLANEOUS. (a) This Agreement constitutes
the entire agreement between the parties concerning
the subject matter hereof. (b) This Agreement may be
amended only by a writing signed by both parties.
(c) Except to the extent applicable law, if any,
provides otherwise, this Agreement shall be governed
by the laws of the State of California, U.S.A.,
excluding its conflict of law provisions. (d) Unless
otherwise agreed in writing, all disputes relating to
this Agreement (excepting any dispute relating to
intellectual property rights) shall be subject to
final and binding arbitration in Santa Clara County,
California, under the auspices of JAMS/EndDispute,
with the losing party paying all costs of
arbitration. (e) This Agreement shall not be
governed by the United Nations Convention on
Contracts for the International Sale of Goods. (f)
If any provision in this Agreement should be held
illegal or unenforceable by a court having
jurisdiction, such provision shall be modified to the
extent necessary to render it enforceable without
losing its intent, or severed from this Agreement if
no such modification is possible, and other
provisions of this Agreement shall remain in full
force and effect. (g) The controlling language of
this Agreement is English. If Licensee has received
a translation into another language, it has been
provided for Licensee's convenience only. (h) A
waiver by either party of any term or condition of
this Agreement or any breach thereof, in any one
instance, shall not waive such term or condition or
any subsequent breach thereof. (i) The provisions of
this Agreement which require or contemplate
performance after the expiration or termination of
this Agreement shall be enforceable notwithstanding
said expiration or termination. (j) Licensee may not
assign or otherwise transfer by operation of law or
otherwise this Agreement or any rights or obligations
herein except in the case of a merger or the sale of
all or substantially all of Licensee's assets to
another entity. (k) This Agreement shall be binding
upon and shall inure to the benefit of the parties,
their successors and permitted assigns. (l) Neither
party shall be in default or be liable for any delay,
failure in performance (excepting the obligation to
pay) or interruption of service resulting directly or
indirectly from any cause beyond its reasonable
control. (m) The relationship between Licensor and
Licensee is that of independent contractors and
neither Licensee nor its agents shall have any
authority to bind Licensor in any way. (n) If any
dispute arises under this Agreement, the prevailing
party shall be reimbursed by the other party for any
and all legal fees and costs associated therewith.
(o) If any Netscape professional services are being
provided, then such professional services are
provided pursuant to the terms of a separate
Professional Services Agreement between Netscape and
Licensee. The parties acknowledge that such services
are acquired independently of the Product licensed
hereunder, and that provision of such services is not
essential to the functionality of such Product. (p)
The headings to the sections of this Agreement are
used for convenience only and shall have no
substantive meaning. (q) Licensor may use Licensee's
name in any customer reference list or in any press
release issued by Licensor regarding the licensing of
the Product and/or provide Licensee's name and the
names of the Product licensed by Licensee to third
parties.
14. LICENSEE OUTSIDE THE U.S. If Licensee is located
outside the U.S., then the provisions of this Section
shall apply. (i) Les parties aux presentes
confirment leur volonte que cette convention de meme
que tous les documents y compris tout avis qui s'y
rattache, soient rediges en langue anglaise.
(translation: "The parties confirm that this
Agreement and all related documentation is and will
be in the English language.") (ii) Licensee is
responsible for complying with any local laws in its
jurisdiction which might impact its right to import,
export or use the Product, and Licensee represents
that it has complied with any regulations or
registration procedures required by applicable law to
make this license enforceable.
Netscape Client Software EULA Rev. [022500]

Binary file not shown.


Binary file not shown.


View File

@ -1,29 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<head>
<title>Personal Security Manager Detection Page</title>
<script language=javascript>
function init_title()
{
with(window.frames.the_frame) {
document.write('<BODY><H1>Personal Security Manager Detection Page</H1><P><P>');
if (typeof(crypto.version) == "undefined") {
document.write('<FONT color="#ff0000">Personal Security Manager not loaded</FONT>');
} else {
document.write('<FONT color="#007700">Personal Security Manager&nbsp;Running&nbsp;(version ', crypto.version);
document.write(')</FONT>');
}
document.write('</BODY>');
document.close();
}
}
</script>
</head>
<frameset rows="*,1" border=0 onload="init_title()">
<frame src="about:blank" name="the_frame">
<frame src="about:blank">
</frameset>
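Review bot: no replacement is named for the `typeof(crypto.version) == "undefined"` check in init_title(), which is the detection example the release notes deleted in this same commit send web programmers to (step 4 under "Use Personal Security Manager with Netscape 6", linking psmtest.html). Before this lands, search the remaining tree for links to psmtest.html and for pages that branch on `crypto.version`. The commit message should also say where current detection guidance lives, since "Removing PSM 1 files" gives no reason or successor.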

View File

@ -1,297 +0,0 @@
<!DOCTYPE html PUBLIC "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.75 [en] (WinNT; U) [Netscape]">
<meta name="Author" content="Sean Cotter">
<title>Personal Security Manager Release Notes</title>
</head>
<body>
<center>
<h1><img src="bannerrn.gif" height="32" width="468" align="Center"></h1>
</center>
<center>
<h2>Netscape Personal Security Manager</h2>
</center>
<center>
<h2>Release 1.4</h2>
</center>
<center>
<h2>12/18/2000</h2>
</center>
<center>
<hr width="100%"></center>
These release notes contain the most recent information about this release
of Netscape Personal Security Manager. Please read these notes before using
the software.
<p>These notes include information for IS professionals who are thoroughly
familiar with security and public-key infrastructure (PKI) issues.</p>
<p>Use of this product is subject to the terms detailed in the license agreement
at <a href="http://docs.iplanet.com/docs/manuals/psm/14/license.txt.">http://docs.iplanet.com/docs/manuals/psm/14/license.txt.</a></p>
<p></p>
<hr width="100%">
<h2>Contents</h2>
<a href="#Documentation">Documentation</a><br>
<a href="#Changes Since PSM 1.3">Changes Since Personal Security Manager 1.3</a>
<br>
<a href="#Software/Hardware Requirements">Software/Hardware Requirements</a>
<br>
<a href="#unpacking">Installing Personal Security Manager</a><br>
<a href="#Using the Test Bed">Using Personal Security Manager</a><br>
<a href="#Known Bugs/Issues for 14 Release">Known Bugs/Issues for Personal
Security Manager 1.4</a><br>
<a href="#Feedback">Feedback</a>
<p></p>
<hr width="100%">
<h2><a name="Documentation"></a>Documentation</h2>
The following documentation is available with Personal Security Manager:
<ul>
<li><a href="contents.htm">Personal Security Manager Help</a> -- This online
help system can also be accessed by clicking the Help button in any personal
Security Manager window.</li>
<li><a href="cmcjavascriptapi.html">JavaScript API for Client Certificate
Management</a> -- This reference describes a new Javascript API for performing
user certificate management operations with Personal Security Manager, including
one-click issuance, forced certificate backup by end users, and automatic
archival of encryption private keys.</li>
</ul>
For the latest release notes, deployment guide, and other information,see
<a href="http://docs.iPlanet.com/docs/manuals/psm.html">http://docs.iPlanet.com/docs/manuals/psm.html</a><a href="http://developer.iPlanet.com/docs/manuals/psm.html">
.</a>
<p></p>
<hr width="100%">
<h2><a name="Changes Since PSM 1.3"></a>Changes Since Personal Security Manager
1.3</h2>
The <a href="http://www.ietf.org/rfc/rfc2246.txt">Transport Layer Security
(TLS)</a> protocol is turned on by default in Personal Security Manager1.4.
To turn TLS off, open Personal Security Manager, click the Advanced tab, click
Options in the left frame, then deselect the checkbox labeled "Enable TLS."
<p>TLS is an IETF standard based on the Secure Sockets Layer (SSL) protocol.
It can be thought of as SSL version 3.1. Some servers that do not implement
SSL correctly cannot negotiate the SSL handshake with client software (such
as Personal Security Manager) that supports TLS. To allow Personal Security
Manager to use SSL with such TLS-intolerant servers, you must disable TLS
as described above.</p>
<p>Most other changes since Personal Security Manager 1.3 involve minor bug
fixes and optimizations.</p>
<p>This version of Netscape Personal Security Manager ships with Netscape
6 and also works with Mozilla and Communicator 4.7x. </p>
<p></p>
<hr width="100%">
<h4><a name="Software/Hardware Requirements"></a><font size="+2">Software/Hardware
Requirements</font></h4>
<b>Operating systems supported:</b> Windows NT, Windows 95, Windows 98, Windows
2000; Solaris 2.6, 2.7, 2.8; and Red Hat Linux 6.1.
<p></p>
<hr width="100%">
<h2><a name="unpacking"></a>Installing Personal Security Manager</h2>
Netscape Personal Security Manager 1.4 is installed with Netscape 6 and recent versions
of Mozilla.
<p>When you install Netscape 6 on Windows, Personal Security Manager is installed
in the directory <tt>C:\Program Files\Common Files\Netscape Shared\Security\</tt>.
<p>When you install Netscape 6 on Unix, Personal Security Manager is installed
in a directory called <tt>psm</tt> in the same directory where the <tt>netscape</tt>
executable resides.<br>
<p>The sections that follow describe how to install the Personal Security Manager
files for use with Communicator 4.7x.</p>
<h3>Installing on Windows 95/98/2000/NT for Use With Communicator 4.7x</h3>
To install Netscape Personal Security Manager on Windows 95/98/2000/NT for use with
Communicator 4.7 or later, save the file in a convenient location with the
specified filename, then drag the file's icon into a Navigator window (that
is, a browser window displayed by Communicator). Dropping the file's icon
over the browser window initiates SmartUpdate, which automatically installs
Personal Security Manager. Afterinstallation is complete, exit Communicator
and relaunch it. If your copy of Communicator is installed in the default
location, SmartUpdate installs the Personal Security Manager files in the
directory<tt>C:\Program Files\CommonFiles\Netscape Shared\Security\</tt>
and adds the file <tt>cmnav.dll</tt>in the directory <tt>C:\Program Files\Netscape\Communicator\Program</tt>.<br>
<h3>Installing on Unix for Use With Communicator 4.7x</h3>
To install Personal Security Manager for use with Communicator 4.7 or later on Unix, you
must be logged in as the same Unix user you will be logged in as when you
run Communicator. For the Unix installation to succeed, you must have write
privileges for both the directory where the Netscape executable resides and
the directory where the installation script creates the directory containing
the Personal Security Manager files. To install Personal Security Manager for
use with Communicator 4.7x, download the tar file for the version of the product
that you want to install and follow these steps:<br>
<ol>
<li>Exit Communicator, if it is running.</li>
<li>Decompress the downloaded file to some convenient location.</li>
<li>Run the psm-install program.</li>
</ol>
The psm-install program allows you to specify the directory in which Personal
Security Manager will be installed. In this release, you must install Personal
Security Manager locally. To do so, you can either install it in the default
location (<tt>/opt/netscape/security</tt>) or in some other local location. However,
if you install Personal Security Manager anywhere other than the default
location, Communicator must also be installed locally. To run Personal Security
Manager on Unix, you must be logged in as the same Unix user you were logged
in as when you installed it.<br>
<h3>Disabling Personal Security Manager</h3>
To <b>disable</b> Personal Security Manager temporarily, exit the browser,
then:
<ul>
<li>on Unix, remove the directory<tt>psm</tt> from the directory where
the<tt>netscape</tt>executable resides.</li>
<li>on Windows, rename the directory <tt>C:\Program Files\Common Files\Netscape
Shared\Security</tt> to something else.</li>
</ul>
<hr width="100%">
<h2><a name="Using the Test Bed"></a>Using Personal Security Manager</h2>
The sections that follow describe how to test some of the features of Personal
Security Manager that are available with this release:
<ul>
<li><a href="#Start Up Personal Security Manager with">Start Up Personal
SecurityManager with Netscape 6</a></li>
<li><a href="#Use SSL with Server Authentication">Test Basic SSL</a></li>
<li><a href="#Get a Certificate">Get an SSL Client Certificate</a></li>
<li><a href="#View Your Personal Certificate">View Your Certificate</a></li>
<li><a href="#Using Your Personal Certificate for Client">Test Client Authentication</a></li>
<li><a href="#Validate Certificates Using OSCP">Validate Certificates Using
OCSP</a></li>
</ul>
The sections that follow briefly describe how to test some of the features
listed above.
<p>For information on the JavaScript API supported by Personal SecurityManager,
see <a href="cmcjavascriptapi.html">JavaScript API for ClientCertificate
Management</a> and the Personal Security Manager DeploymentGuide. For the
latest versions of these documents, see <a href="http://docs.iPlanet.com/docs/manuals/psm.html">
http://docs.iPlanet.com/docs/manuals/psm.html</a>.</p>
<h3><a name="Start Up Personal Security Manager with"></a>Use Personal Security
Manager with Netscape 6</h3>
Personal Security Manager starts automatically the first time Netscape 6
needs to perform some action involving security, such as handling anSSL session.
<p>Follow these steps to view your security settings and confirm that&nbsp;
Personal Security Manager is running:</p>
<ol>
<li>Launch Netscape 6.</li>
<li>Choose Security &amp; Privacy from the Tasks menu, then choose Security
Manager to view your Personal Security Manager settings.</li>
<li>Close the Personal Security Manager window.</li>
<li>Go to the page <a href="psmtest.html">psmtest.html</a> (in the same
directoryas these release notes), then choose Page Source from the View menu
tosee the JavaScript code that a web programmer can use to detect Personal
Security Manager and its version number.</li>
</ol>
Note that the version number has two parts. The first is the version ofthe
PSM client library, and the second is the version of the PSM serverlibrary.
<br>
&nbsp;
<h3><a name="Use SSL with Server Authentication"></a>Test Basic SSL</h3>
Go to any online store, banking service, brokerage account, or other website
that supports SSL. Verify that the lock in the lower-left corner ofthe browser
window is closed when you reach the pages for which SSL shouldbe enabled,
for example a page where you are asked to give your creditcard number.
<h3><a name="Get a Certificate"></a>Get an SSL Client Certificate</h3>
Go to any public or private CA and apply for an SSL client certificate.
<p>To test one-click certificate issuance, dual key-pair certificates,and
other Personal Security Manager features, system administrators shoulddownload,
install, and configure Netscape Certificate Management System.For complete
CMS documentation and other information, see <a href="http://docs.iPlanet.com/docs/manuals/cms.html">
http://docs.iPlanet.com/docs/manuals/cms.html</a>.To download the latest
version of CMS, see <a href="http://www.iplanet.com/downloads/download/">
http://www.iplanet.com/downloads/download/</a>.</p>
<h3><a name="View Your Personal Certificate"></a>View Your Certificate</h3>
After you have obtained a certificate, follow these steps to view it:
<ol>
<li>Click the Security icon in the Navigator toolbar.</li>
<li>Click the Certificates tab.</li>
<li>Click to select your certificate.</li>
<li>Click View.</li>
</ol>
You should see information about your new certificate.
<h3><a name="Using Your Personal Certificate for Client"></a><font size="+1">
TestClient Authentication</font></h3>
Personal Security Manager allows the SSL server and client to negotiatewhich
certificate to use, and in most cases they can agree on a singlecorrect certificate
for the client to present. When this happens, the usercan access an SSL site
that requires client authentication with zero additionalclicks.
<p>To test client authentication with Netscape Enterprise Server, systemadministrators
should follow these steps:</p>
<ul>
<li>Install an Enterprise Server and configure it for client authentication
as described in <a href="http://docs.iplanet.com/docs/manuals/cms/41/dep_gide/entsrv.htm">
AppendixD, Using SSL with Enterprise Server 3.x</a>, of <i>Netscape Certificate
Management System Installation and Deployment Guide</i>.</li>
<li>Test the Enterprise Server installation as described at the end of
AppendixD using Personal Security Manager.</li>
</ul>
<h3><a name="Validate Certificates Using OSCP"></a>Validate Certificates
UsingOSCP</h3>
Personal Security Manager supports the use of the On-Line Certificate Status
Protocol (OSCP) to check the validity of certificates in real time. Information
about this protocol and how configure Personal Security Manager 1.3 andNetscape
Certificate Management System 4.2 to support it is available from<a href="http://docs.iPlanet.com/docs/manuals/psm/12/psmdply.htm">
http://docs.iPlanet.com/docs/manuals/psm/12/psmdply.htm</a>
<p>It's important to note that Personal Security Manager will accept signatures
from responders only under the following conditions:</p>
<ul>
<li>The response was signed by a delegated responder--that is, the responder's
certificate was signed by the same CA as the certificate&nbsp; you're trying
to verify and has the <tt>extendedKeyUsage</tt> bit set indicating thatthe
certificate is an OCSP response signer. The certificate should be thesame
as a CA certificate with the addition of the <tt>extendedKeyUsage</tt>bit.</li>
<li>The user has designated a default responder in the OCSP Settings dialog
box (available from the Advanced tab under Options).</li>
</ul>
Common problems include the following:
<ul>
<li>Time drift between the client and server machine. Personal Security
Managerexpects the time of the response to be within the past 24 hours. If
thereis a difference in the clocks between the machine used to sign the response,
so the response looks to Personal Security Manager like it was signed inthe
future, Personal Security Manager interprets this as an error. Runntp on
both machines to fix this problem.</li>
<li>The response doesn't include the certificates required to complete
thechain needed to verify the signer's certificate. The client frequently
doesn't have all the certificates in the database that are needed to verify
the signer's certificate, in which case Personal Security Manager can'tverify
the signer's certificate and OCSP fails. Make sure the entire chainis included
with every response. This is the safest way to avoid this problem.</li>
<li>If you are using ValiCert, misconfiguration may cause the Validation
Authoritynot to send the certificate chain (including the CA root certificate
andthe OCSP responder's certificate) correctly.</li>
</ul>
<hr width="100%">
<h2><a name="Known Bugs/Issues for 14 Release"></a>Known Bugs/Issues for
Personal Security Manager 1.4</h2>
<ul>
<li>To run Personal Security Manager on Unix with Netscape 6 or Communicator,
you must be logged in as thesame Unix user you were logged in as when the
browser was installed.</li>
<li>FORTEZZA is not guaranteed to work with this release. [# 94220]</li>
<li>In some unusual circumstances you may encounter problems such as valid
certificates not being verified or the browser freezing up. If you encounter
a problem that doesn't appear to have a logical explanation, try the following
as a last resort:</li>
<ol>
<li>Exit the browser, then relaunch it. If necessary, use Control-Alt-Delete
on Windows 95/98/2000/NT to bring up the Task Manager and click End Process
for both <tt>psm.exe</tt> and <tt>netscp6.exe</tt>.</li>
<li><b>Warning:</b> <b>Before taking this step, back up your own certificates
stored internally by Personal Security Manager.</b> If exiting and relaunching
the browser doesn't take care of the problem, in some rare cases it maywork
to exit the browser, then delete or rename your <tt>cert7.db</tt> and<tt>
key3.db</tt>files (located in your user profile directory on Windows 95/98/2000/NT,
or in the directory in which the Netscape or Mozilla executable resideson
Unix) and relaunch the browser. You should also look for all otherfiles in
the same directory that begin with <tt>cert</tt> or<tt>key</tt>and end in
<tt>.db</tt> and delete those files as well before relaunchingthe browser.</li>
</ol>
</ul>
<hr width="100%">
<h2><a name="Feedback"></a>Feedback</h2>
To send feedback to the Personal Security Manager development team, send email
to <a href="mailto:psmfeedback@netscape.com">psmfeedback@netscape.com</a>.
Feedback back sent to this address will be read by the team, but you will
not receive a personal response.
</body>
</html>
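Review bot: missing pointer to a successor document for the security-relevant guidance in the "Validate Certificates Using OSCP" and "Known Bugs/Issues" sections. Those sections state when a responder's signature is accepted (a delegated responder whose certificate carries `extendedKeyUsage`, or a default responder the user designated), that a response must fall within the past 24 hours, and that certificates must be backed up before `cert7.db` and `key3.db` are deleted. The file itself refers readers to http://docs.iPlanet.com/docs/manuals/psm.html for the latest notes. Please confirm that copy still covers these points, or name the replacement in the commit message, so the acceptance rules and the backup warning are not lost with the file.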