How to Disable Smart Card or Certificate Settings - PowerPoint

Practical Task

Mozilla Thunderbird Email
OpenPGP

OpenPGP is also based on PGP.
S/MIME

S/MIME was originally developed by RSA
 Data Security, Inc.

It is based on the PKCS #7 data format
 for the messages, and the X.509v3
 format for certificates.

PKCS #7, in turn, is based on ASN.1.
PKCS#7
 In cryptography, PKCS refers to a group of Public Key
  Cryptography Standards devised and published by
  RSA Security.
 PKCS #7 is the Cryptographic Message Syntax Standard.
 See RFC 2315.
 Used to sign and/or encrypt messages under a PKI.
 Used also for certificate dissemination (for instance as a
  response to a PKCS#10 message - Certification Request
  Standard).
 Formed the basis for S/MIME, which is now based on
  RFC 3852, an updated Cryptographic Message Syntax
  Standard (CMS).
PGP/MIME

PGP/MIME is based on PGP, which was
 developed by many individuals, some of
 whom have now joined together as PGP,
 Inc.

The message and certificate formats
 were created from scratch, and use
 simple binary encoding.
S/MIME, OpenPGP and PGP/MIME

 PGP/MIME, S/MIME and OpenPGP use MIME
  to structure their messages.

 They rely on the multipart/signed MIME type that
  is described in RFC 1847 for moving signed
  messages over the Internet.

 A single mail client could conceivably accept
  and send both formats.
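
The shared multipart/signed framing is what lets one client tell the formats apart: the container's "protocol" parameter names the signature type, and the second body part must carry that same type. The sketch below is an added example, not part of the original slides; the sample messages and addresses are constructed, and it inspects MIME structure only, without verifying any signature.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# "protocol" values on the multipart/signed container (RFC 1847) mapped to the
# scheme that defines them. The x-pkcs7 spelling is the older S/MIME form.
PROTOCOLS = {
    "application/pkcs7-signature": "S/MIME",
    "application/x-pkcs7-signature": "S/MIME",
    "application/pgp-signature": "PGP/MIME",
}

def classify_signed(raw: str) -> str:
    """Identify the signing scheme from MIME structure alone.

    This inspects framing only; it does not verify the signature.
    """
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return "unsigned"
    protocol = collapse_rfc2231_value(msg.get_param("protocol", "")).lower()
    scheme = PROTOCOLS.get(protocol)
    if scheme is None:
        return "malformed: unknown protocol"
    parts = msg.get_payload()
    # RFC 1847: exactly two body parts, the signed content then the signature.
    if not isinstance(parts, list) or len(parts) != 2:
        return "malformed: expected two body parts"
    if parts[1].get_content_type() != protocol:
        return "malformed: signature part does not match protocol"
    return scheme

# Constructed sample; the signature body is a placeholder, not real data.
TEMPLATE = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="{protocol}";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Hello Bob.
--b1
Content-Type: {sig_type}

(placeholder signature bytes)
--b1--
"""

SMIME = TEMPLATE.format(protocol="application/pkcs7-signature",
                        sig_type="application/pkcs7-signature")
PGPMIME = TEMPLATE.format(protocol="application/pgp-signature",
                          sig_type="application/pgp-signature")
# Container claims S/MIME but the signature part is a PGP type.
MISMATCH = TEMPLATE.format(protocol="application/pkcs7-signature",
                           sig_type="application/pgp-signature")

if __name__ == "__main__":
    for name, raw in [("smime", SMIME), ("pgpmime", PGPMIME), ("mismatch", MISMATCH)]:
        print(name, "->", classify_signed(raw))
```
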
About Digital Signatures & Encryption


When you compose a mail message, you
 can choose to attach your digital signature
 to it.

A digital signature allows recipients of the
 message to verify that the message really
 comes from you and hasn't been tampered
 with since you sent it.
When you compose a mail message, you
 can also choose to encrypt it. Encryption
 makes it very difficult for anyone other
 than the intended recipient to read the
 message while it is in transit over the
 Internet.
Before you can sign or encrypt a
 message, you must take these preliminary
 steps:
  Obtain one or more certificates (the digital
   equivalents of ID cards). For details, see
   Getting Your Own Certificate.
  Configure the security settings for your email
   account. For details, see Configuring Your
   Security Settings.
Certificates
Getting Your Own Certificate

Much like a credit card or a driver's
 license, a certificate is a form of
 identification you can use to identify
 yourself over the Internet and other
 networks.

Like other commonly used personal IDs, a
 certificate is typically issued by an
 organization with recognized authority to
 issue such identification.

An organization that issues certificates is
 called a certificate authority (CA).


You can obtain certificates that identify
 you from public CAs, from system
 administrators or special CAs within your
 organization, or from web sites offering
 specialized services that require a means
 of identification more reliable than your
 name and password.


Just as the requirements for a driver's
 license vary depending on the type of
 vehicle you want to drive, the
 requirements for obtaining a certificate
 vary depending on what you want to use it
 for.

In some cases getting a certificate may be
 as easy as going to a web site, entering
 some personal information, and
 automatically downloading the certificate
 into your browser.

In other cases you may have to go through
 more complicated procedures.


You can obtain a certificate today by
 visiting the URL for a certificate authority
 and following the on-screen instructions.
 For a list of certificate authorities, see the
 online document Client Certificates.

Once you obtain a certificate, it is
 automatically stored in a security device.
 Your browser comes with its own built-in
 Software Security Device.

A security device can also be a piece of
 hardware, such as a smart card.
Like a driver's license or a credit card, a
 certificate is a valuable form of
 identification that can be abused if it falls
 into the wrong hands.

Once you've obtained a certificate that
 identifies you, you should protect it in two
 ways: by backing it up and by setting your
 master password.
When you first obtain a certificate, you
 may be prompted to back it up.

If you haven't yet created a master
 password, you will be asked to create one.

For detailed information about backing up
 a certificate and setting your master
 password, see Your Certificates.
Managing Certificates

You can use the Certificate Manager to
 manage the certificates you have
 available.

Certificates may be stored on your
 computer's hard disk or on smart cards or
 other security devices attached to your
 computer.
To open the Certificate Manager:
  Open the Edit menu (Mozilla menu on Mac OS
   X) and choose Preferences.
  Under the Privacy & Security category, click
   Certificates. (If no subcategories are visible,
   double-click Privacy & Security to expand the
   list.)
In the Manage Certificates section, click
 Manage Certificates. You see the
 Certificate Manager.
Managing Certificates that Identify You

 When you first open the Certificate Manager,
  you'll notice that it has several tabs across the
  top of its window.

 The first tab is called Your Certificates, and it
  displays the certificates your browser has
  available that identify you.

 Your certificates are listed under the names of
  the organizations that issued them.

 To perform an action on one or more certificates,
  click the entry for the certificate (or Control-click
  to select more than one), then click the View,
  Backup, or Delete button.

 Each of these buttons brings up another window
  that allows you to perform the action.

 Click the Help button in any window to obtain
  more information about using that window.

The following buttons under Your
 Certificates don't require a certificate to be
 selected. You use them to perform these
 actions:
  Import. Click this button if you want to import a
   certificate that you've previously backed up or
   transferred from one machine to another.
  Backup All. Click this button to back up all your
   own certificates stored in the Software Security
   Device.

 Certificates on smart cards cannot be backed up.

 Whether you select some of your certificates and click
  Backup, or click Backup All, the resulting backup file will
  not include any certificates stored on smart cards or
  other external security devices.

 You can only back up certificates that are stored on the
  built-in Software Security Device.

 For more details about any of these tasks, see Your
  Certificates.
Managing Certificates that Identify
Others

When you compose a mail message, you
 can choose to attach your digital signature
 to it.

A digital signature allows recipients of the
 message to verify that the message really
 comes from you and hasn't been tampered
 with since you sent it.

Every time you send a digitally signed
 message, your encryption certificate is
 automatically included with the message.

This certificate allows the message
 recipients to send you encrypted
 messages.

One of the easiest ways to obtain
 someone else's encryption certificate is for
 that person to send you a digitally signed
 message.

Certificate Manager automatically stores
 other people's certificates whenever they
 are received in this way.

 To view all the certificates identifying other
  people that are available to the Certificate
  Manager, click the Other People's tab at the top
  of the Certificate Manager window.

 You can send encrypted messages to anyone
  for whom a valid certificate is listed. Certificates
  are listed under the names of the organizations
  that issued them.


To perform an action on one or more
 certificates, click the entry for the
 certificate (or Control-click to select more
 than one), then click the View or Delete
 button.

 Each of these buttons brings up another window
  that allows you to perform the action.

 Click the Help button in any window to obtain
  more information about using that window.

 For more details, see Other People's
 Certificates.
Managing Certificates that Identify
Web Sites


Some web sites use certificates to identify
 themselves. Such identification is required
 before the web site can encrypt
 information transferred between the site
 and your computer (or vice versa), so that
 no one can read the data while in transit.

 If the URL for a web site begins with https://, the
  web site has a certificate.

 If you visit such a web site and its certificate was
  issued by a CA that the Certificate Manager
  doesn't know about or doesn't trust, you will be
  asked whether you want to accept the web site's
  certificate.

 When you accept a new web site certificate, the
  Certificate Manager adds it to its list of web site
  certificates.

To view all the web site certificates
 available to your browser, click the Web
 Sites tab at the top of the Certificate
 Manager window.

To perform an action on one or more web
 site certificates, click the entry for the
 certificate (or Shift-click to select more
 than one), then click the View, Edit, or
 Delete button.

Each of these buttons brings up another
 window that allows you to perform the
 corresponding action.

The Edit button allows you to specify
 whether your browser will trust the
 selected web site certificates in the future.

For more details, see Web Site
 Certificates.

 Like other commonly used forms of ID, a
  certificate is issued by an organization with
  recognized authority to issue such identification.

 An organization that issues certificates is called
  a certificate authority (CA).

 A certificate that identifies a CA is called a CA
  certificate.
Managing Certificates that Identify
Certificate Authorities

Certificate Manager typically has many CA
 certificates on file.

These CA certificates permit Certificate
 Manager to recognize and work with
 certificates issued by the corresponding
 CAs.

However, the presence of a CA certificate
 in this list does not guarantee that the
 certificates it issues can be trusted.

You or your system administrator must
 make decisions about what kinds of
 certificates to trust depending on your
 security needs.

To view all the CA certificates available to
 your browser, click the Authorities tab at
 the top of the Certificate Manager window.

 To perform an action on one or more CA
  certificates, click the entry for the certificate (or
  Control-click to select more than one), then click
  the View, Edit, or Delete button.

 Each of these buttons brings up another window
  that allows you to perform the action.

 Click the Help button in any window to obtain
  more information about using that window.

The Edit button allows you to view and
 control the trust settings for each
 certificate. Trust settings for a CA
 certificate let you specify which kinds of
 certificates issued by that CA you are
 willing to trust.

For more details, see Authorities.
Managing Smart Cards and Other
Security Devices

A smart card is a small device, typically
 about the size of a credit card, that
 contains a microprocessor and is capable
 of storing information about your identity
 (such as your private keys and certificates)
 and performing cryptographic operations.

To use a smart card, you typically need to
 have a smart card reader (a piece of
 hardware) attached to your computer, as
 well as software on your computer that
 controls the reader.

A smart card is just one kind of security
 device. A security device (sometimes
 called a token) is a hardware or software
 device that provides cryptographic
 services and stores information about your
 identity. Use the Device Manager to work
 with smart cards and other security
 devices.

In this section:
About Security Devices and Modules
Using Security Devices
Using Security Modules
Enable FIPS Mode
About Security Devices and Modules

The Device Manager displays a window
 that lists the available security devices.

You can use the Device Manager to
 manage any security devices, including
 smart cards, that support the Public Key
 Cryptography Standard (PKCS) #11.

 A PKCS #11 module (sometimes called a
  security module) controls one or more security
  devices in much the same way that a software
  driver controls an external device such as a
  printer or modem.

 If you are installing a smart card, you must
  install the PKCS #11 module for the smart card
  on your computer as well as connecting the
  smart card reader.




By default, the Device Manager controls
 two internal PKCS #11 modules that
 manage three security devices:

Mozilla Internal PKCS #11 Module:
 Controls two security devices:

  Generic Crypto Services: A special security
   device that performs all cryptographic
   operations required by the Mozilla Internal
   PKCS #11 Module.



  Software Security Device: Stores your
   certificates and keys that aren't stored on
   external security devices, including any CA
   certificates that you may have installed in
   addition to those that come with the browser.


Builtin Roots Module: Controls a special
 security device called the Builtin Object
 Token.

This security device stores the default
 CA certificates that come with the browser.
Using Security Devices



The Device Manager allows you to
 perform operations on security devices.

To open the Device Manager, follow these
 steps:

Open the Mozilla Edit menu and choose
 Preferences.
Under the Privacy & Security
 category, click Certificates. (If no
 subcategories are visible, double-click
 Privacy & Security to expand the list.)
In the Certificates panel, click
 Manage Security Devices.



The Device Manager lists each available
 PKCS #11 module in boldface, and the
 security devices managed by each module
 below its name.
When you select a security device,
 information about it appears in the middle
 of the Device Manager window, and some
 of the buttons on the right side of the
 window become available.

For example, if you select the Software
 Security Device, you can perform these
 actions:

 Click Login or Logout to log in or out of the
  Software Security Device.

    If you are logging in, you will be asked to supply the
     master password for the device.

    You must be logged into a security device before
     your browser software can use it to provide
     cryptographic services.



 Click Change Password to change the master
  password for the device.
You can perform these actions on most
 security devices.

However, you cannot perform them on the
 Builtin Object Token or Generic Crypto
 Services, which are special devices that
 must normally be available at all times.

For more details, see Device Manager.
Using Security Modules


If you want to use a smart card or other
 external security device, you must first
 install the module software on your
 computer and, if necessary, connect any
 associated hardware.

Follow the instructions that come with the
 hardware.
After a new module is installed on your
 computer, follow these steps to load it:

  Open the Edit menu (Mozilla menu on Mac OS
   X) and choose Preferences.

  Under the Privacy & Security category, click
   Certificates. (If no subcategories are visible,
   double-click Privacy & Security to expand the
   list.)
 In the Certificates panel, click Manage Security
  Devices.
 Click Load.
 In the Load PKCS #11 Module dialog box, click
  the Browse button, locate the module file, and
  click Open.
 Fill in the Module Name field with the name of
  the module and click OK.


The new module will then show up in the
 list of modules with the name you
 assigned to it.

To unload a PKCS #11 module, select its
 name and click Unload.
Enable FIPS Mode

 Federal Information Processing Standards Publications
  (FIPS PUBS) 140-1 is a US government standard for
  implementations of cryptographic modules, that is,
  hardware or software that encrypts and decrypts data or
  performs other cryptographic operations (such as
  creating or verifying digital signatures).

 Many products sold to the US government must comply
  with one or more of the FIPS standards.

To enable FIPS mode for the browser, you
 use the Device Manager:
  Open the Edit menu (Mozilla menu on Mac OS
   X) and choose Preferences.
  Under the Privacy & Security category, click
   Certificates. (If no subcategories are visible,
   double-click Privacy & Security to expand the
   list.)
   In the Certificates panel, click Manage
    Devices.
   Click the Enable FIPS button. When FIPS is
    enabled, the name NSS Internal PKCS #11
    Module changes to NSS Internal FIPS PKCS
    #11 Module and the Enable FIPS button
    changes to Disable FIPS.


 To disable FIPS mode, click Disable
  FIPS.
Controlling Validation
 As discussed above under Getting Your Own
  Certificate, a certificate is a form of identification,
  much like a driver's license, that you can use to
  identify yourself over the Internet and other
  networks. However, also like a driver's license, a
  certificate may expire or become invalid for
  some other reason. Therefore, your browser
  software needs to confirm the validity of any
  given certificate in some way before trusting it
  for identification purposes.
This section describes how Certificate
 Manager validates certificates and how to
 control that process. To understand the
 process, you should have some familiarity
 with public-key cryptography. If you are
 not familiar with the use of certificates, you
 should check with your system
 administrator before attempting to change
 any of your browser's certificate validation
 settings.


In this section:

  How Validation Works
  Managing CRLs
  Configuring OCSP
  Validation Settings
 How Validation Works

 Whenever you use or view a certificate stored by
  Certificate Manager, it takes several steps to verify the
  certificate.
  At a minimum, it confirms that the CA's digital signature
  on the certificate was created by a CA whose own
  certificate is
       (1) present in the Certificate Manager's list of
           available CA certificates and
       (2) marked as trusted for issuing the kind of
           certificate being verified.

 If the CA certificate is not itself present, the
  certificate chain for the CA certificate must
  include a higher-level CA certificate that is
  present and correctly trusted. Certificate
  Manager also confirms that the certificate being
  verified is currently marked as trusted in the
  certificate store. If any one of these checks fails,
  Certificate Manager marks the certificate as
  unverified and won't recognize the identity it
  certifies.
A certificate can pass all these tests and
 still be compromised in some way; for
 example, the certificate may be revoked
 because an unauthorized person has
 gained access to the certificate's private
 key. A compromised certificate can allow
 an unauthorized person (or web site) to
 pretend to be the certificate owner.
 One way to combat this threat is for Certificate
  Manager to check a certificate revocation list
  (CRL) as part of the verification process (see
  Managing CRLs, below). Typically, you
  download a CRL to your browser by clicking a
  link. If a CRL is present, Certificate Manager
  checks any certificate issued by the same CA
  against the list as part of the verification process.
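
The checks described so far, written out as a decision procedure. This is an added example, not code from the original slides or from Mozilla: it is a simplified model in which signature verification is reduced to matching issuer names, and every name in it (Cert, Store, validate, the sample subjects and serial numbers) is hypothetical.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject of the CA that signed this certificate
    serial: int

@dataclass
class Store:
    authorities: dict = field(default_factory=dict)  # CA subject -> kinds it may issue
    distrusted: set = field(default_factory=set)     # subjects marked untrusted
    crls: dict = field(default_factory=dict)         # CA subject -> revoked serials

class Result(NamedTuple):
    verified: bool
    reason: str
    leaf_crl_present: bool  # False: no CRL on file for the leaf's issuer

def validate(chain, store, kind):
    """Model of the checks above; chain is leaf-first, issuer before its parent."""
    if not chain:
        return Result(False, "empty chain", False)
    leaf = chain[0]
    leaf_crl = leaf.issuer in store.crls
    if leaf.subject in store.distrusted:
        return Result(False, "marked untrusted in store", leaf_crl)
    for i, cert in enumerate(chain):
        # A CRL is consulted only if one is present for the issuing CA.
        if cert.serial in store.crls.get(cert.issuer, ()):
            return Result(False, f"{cert.subject} revoked by {cert.issuer}", leaf_crl)
        kinds = store.authorities.get(cert.issuer)
        if kinds is not None:  # the issuing CA certificate is on file
            if kind in kinds:
                return Result(True, f"anchored at {cert.issuer}", leaf_crl)
            return Result(False, f"{cert.issuer} not trusted for {kind}", leaf_crl)
        # Issuer not on file: the chain must supply the higher-level CA certificate.
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            return Result(False, f"no trusted CA above {cert.subject}", leaf_crl)

# Constructed sample data (not real certificates).
STORE = Store(
    authorities={"Example Root CA": {"email", "ssl"}, "Legacy CA": {"ssl"}},
    crls={"Example Mail CA": {1002}},
)
MAIL_CA = Cert("Example Mail CA", "Example Root CA", 7)
ALICE = Cert("alice@example.org", "Example Mail CA", 1001)
MALLORY = Cert("mallory@example.org", "Example Mail CA", 1002)  # serial is on the CRL
CAROL = Cert("carol@example.org", "Legacy CA", 5)    # CA on file, trusted for ssl only
DAVE = Cert("dave@example.org", "Unknown CA", 9)     # issuer not on file
ERIN = Cert("erin@example.org", "Example Root CA", 3)  # no CRL for this issuer

if __name__ == "__main__":
    for chain in ([ALICE, MAIL_CA], [MALLORY, MAIL_CA], [CAROL], [DAVE], [ERIN]):
        print(chain[0].subject, validate(chain, STORE, "email"))
```

The last field matters when reading results: a certificate can come back verified with no CRL on file for its issuer, which means revocation was never consulted.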

 The reliability of CRLs depends on the
  frequency with which they are both updated by a
  server and checked by a client. You can
  configure your Automatic CRL Update
  Preferences so that a CRL will be updated
  automatically at regular intervals with the version
  currently on the server.

Another way to combat the threat of
 compromised certificates is to use a
 special server that supports the Online
 Certificate Status Protocol (OCSP). Such
 a server can answer client queries about
 individual certificates (see Configuring
 OCSP, below).

 The server, called an OCSP responder, receives
  an updated CRL periodically from the CA that
  issues the certificates to be verified.

 You can configure Certificate Manager to submit
  a status request for a certificate to the OCSP
  responder, and the OCSP responder confirms
  whether the certificate is valid.
Managing CRLs
A certificate revocation list (CRL) is a list of
 revoked certificates.
A certificate authority (CA) might revoke a
 certificate, for example, if it has been
 compromised in some way—much the
 way a credit card company might revoke
 your credit card if you report that it's been
 stolen.
This section describes how to import and
 manage CRLs.
For background information, see How
 Validation Works.
For detailed descriptions of CRL settings
 that you can control, see Validation
 Settings.

In this section:
  About the "Next Update" Date
  Importing CRLs
  Viewing and Managing CRLs

Importing CRLs
You can import the latest CRL from a CA
 into your browser. To import a CRL, follow
 these steps:
  Go to the URL specified by the CA or by your
   system administrator and click the link for the
   CRL that you want to import.
  The Import Status dialog box appears.
  The next step depends on whether you click
   Yes or No in the Import Status dialog box:

    Yes: The Automatic CRL Update Preferences dialog
     box appears. In this case, go on to step 4.

    No: The Import Status dialog box closes. If you
     change your mind and decide to enable automatic
     updates after all, see Viewing and Managing CRLs.
     The Import Status dialog box appears.


Confirm that the CRL was imported
 successfully and that it's the one you
 wanted. In most cases you should also
 click Yes, which enables automatic
 updating of the CRL you just imported.
  Select the option labeled "Enable Automatic
   Update for this CRL".


Decide how you want to schedule the
 automatic updates:
  Update __ days before Next Update date:
   Select this option if you want to base the update
   frequency on the frequency with which the CRL
   publisher publishes a new version of the CRL.



  Update every __ days: Select this option if you
   want to specify an update interval unrelated to
   the CRL's Next Update date.


Click OK to confirm your choices.

				
DOCUMENT INFO
posted:11/18/2010
language:English
pages:86