This document is provided by Netscape for
your information only. It may help you take certain steps to
protect the privacy and security of your personal information on
the Internet. This document does not, however, address all online
privacy and security issues, nor does it represent a recommendation
by Netscape about what constitutes adequate privacy and security
protection on the Internet.
Validation Settings
This section describes how to set Validation preferences and how
to control Certificate Revocation List (CRL) settings.
For step-by-step descriptions of various tasks related to
validation and CRLs, see How Certificate Validation Works.
Privacy & Security Preferences - Validation
This section describes how to use the Validation Settings panel.
If you are not already viewing the panel, follow these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy & Security category, click Validation.
(If no subcategories are visible, double-click Privacy &
Security to expand the list.)
For background information on certificate validation, see
How Certificate Validation Works.
CRL
A certificate revocation list (CRL) is a list of revoked
certificates that is generated and signed by a certificate
authority (CA). It's possible to download a CRL to your
browser, which can check it to ensure that certificates are still
valid before permitting their use for authentication.
Click Manage CRLs to see a list of the CRLs available to
Certificate Manager.
For more information about managing CRLs, see Managing CRLs.
OCSP
The Online Certificate Status Protocol (OCSP) makes it possible
for Certificate Manager to perform an online check of a
certificate's validity each time the certificate is viewed or used.
This process involves checking the certificate against a
certificate revocation list (CRL) maintained at a specified web
site. Your computer must be online for OCSP to work.
To specify how Certificate Manager uses OCSP, choose one of
these settings in the OCSP section of Validation Settings:
- Do not use OCSP for certificate verification. Select
this setting if you don't want Certificate Manager to perform an
online status check each time it verifies a certificate. Instead,
whenever Certificate Manager performs certificate verification, it
only confirms the certificate's validity period and that it is
correctly signed by a CA whose own CA certificate is both listed
under the CA Certificates tab (in the main Certificate Manager
window) and marked as trusted for issuing that kind of
certificate.
- Use OCSP to verify only certificates that specify an OCSP
service URL. Select this setting if you want Certificate
Manager to perform an online status check each time it verifies a
certificate that specifies a URL for the purpose of performing such
a check. If a URL is specified by the certificate, Certificate
Manager makes sure that the certificate is listed there as valid
and checks the validity period and trust settings.
- Use OCSP to verify all certificates, using the URL and
signer specified here. Select this setting if you want
Certificate Manager to perform an online status check each time it
verifies any certificate. If you select this setting, you should
also choose the certificate from the Response Signer pop-up menu
that identifies the signer of the OCSP responses. With this
setting, the only certificates Certificate Manager recognizes are
those that can be verified by an OCSP response signed with the
Response Signer certificate (or signed using a certificate that
chains to it).
When you choose a Response Signer certificate from the pop-up
menu, Certificate Manager fills in the Service URL (if available)
for that signer automatically. If the Service URL is not filled in
automatically, you must provide it yourself; ask your system
administrator for details.
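The three OCSP settings above, modelled as an added example (not Netscape's code): a Python decision function run over constructed certificates and responders, with no network access or cryptography. The setting names, the rejection of a certificate when no response is available, and the comparison of signer names in place of chain validation are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical names for the three OCSP settings described above.
NO_OCSP, OCSP_IF_URL, OCSP_ALL = "off", "cert-url-only", "all"

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    ocsp_url: str = ""  # OCSP service URL named in the certificate, if any

def verify(cert, mode, trusted_cas, now, responders, site_url=None, signer=None):
    """Return (accepted, reason). responders: url -> {subject: (status, signed_by)}."""
    # Performed under every setting: validity period and trusted issuing CA.
    if not (cert.not_before <= now <= cert.not_after) or cert.issuer not in trusted_cas:
        return False, "failed validity period or trust check"
    if mode == NO_OCSP:
        return True, "no online status check"
    if mode == OCSP_IF_URL and not cert.ocsp_url:
        return True, "no OCSP URL in certificate, status not checked"
    url = cert.ocsp_url if mode == OCSP_IF_URL else site_url
    answer = responders.get(url, {}).get(cert.subject)
    if answer is None:  # assumption: a missing response means rejection
        return False, "no OCSP response"
    status, signed_by = answer
    if mode == OCSP_ALL and signed_by != signer:  # name match stands in for chaining
        return False, "response not signed by Response Signer"
    return status == "good", "responder says " + status

# Constructed sample data: both certificates are in date, trusted, and revoked.
NOW, START, END = datetime(2003, 4, 15), datetime(2003, 1, 1), datetime(2004, 1, 1)
CAS = {"Example CA"}
SITE_URL = "http://ocsp.corp.example.test"
ALICE = Cert("alice", "Example CA", START, END, "http://ocsp.example.test")
BOB = Cert("bob", "Example CA", START, END)  # carries no OCSP service URL
RESPONDERS = {
    "http://ocsp.example.test": {"alice": ("revoked", "Example CA")},
    SITE_URL: {"alice": ("revoked", "Corp Signer"), "bob": ("revoked", "Corp Signer")},
}

def outcome(cert, mode):
    return verify(cert, mode, CAS, NOW, RESPONDERS, SITE_URL, "Corp Signer")[0]

if __name__ == "__main__":
    for mode in (NO_OCSP, OCSP_IF_URL, OCSP_ALL):
        print(mode, {c.subject: outcome(c, mode) for c in (ALICE, BOB)})
```

Both sample certificates are revoked; under the second setting the one without an OCSP service URL is still accepted, because only its validity period and trust settings are checked.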
Manage CRLs
This section describes how to use the Manage CRLs dialog box. To
view it, follow these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy & Security category, click Validation.
(If no subcategories are visible, double-click Privacy &
Security to expand the list.)
- Click Manage CRLs.
This dialog box displays a list of the CRLs
that you have downloaded for use by your browser. Typically, you
download a CRL by clicking a URL. For information about how CRLs
work, see Managing CRLs.
To select a CRL, click it. You can then perform any of these
actions:
- Delete: Deletes the CRL permanently from your hard disk.
Don't do this unless you're sure you no longer need the CRL for
validating certificates. If in doubt, consult your system
administrator.
- Settings: Opens the Automatic CRL Update
Preferences dialog box, which allows you to activate automatic
CRL updates for the selected CRL and specify how frequently they
should be performed.
- Update: Immediately updates the selected CRL (if
possible).
The Manage CRLs dialog box provides the following information
about each CRL:
- Organization (O): The name of the organization that
issued the CRL.
- Organizational Unit (OU): The name of the organizational
unit that issued the CRL (such as the root CA for a particular kind
of certificate).
- Last Update: The date on which the browser's copy of
this CRL was last updated.
- Next Update: The next date on which an updated version
of this CRL will be published by the CRL issuer.
- Auto Update: Indicates whether Auto Update has been
enabled for this CRL. To view the settings that control auto
updating, select the CRL and click Settings.
- Auto Update Status:
- If Auto Update has not been enabled, or if it has been enabled
but the next scheduled update has not yet occurred, this field
will be blank.
- After at least one auto update has occurred, this field shows
"failed" if the most recent auto update failed, or "OK" if the most
recent auto update was successful.
CRL Import Status
This section describes how to use the CRL Import Status dialog
box, which appears when you first attempt to import a CRL or when
you successfully update it manually.
This dialog box informs you
- whether your attempt to import or update the CRL was
successful
- what organization issued the CRL
- when the next update of this CRL will be published
- whether Automatic Update is enabled for this CRL
If Automatic Update is not enabled, you can turn it on from
here:
- Yes: Click Yes to enable automatic updating of this CRL.
If you click this button, the Automatic CRL Update Preferences
dialog box appears next. The next section describes how to set
these preferences.
- No: Click No if you wish to leave Automatic Update
disabled.
Automatic CRL Update Preferences
This section describes how to use the Automatic CRL Update
Preferences dialog box. If you are not already viewing it, follow
these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy & Security category, click Validation.
(If no subcategories are visible, double-click Privacy &
Security to expand the list.)
- Click Manage CRLs, then select the CRL whose auto update
preferences you want to view or change.
- Click Settings.
This dialog box displays the following options and
information:
Click OK to confirm your choices.
15 April 2003
Copyright © 1994-2003 Netscape Communications
Corporation.