Portal Server Plug-in for the Identrus System 2.0 Installation, Administration & User Guide |
Chapter 3 User
Having set up your digital certificates, you are now ready to use the iPlanet Portal Server Plug-in for the Identrus System. While using NetMail Lite you can, with confidence, choose to digitally sign messages that you wish to send and check the integrity and authenticity of messages that you receive. Thus, the objectives of this chapter are to cover the features that facilitate this:
- Smart Card Login
Smart Card Login
From your browser enter the URL to access the Portal Server e.g. https://firestorm.jcp.co.uk:443
Figure 3-1    Login Main menu
Select <SmartCardUser>
Figure 3-2    Inserting your SmartCard
Insert Smart Card into Card Reader
Figure 3-3    Inserting Smart Card into Card Reader
On clicking the 'Enter' button, a dialog is displayed prompting the user to enter their SmartCard PIN.
Figure 3-4    Sign SmartCard Entry
Select <Sign>
Figure 3-5    Entering a PIN Number for your SmartCard
On entering the PIN and clicking <Verify>, the login request is sent to the server. The user will be denied access and an appropriate message displayed if any of the following is true:
- No SmartCard was present in the reader
- The SmartCard PIN was entered incorrectly
- The SmartCard certificate chain is invalid
- The SmartCard certificate chain does not contain a trusted CA certificate
- The SmartCard certificate status is 'unknown', i.e. the SmartCard was not issued under the 'scheme'
- The SmartCard certificate status has been 'revoked'
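As an added illustration of the login checks listed above (this is example code, not the plug-in's own, and the certificate records, trusted CA list and status directory in it are constructed), the following Python evaluates a login attempt in the order the guide gives and returns the reason access is denied, or None when it is granted:

```python
# Added illustration of the smart-card login decision. It is not the plug-in's
# code: the certificate records, the trusted CA list and the scheme status
# directory below are all constructed for the example.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

# Denial messages, in the order the login module evaluates the checks.
NO_CARD = "No SmartCard was present in the reader"
BAD_PIN = "The SmartCard PIN was entered incorrectly"
BAD_CHAIN = "The SmartCard certificate chain is invalid"
UNTRUSTED = "The SmartCard certificate chain does not contain a trusted CA certificate"
UNKNOWN = "The SmartCard certificate status is unknown (not issued under the scheme)"
REVOKED = "The SmartCard certificate status has been revoked"

# Constructed trust store: subjects of the CA certificates the server trusts.
TRUSTED_CA_SUBJECTS = {"CN=Identrus Root CA (constructed)"}

# Constructed stand-in for the scheme's status service. Subjects absent from
# it were not issued under the scheme, so their status is "unknown".
STATUS_DIRECTORY = {
    "CN=John Smith": "good",
    "CN=Manuelo Revoka": "revoked",
}

def chain_is_well_formed(chain: List[Cert]) -> bool:
    """Leaf first, root last: every certificate must be issued by the next one,
    every issuer must be a CA, and the last certificate must be self-signed."""
    if not chain:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not issuer.is_ca:
            return False
    root = chain[-1]
    return root.is_ca and root.issuer == root.subject

def login_decision(card_present: bool, pin_ok: bool, chain: List[Cert]) -> Optional[str]:
    """Return None when access is granted, otherwise the reason it is denied."""
    if not card_present:
        return NO_CARD
    if not pin_ok:
        return BAD_PIN
    if not chain_is_well_formed(chain):
        return BAD_CHAIN
    # At least one certificate above the leaf must be a trusted CA.
    if not any(c.subject in TRUSTED_CA_SUBJECTS for c in chain[1:]):
        return UNTRUSTED
    status = STATUS_DIRECTORY.get(chain[0].subject, "unknown")
    if status == "unknown":
        return UNKNOWN
    if status == "revoked":
        return REVOKED
    return None

# Constructed sample chains.
ROOT = Cert("CN=Identrus Root CA (constructed)", "CN=Identrus Root CA (constructed)", is_ca=True)
OTHER_ROOT = Cert("CN=Some Other Root (constructed)", "CN=Some Other Root (constructed)", is_ca=True)
JOHN = [Cert("CN=John Smith", ROOT.subject), ROOT]
MANUELO = [Cert("CN=Manuelo Revoka", ROOT.subject), ROOT]
STRANGER = [Cert("CN=Stranger", ROOT.subject), ROOT]          # chains to the root, never issued under the scheme
OUTSIDER = [Cert("CN=Outsider", OTHER_ROOT.subject), OTHER_ROOT]
BROKEN = [Cert("CN=John Smith", "CN=Nobody"), ROOT]           # issuer link does not match

if __name__ == "__main__":
    for label, chain in [("John", JOHN), ("Manuelo", MANUELO), ("Stranger", STRANGER),
                         ("Outsider", OUTSIDER), ("Broken", BROKEN)]:
        print(label, "->", login_decision(True, True, chain) or "access granted")
```

The checks are deliberately ordered so that a missing card or wrong PIN is reported before any certificate processing happens, and chain construction is verified before the status lookup, matching the sequence of conditions in the guide.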
Note Your SmartCard third party vendor should supply your PIN number to you when they issue you with your SmartCard.
When the user presses <Enter> on the SmartCard login page, the login module checks the user's details (and verifies their authenticity) and the user is then presented with their user profile. If it is the user's first time entering the system, they are presented with the new user registration page. When this page is submitted, the module creates and adds the new user.
Figure 3-6    New User Registration
When you have entered your personal details, select <Submit>. This will then take you to the Portal Server main menu.
The server performs Certificate Status Checks according to the security policy that your administrator has configured. Regardless of the Certificate Status Check policy in force, the validity of the signed response from the client is always verified and the signing certificate must be issued by a recognised source.
Figure 3-7    Portal Server Main menu Screen
Finally, select <NetMail Lite>
Overview of Message Verification
There are two options to verify your email messages:
Viewing Certificates
Figure 3-8    Example NetMail Lite Message Header
Clicking on the <certificate status> icon in any but the first two states displays a page showing the most recent status check details. If the system is configured to perform status checks automatically on receipt of messages, then the second state icon will never be displayed. This icon has five states, signifying:
- State 1. Message is not signed by a scheme certificate (blank space)
- State 2. Signing certificate has not yet been checked (blank space)
- State 5. Unknown certificate, or there was an error obtaining the status
The user may initiate a Certificate Status Check by clicking on the <check certificate> button. On clicking the button, a dialog is displayed informing the user that he is requesting a Certificate Status Check, and will be charged by his bank for this service. The user must insert his/her SmartCard and enter his/her PIN in order to confirm the request. On entering the PIN and clicking <OK>, a signed Certificate Status Check request is sent to the Portal Server. A few seconds later, on receipt of the response, a certificate status page is shown:
Figure 3-9    An example certificate status check
The RC host uses its response-signing certificate (configured in section "RC Host Configuration") to sign the HTML source forming the displayed status information and includes the signature as base64 encoded hidden data elsewhere in the certificate status page HTML. The user may save the HTML page to his local disk so that the status information can be verified later, for example for billing purposes.
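The following added example (not the RC host's code) shows the mechanism described above: the status HTML is signed, the signature is appended as a base64 hidden input, and a copy the user saved to disk is verified again by splitting the hidden field off and checking the signature over the rest. The key is a toy textbook-RSA key built from two well-known Mersenne primes rather than a real PKCS#1 key, and the field name "rc-signature" and the table layout are assumptions.

```python
# Added example, not the RC host's own code. Textbook RSA over SHA-256 with a
# key built from public Mersenne primes stands in for the response-signing
# certificate; a real deployment uses a proper private key with PKCS#1 padding.
import base64
import hashlib
import re

_P = 2**521 - 1          # Mersenne prime M13 (toy key material only)
_Q = 2**607 - 1          # Mersenne prime M14
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
_SIG_BYTES = (N.bit_length() + 7) // 8

# Assumed layout of the hidden element carrying the signature.
SIG_RE = re.compile(r'\n<input type="hidden" name="rc-signature" value="([^"]*)">\s*$')

def _digest(signed_source: str) -> int:
    """SHA-256 of the exact HTML source being vouched for, as an integer < N."""
    return int.from_bytes(hashlib.sha256(signed_source.encode()).digest(), "big")

def sign_status_page(status_html: str) -> str:
    """Append the RC host's signature over status_html as base64 hidden data."""
    sig = pow(_digest(status_html), D, N)
    b64 = base64.b64encode(sig.to_bytes(_SIG_BYTES, "big")).decode()
    return status_html + f'\n<input type="hidden" name="rc-signature" value="{b64}">'

def verify_saved_page(saved_html: str) -> bool:
    """Re-check a page the user saved to disk: split off the hidden signature,
    recover the signed value and compare it with the hash of everything else."""
    m = SIG_RE.search(saved_html)
    if m is None:
        return False                      # no signature element: nothing to verify
    try:
        sig = int.from_bytes(base64.b64decode(m.group(1), validate=True), "big")
    except ValueError:
        return False                      # corrupted base64
    return pow(sig, E, N) == _digest(saved_html[:m.start()])

# Constructed status information in the layout of the guide's status page.
STATUS_HTML = (
    "<table>\n"
    "<tr><td>Subject</td><td>CN=John Smith</td></tr>\n"
    "<tr><td>Certificate Status</td><td>Good</td></tr>\n"
    "<tr><td>Date of Check</td><td>2001-05-16 10:15:00</td></tr>\n"
    "</table>"
)

if __name__ == "__main__":
    page = sign_status_page(STATUS_HTML)
    print("saved copy verifies:", verify_saved_page(page))
    print("tampered copy verifies:", verify_saved_page(page.replace("Good", "Revoked")))
```

The point for a user keeping the page as billing evidence is that the signature covers the HTML source exactly as served: any later edit of the saved file, even changing "Good" to "Revoked" in one cell, makes verification fail, while the untouched copy verifies without contacting the RC host again.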
Viewing Signatures
Messages can have three states, signifying:
The validity of the signature is independent of the certificate status. The signature validity icon will always appear for messages signed by a certificate belonging to the scheme. The system may be configured to optionally display the signature validity icon for messages signed by a non-scheme certificate.
Figure 3-10    Selecting Signature Details
The signature details page shows details of the signature and the signing certificate. It is reached by clicking on the signature validity icon in either the message header page or the message page. On clicking the icon, the following information is displayed in the signature details page:
- Subject. Distinguished name of the certificate holder
- Issuer. Distinguished name of the certificate issuer
- Validity. Start and end of the certificate's validity period
- Serial Number. The certificate serial number
- Signature Status. Either 'valid' or 'invalid', plus a summary of the meaning of the signature status:
Figure 3-11    Viewing a Signature
Once checked, a certificate's status is recorded as valid. If, however, the certificate expires a few days after the certificate status check has been performed, the user can still perform an additional certificate status check to see whether or not the certificate status of the message remains valid.
Email Signing Illustration
We now illustrate email messages using four users. The first three users are in possession of a valid certificate. The fourth user has a certificate that has been revoked and also tries to send a message signed outside the Identrus scheme.
- John Smith (Good certificate)
- Rajeev Patel (Good certificate)
- Manuelo Revoka (Revoked certificate and sending an invalid signature)
The iPlanet Portal Server Plug-in for the Identrus System supports the following features:
- Composing a signed message
- Performing a certificate status request on the sender of a message
We now discuss these features in turn.
Composing a Signed Message
Messages can be sent with digital signatures, allowing the recipient to verify the integrity of the message.
John Smith Logs onto NetMail Lite and sends a message to Rajeev Patel. He signs the message by selecting <sign this email>.
Figure 3-12    Composing a Message
The iPlanet Portal Server Plug-in for the Identrus System, when composing a signed message, allows you to:
- <Save a copy to the sent messages folder> Save a copy of your message.
- <Use Signature> Add some signature text at the end of your document. Select <Preferences> to establish a link to this text file.
- <Sign this email> Digitally sign the message, which lets its recipient know that the sender is who he/she claims to be and that the message has not changed.
Having sent the message, the system asks you to confirm how you wish the message to be signed. Select <sign> and, as before, enter your SmartCard PIN number. Make sure your SmartCard has been inserted into your SmartCard reader.
Figure 3-13    Digitally signing a Message
Receiving a Signed Message
Message headers illustrate which messages have been digitally signed and also those that require a Certificate Status Check should you wish to validate the sender of the message. There are two main aspects to this:
- The recipient of the message can verify who the sender is. Clicking on this icon requests the system to perform a Certificate Status Check. This feature can be set to run automatically (consult your administrator).
- The recipient of the message can know whether or not what is being said in a message is valid and has not changed. Under such circumstances, the signature icon will appear as a tick.
Figure 3-14    User Rajeev Patel's Portal Homepage
Figure 3-15    Rajeev Patel's message NetMail Lite Message Headers
Selecting the <Check Certificate> icon determines whether John Smith's certificate is good or has been revoked:
Figure 3-16    Certificate Status Check on John Smith
On completion of a Certificate Status Check a certificate icon appears in the message header as illustrated below:
Figure 3-17    Rajeev Patel's Message Headers illustrating a Manual Certificate Status Check
Forwarding a Signed Message
Forwarded messages also indicate the status of a message: whether it was signed and whether its certificate status has been checked. Under such circumstances, it is up to the user to interpret situations in which some, but not all, of the hierarchy of forwarded messages are unsigned or have revoked certificates. There is no limit to the number of embedded forwarded messages allowed.
Figure 3-18    Forwarding a message
Figure 3-19    Message headers for Tom Jones
On receiving a forwarded message the user simply clicks on the forwarded attachment to see whether or not the forwarded message was digitally signed.
Figure 3-20    A forwarded Message
Figure 3-21    Certificate status check performed on Forwarded message
Forwarding messages can be useful when you need to provide non-repudiable evidence that a message instruction took place. Forwarding the message to an independent party that is part of the Identrus network achieves such an aim. If, on opening the message, the certificate status has been revoked, then it is necessary to go back to the time the original certificate status check was made. This can be done by viewing the certificate status log, or, if necessary, the user can save the certificate status log view as an HTML file locally.
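Because the guide leaves it to the user to interpret a forwarding hierarchy in which only some levels are signed or have good certificates, the following added example (not the plug-in's code; the message records and status values are constructed) walks such a hierarchy level by level and lists every embedded message that would not stand as evidence:

```python
# Added example, not the plug-in's code: walk a forwarded-message hierarchy of
# arbitrary depth and report which levels are unsigned, carry an invalid
# signature, were never status-checked, or have a non-good certificate.
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

@dataclass
class Message:
    sender: str
    signature: Optional[str]          # "valid", "invalid", or None when unsigned
    cert_status: Optional[str]        # "good", "revoked", "unknown", or None if never checked
    forwarded: List["Message"] = field(default_factory=list)

def walk(msg: Message, depth: int = 0) -> Iterator[Tuple[int, Message]]:
    """Depth-first traversal: the outer message first, then each embedded one."""
    yield depth, msg
    for inner in msg.forwarded:
        yield from walk(inner, depth + 1)

def problems(msg: Message) -> List[Tuple[int, str, str]]:
    """(depth, sender, problem) for every level that does not stand as evidence."""
    found = []
    for depth, m in walk(msg):
        if m.signature is None:
            found.append((depth, m.sender, "unsigned"))
        elif m.signature != "valid":
            found.append((depth, m.sender, "invalid signature"))
        elif m.cert_status is None:
            found.append((depth, m.sender, "certificate status not checked"))
        elif m.cert_status != "good":
            found.append((depth, m.sender, f"certificate {m.cert_status}"))
    return found

def describe(msg: Message) -> List[str]:
    """One indented line per level, in the order the user would open them."""
    return [
        f"{'  ' * depth}{m.sender}: signature {m.signature or 'unsigned'}, "
        f"certificate {m.cert_status or 'not checked'}"
        for depth, m in walk(msg)
    ]

# Constructed hierarchies: Tom Jones receives Rajeev's forward of John's original,
# and a second forward in which the embedded message's certificate was revoked.
ORIGINAL = Message("John Smith", "valid", "good")
CLEAN_FORWARD = Message("Rajeev Patel", "valid", "good", [ORIGINAL])
TAINTED_FORWARD = Message("Rajeev Patel", "valid", "good",
                          [Message("Manuelo Revoka", "valid", "revoked")])

if __name__ == "__main__":
    print("\n".join(describe(TAINTED_FORWARD)))
    print(problems(TAINTED_FORWARD))
```

An empty result from problems() is the condition under which the whole forwarded chain serves as non-repudiable evidence; any entry names the level the user needs to go back to in the certificate status log.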
Saving an Attachment
This can be achieved by right-clicking the link and selecting <Save Link as>, as illustrated below:
Figure 3-22    Saving an Attachment
Revoked Messages
In certain circumstances, employees leave companies or certificates that were once valid in the past may expire or be revoked.
Figure 3-23    Sending an email message using a revoked certificate
Figure 3-24    Signing a message with a revoked certificate
Figure 3-25    John Smith's Portal User Screen
Figure 3-26    John Smith's Message Header
Figure 3-27    Message Header Details containing a revoked Certificate
The certificate icon indicates that the certificate has been revoked. The text of the message and its sender, however, still have integrity.
Figure 3-28    Message Header Overview containing a revoked certificate
Invalid Signatures
Invalid signatures can occur for a number of reasons:
- The signature is outside the Certificate Scheme that your Administrator has configured for you. This is normally the Identrus Scheme. If you have any doubts you should refer this to your Administrator.
- Somebody has tampered with the message. In this case somebody has managed to hack into the system and change the contents of your message. This is highly unlikely and as such you should report this to your Systems Administrator immediately.
- The certificate of the signature has expired. Under such circumstances you should request that the sender renew his/her signing certificate and transmit the message again.
- The email address of the sender does not match the subject of the certificate. The two must be the same; a mismatch occurs if the sender tries to sign a message with the certificate of somebody else within the certificate scheme.
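The four causes above are exactly the checks a recipient's verifier has to apply. The added example below (not the plug-in's code) runs them over a signed message and returns every reason the signature is invalid. A keyed HMAC over the message body stands in for the public-key signature, which is enough to show the tamper check; the certificates, keys and the scheme CA name are constructed.

```python
# Added example, not the plug-in's code: verifier-side checks for a signed
# message. HMAC-SHA256 stands in for the real public-key signature; the
# certificate records, keys and scheme CA name are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import List

SCHEME_ISSUERS = {"CN=Identrus Scheme CA (constructed)"}

@dataclass(frozen=True)
class SigningCert:
    email: str          # email address carried in the certificate subject
    issuer: str
    not_before: date
    not_after: date
    key: bytes          # constructed stand-in for the holder's signing key

@dataclass(frozen=True)
class SignedMail:
    sender: str         # From: address on the message
    body: str
    cert: SigningCert
    signature: bytes

def sign_mail(sender: str, body: str, cert: SigningCert) -> SignedMail:
    """Produce a message signed under cert (the sender may or may not own it)."""
    sig = hmac.new(cert.key, body.encode(), hashlib.sha256).digest()
    return SignedMail(sender, body, cert, sig)

def invalid_signature_reasons(mail: SignedMail, on: date) -> List[str]:
    """Every reason the signature is invalid on the given date; empty means valid."""
    reasons = []
    if mail.cert.issuer not in SCHEME_ISSUERS:
        reasons.append("signature is outside the certificate scheme")
    expected = hmac.new(mail.cert.key, mail.body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mail.signature):
        reasons.append("message content has been tampered with")
    if not (mail.cert.not_before <= on <= mail.cert.not_after):
        reasons.append("signing certificate is not within its validity period")
    if mail.sender.lower() != mail.cert.email.lower():
        reasons.append("sender address does not match the certificate subject")
    return reasons

# Constructed certificates and messages.
JOHN = SigningCert("john.smith@example.com", "CN=Identrus Scheme CA (constructed)",
                   date(2001, 1, 1), date(2002, 1, 1), b"john-key")
OUTSIDE = SigningCert("manuelo.revoka@example.com", "CN=Unrelated CA (constructed)",
                      date(2001, 1, 1), date(2002, 1, 1), b"manuelo-key")
GOOD = sign_mail("john.smith@example.com", "Please pay invoice 42.", JOHN)
# Body altered after signing, signature left as it was.
TAMPERED = SignedMail(GOOD.sender, "Please pay invoice 4200.", GOOD.cert, GOOD.signature)
# Signed with somebody else's scheme certificate.
BORROWED = sign_mail("rajeev.patel@example.com", "Hello", JOHN)
OUTSIDE_SCHEME = sign_mail("manuelo.revoka@example.com", "Hello", OUTSIDE)

if __name__ == "__main__":
    for label, mail in [("good", GOOD), ("tampered", TAMPERED),
                        ("borrowed", BORROWED), ("outside", OUTSIDE_SCHEME)]:
        print(label, "->", invalid_signature_reasons(mail, date(2001, 6, 1)) or "valid")
```

Each check is independent, so a single message can fail several at once; reporting all of them rather than stopping at the first gives the user the full picture before deciding whether to ask the sender to renew a certificate or to report possible tampering.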
Manuelo Revoka sends a message to Tom Jones and signs it with a certificate that is outside the certificate scheme:
Figure 3-29    Example Invalid Digital Signature in Message Header
Figure 3-30    Invalid Signature Details
Certificate Status Log
The user will be able to view a log of all of the certificate status checks he has made. This log is accessible from a link in the `Applications' list on the main iPlanet Portal Server page (see Figure 3-31 below). Clicking on the link <Certificate Status Log> causes the log page to appear in a new browser window.
Figure 3-31    Main iPlanet Portal Server Page
This page shows the list of Certificate Status Checks performed by a user, ordered by time, the most recent first.
Figure 3-32    Certificate Status Log
The following data is shown for each entry:
- Subject. Common name of the certificate holder
- Certificate Status. Result of the Certificate Status Check - one of "Good", "Revoked" or "Unknown"
- Date of Check. Time and date of the Certificate Status Check
The user (in this case John Smith) may click on <[more details]> to access the certificate status page for that entry.
Figure 3-33    Certificate Status Details
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated May 16, 2001