author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 09:22:09 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 09:22:09 +0000
commit: 43a97878ce14b72f0981164f87f2e35e14151312
tree: 620249daf56c0258faa40cbdcf9cfba06de2a846 /l10n-cs/suite/chrome/common/help/using_certs_help.xhtml
parent: Initial commit.
Adding upstream version 110.0.1. (refs: upstream/110.0.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'l10n-cs/suite/chrome/common/help/using_certs_help.xhtml')
-rw-r--r-- l10n-cs/suite/chrome/common/help/using_certs_help.xhtml | 598
1 files changed, 598 insertions, 0 deletions
diff --git a/l10n-cs/suite/chrome/common/help/using_certs_help.xhtml b/l10n-cs/suite/chrome/common/help/using_certs_help.xhtml
new file mode 100644
index 0000000000..70fc5d0096
--- /dev/null
+++ b/l10n-cs/suite/chrome/common/help/using_certs_help.xhtml
@@ -0,0 +1,598 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
+ <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
+ %brandDTD;
+]>
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Using Certificates</title>
+<link rel="stylesheet" href="helpFileLayout.css"
+ type="text/css"/>
+</head>
+<body>
+
+<h1 id="using_certificates">Using Certificates</h1>
+
+<p>A certificate is the digital equivalent of an ID card. Just as you may have
+ several ID cards for different purposes, such as a driver&apos;s license, an
+ employee ID card, or a credit card, you can have several different
+ certificates that identify you for different purposes.</p>
+
+<p>This section describes how to perform operations related to
+ certificates.</p>
+
+<div class="contentsBox">In this section:
+ <ul>
+ <li><a href="#getting_your_own_certificate">Getting Your Own
+ Certificate</a></li>
+ <li><a href="#checking_security_for_a_web_page">Checking Security for a Web
+ Page</a></li>
+ <li><a href="#managing_certificates">Managing Certificates</a></li>
+ <li><a href="#managing_smart_cards_and_other_security_devices">Managing
+ Smart Cards and Other Security Devices</a></li>
+ <li><a href="#managing_ssltls_warnings_and_settings">Managing SSL/TLS
+ Warnings and Settings</a></li>
+ <li><a href="#controlling_validation">Controlling Validation</a></li>
+ </ul>
+</div>
+
+<h1 id="getting_your_own_certificate">Getting Your Own Certificate</h1>
+
+<p>Much like a credit card or a driver&apos;s license, a certificate is a form
+ of identification you can use to identify yourself over the Internet and
+ other networks. Like other commonly used personal IDs, a certificate is
+ typically issued by an organization with recognized authority to issue such
+ identification. An organization that issues certificates is called a
+ <strong>certificate authority (CA)</strong>.</p>
+
+<p>You can obtain certificates that identify you from public CAs, from system
+ administrators or special CAs within your organization, or from websites
+ offering specialized services that require a means of identification more
+ reliable that your name and password.</p>
+
+<p>Just as the requirements for a driver&apos;s license vary depending on the
+ type of vehicle you want to drive, the requirements for obtaining a
+ certificate vary depending on what you want to use it for. In some cases
+ getting a certificate may be as easy as going to a website, entering some
+ personal information, and automatically downloading the certificate into your
+ browser. In other cases you may have to go through more complicated
+ procedures.</p>
+
+<p>You can obtain a certificate today by visiting the URL for a certificate
+ authority and following the on-screen instructions. For a list of certificate
+ authorities issuing certificates recognized by &brandShortName;, see the
+ online document
+ <a href="http://www.mozilla.org/projects/security/certs/included/">Included
+ Certificate List</a>.</p>
+
+<p>Once you obtain a certificate, it is automatically stored in a
+ <a href="glossary.xhtml#security_device">security device</a>. Your browser
+ comes with its own built-in Software Security Device. A security device can
+ also be a piece of hardware, such as a smart card.</p>
+
+<p>Like a driver&apos;s license or a credit card, a certificate is a valuable
+ form of identification that can be abused if it falls into the wrong hands.
+ Once you&apos;ve obtained a certificate that identifies you, you should
+ protect it in two ways: by backing it up and by setting your
+ <a href="glossary.xhtml#master_password">master password</a>.</p>
+
+<p>When you first obtain a certificate, you may be prompted to back it up. If
+ you haven&apos;t yet created a master password, you will be asked to create
+ one.</p>
+
+<p>For detailed information about backing up a certificate and setting your
+ master password, see <a href="certs_help.xhtml#your_certificates">Your
+ Certificates</a>.</p>
+
+<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
+
+<h1 id="checking_security_for_a_web_page">Checking Security for a Web Page</h1>
+
+<p>When you&apos;re viewing any web page, the lock icon near the lower-right
+ corner of the window informs you whether the entire contents of the page was
+ protected by <a href="glossary.xhtml#encryption">encryption</a> while it was
+ being received by your computer:</p>
+
+<table summary="lock icons">
+ <tr>
+ <td><img alt="closed lock icon"
+ src="chrome://communicator/skin/icons/lock-secure.png"/></td>
+ <td>A closed lock means that the page was protected by encryption when it
+ was received.</td>
+ </tr>
+ <tr>
+ <td><img alt="open lock icon"
+ src="chrome://communicator/skin/icons/lock-insecure.png"/></td>
+ <td>An open lock means the page was not protected by encryption when it was
+ received.</td>
+ </tr>
+ <tr>
+ <td><img alt="broken lock icon"
+ src="chrome://communicator/skin/icons/lock-broken.png"/></td>
+ <td>A broken lock means that some or all of the elements within the page
+ were not protected by encryption when the page was received, even though
+ the outermost HTML page was encrypted.</td>
+ </tr>
+</table>
+
+<p>For more details about the encryption status of the page when it was
+ received, click the lock icon (or open the View menu, choose Page Info, and
+ click the Security tab).</p>
+
+<p>The Security tab for Page Info provides two kinds of information:</p>
+
+<ul>
+ <li>The top half describes whether the website displaying the page has been
+ verified. (For information on certificate verification, see
+ <a href="#controlling_validation">Controlling Validation</a>.)</li>
+ <li>The bottom half describes whether the contents of the page you are
+ viewing is protected by encryption while in transit over the network.</li>
+</ul>
+
+<p><strong>Important</strong>: The lock icon describes only the encryption
+ status of the page while it was being received by your computer. To be
+ notified when you send or receive information without encryption, or to
+ block potentially harmful mixed content, select the appropriate SSL/TLS
+ warning and mixed content options. See <a href="ssl_help.xhtml">Privacy &amp;
+ Security Preferences - SSL/TLS</a> for details.</p>
+
+<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
+
+<h1 id="managing_certificates">Managing Certificates</h1>
+
+<p>You can use the Certificate Manager to manage the certificates you have
+ available. Certificates may be stored on your computer&apos;s hard disk or on
+ <a href="glossary.xhtml#smart_card">smart cards</a> or other security devices
+ attached to your computer.</p>
+
+<p>To open the Certificate Manager:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, click Certificates. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+ <li>In the Manage Certificates section, click Manage Certificates. You see
+ the Certificate Manager.</li>
+</ol>
+
+<div class="contentsBox">In this section:
+ <ul>
+ <li><a href="#managing_certificates_that_identify_you">Managing
+ Certificates that Identify You</a></li>
+ <li><a href="#managing_certificates_that_identify_people">Managing
+ Certificates that Identify People</a></li>
+ <li><a href="#managing_certificates_that_identify_servers">Managing
+ Certificates that Identify Servers</a></li>
+ <li><a href="#managing_certificates_that_identify_certificate_authorities">Managing
+ Certificates that Identify Certificate Authorities</a></li>
+ <li><a href="#managing_certificates_that_identify_others">Managing
+ Certificates that Identify Others</a></li>
+ </ul>
+</div>
+
+<h2 id="managing_certificates_that_identify_you">Managing Certificates that
+ Identify You</h2>
+
+<p>When you first open the Certificate Manager, you&apos;ll notice that it has
+ several tabs across the top of its window. The first tab is called Your
+ Certificates, and it displays the certificates your browser or mail client
+ has available that identify you. Your certificates are listed under the names
+ of the organizations that issued them.</p>
+
+<p>To perform an action on one or more certificates, click the entry for the
+ certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
+ to select more than one), then click one of the buttons at the bottom of the
+ Certificate Manager window. Each of these buttons brings up another window
+ that allows you to perform the action. Click the Help button in any window to
+ obtain more information about using that window.</p>
+
+<p>For more details on how to view and manage these certificates, see
+ <a href="certs_help.xhtml#your_certificates">Your Certificates</a>.</p>
+
+<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
+
+<h2 id="managing_certificates_that_identify_people">Managing Certificates that
+ Identify People</h2>
+
+<p>When you compose a mail message, you can choose to attach your digital
+ signature to it. A <a href="glossary.xhtml#digital_signature">digital
+ signature</a> allows recipients of the message to verify that the message
+ really comes from you and hasn&apos;t been tampered with since you sent
+ it.</p>
+
+<p>Every time you send a digitally signed message, your encryption certificate
+ is automatically included with the message. This certificate allows the
+ message recipients to send you encrypted messages.</p>
+
+<p>One of the easiest ways to obtain someone else&apos;s encryption certificate
+ is for that person to send you a digitally signed message. Certificate
+ Manager automatically stores other people&apos;s certificates whenever they
+ are received in this way.</p>
+
+<p>To view all the certificates identifying other people that are available to
+ the Certificate Manager, click the People tab at the top of the
+ Certificate Manager window. You can send encrypted messages to anyone for
+ whom a valid certificate is listed. Certificates are listed under the names
+ of the organizations that issued them.</p>
+
+<p>To perform an action on one or more certificates, click the entry for the
+ certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
+ to select more than one), then click one of the buttons at the bottom of the
+ Certificate Manager window. Each of these buttons brings up another window
+ that allows you to perform the action. Click the Help button in any window to
+ obtain more information about using that window.</p>
+
+<p>For more details on how to view and manage these certificates, see the
+ description of the Certificate Manager&apos;s
+ <a href="certs_help.xhtml#people">People</a> tab.</p>
+
+<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
+
+<h2 id="managing_certificates_that_identify_servers">Managing Certificates
+ that Identify Servers</h2>
+
+<p>Some websites and mail servers use certificates to identify themselves.
+ Such identification is required before the server can encrypt information
+ transferred between it and your computer (or vice versa), so that no one
+ can read the data while in transit.</p>
+
+<p>If the URL for a website begins with <tt>https://</tt>, the website has a
+ certificate. If you visit such a website and its certificate was issued by a
+ CA that the Certificate Manager doesn&apos;t know about or doesn&apos;t
+ trust, you will be asked whether you want to accept the website&apos;s
+ certificate. When you accept a new website certificate, the Certificate
+ Manager adds it to its list of website certificates.</p>
+
+<p>To view all the website certificates available to your browser, click the
+ Servers tab at the top of the Certificate Manager window.</p>
+
+<p>To perform an action on one or more certificates, click the entry for the
+ certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
+ to select more than one), then click one of the buttons at the bottom of the
+ Certificate Manager window. Each of these buttons brings up another window
+ that allows you to perform the action. Click the Help button in any window to
+ obtain more information about using that window.</p>
+
+<p>For more details on how to view and manage these certificates, see the
+ description of the Certificate Manager&apos;s
+ <a href="certs_help.xhtml#servers">Servers</a> tab.</p>
+
+<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
+
+<h2 id="managing_certificates_that_identify_certificate_authorities">Managing
+ Certificates that Identify Certificate Authorities</h2>
+
+<p>Like other commonly used forms of ID, a certificate is issued by an
+ organization with recognized authority to issue such identification. An
+ organization that issues certificates is called a
+ <a href="glossary.xhtml#certificate_authority">certificate authority
+ (CA)</a>. A certificate that identifies a CA is called a CA certificate.</p>
+
+<p>Certificate Manager typically has many CA certificates on file. These CA
+ certificates permit Certificate Manager to recognize and work with
+ certificates issued by the corresponding CAs. However, the presence of a CA
+ certificate in this list does <em>not</em> guarantee that the certificates it
+ issues can be trusted. You or your system administrator must make decisions
+ about what kinds of certificates to trust depending on your security
+ needs.</p>
+
+<p>To view all the CA certificates available to your browser, click the
+ Authorities tab at the top of the Certificate Manager window.</p>
+
+<p>To perform an action on one or more CA certificates, click the entry for the
+ certificate (or <kbd class="mac">Cmd</kbd><kbd class="noMac">Ctrl</kbd>-click
+ to select more than one), then click one of the buttons at the bottom of the
+ Certificate Manager window. Each of these buttons brings up another window
+ that allows you to perform the action. Click the Help button in any window to
+ obtain more information about using that window.</p>
+
+<p>For more details on how to view and manage these certificates, see the
+ description of the Certificate Manager&apos;s
+ <a href="certs_help.xhtml#authorities">Authorities</a> tab.</p>
+
+<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
+
+<h2 id="managing_certificates_that_identify_others">Managing Certificates that
+ Identify Others</h2>
+
+<p>To see all certificates that do not fit into any of the other categories,
+ click the Others tab at the top of the Certificate Manager window.</p>
+
+<p>For more details on how to view and manage these certificates, see the
+ description of the Certificate Manager&apos;s
+ <a href="certs_help.xhtml#others">Others</a> tab.</p>
+
+<p>[<a href="#managing_certificates">Return to beginning of section</a>]</p>
+
+<h1 id="managing_smart_cards_and_other_security_devices">Managing Smart Cards
+ and Other Security Devices</h1>
+
+<p>A smart card is a small device, typically about the size of a credit card,
+ that contains a microprocessor and is capable of storing information about
+ your identity (such as your <a href="glossary.xhtml#private_key">private
+ keys</a> and <a href="glossary.xhtml#certificate">certificates</a>) and
+ performing cryptographic operations.</p>
+
+<p>To use a smart card, you typically need to have a smart card reader (a piece
+ of hardware) attached to your computer, as well as software on your computer
+ that controls the reader.</p>
+
+<p>A smart card is just one kind of security device. A security device
+ (sometimes called a token) is a hardware or software device that provides
+ cryptographic services and stores information about your identity. Use the
+ Device Manager to work with smart cards and other security devices.</p>
+
+<div class="contentsBox">In this section:
+ <ul>
+ <li><a href="#about_security_devices_and_modules">About Security Devices
+ and Modules</a></li>
+ <li><a href="#using_security_devices">Using Security Devices</a></li>
+ <li><a href="#using_security_modules">Using Security Modules</a></li>
+ <li><a href="#enable_fips_mode">Enable FIPS Mode</a></li>
+ </ul>
+</div>
+
+<h2 id="about_security_devices_and_modules">About Security Devices and
+ Modules</h2>
+
+<p>The Device Manager displays a window that lists the available security
+ devices. You can use the Device Manager to manage any security devices,
+ including smart cards, that support the Public Key Cryptography Standard
+ (PKCS) #11.</p>
+
+<p>A <a href="glossary.xhtml#pkcs_11_module">PKCS #11 module</a> (sometimes
+ called a security module) controls one or more security devices in much the
+ same way that a software driver controls an external device such as a printer
+ or modem. If you are installing a smart card, you must install the PKCS #11
+ module for the smart card on your computer as well as connecting the smart
+ card reader.</p>
+
+<p>By default, the Device Manager controls two internal PKCS #11 modules that
+ manage three security devices:</p>
+
+<ul>
+ <li><strong>&brandShortName; Internal PKCS #11 Module</strong>: Controls two
+ security devices:
+ <ul>
+ <li><strong>Generic Crypto Services</strong>: A special security device
+ that performs all cryptographic operations required by the
+ &brandShortName; Internal PKCS #11 Module.</li>
+ <li><strong>Software Security Device</strong>: Stores your certificates
+ and keys that aren&apos;t stored on external security devices,
+ including any CA certificates that you may have installed in addition
+ to those that come with the browser.</li>
+ </ul>
+ </li>
+ <li><strong>Builtin Roots Module</strong>: Controls a special security device
+ called the Builtin Object Token. This security device stores the default
+ <a href="glossary.xhtml#ca_certificate">CA certificates</a> that come with
+ the browser.</li>
+</ul>
+
+<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
+ beginning of section</a>]</p>
+
+<h2 id="using_security_devices">Using Security Devices</h2>
+
+<p>The Device Manager allows you to perform operations on security devices. To
+ open the Device Manager, follow these steps:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, click Certificates. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+ <li>In the Certificates panel, click Manage Security Devices.</li>
+</ol>
+
+<p>The Device Manager lists each available PKCS #11 module in boldface, and the
+ security devices managed by each module below its name.</p>
+
+<p>When you select a security device, information about it appears in the
+ middle of the Device Manager window, and some of the buttons on the right
+ side of the window become available. For example, if you select the Software
+ Security Device, you can perform these actions:</p>
+
+<ul>
+ <li>Click Login or Logout to log in or out of the Software Security Device.
+ If you are logging in, you will be asked to supply the master password for
+ the device. You must be logged into a security device before your browser
+ software can use it to provide cryptographic services.</li>
+ <li>Click Change Password to change the master password for the device.</li>
+</ul>
+
+<p>You can perform these actions on most security devices. However, you cannot
+ perform them on the Builtin Object Token or Generic Crypto Services, which
+ are special devices that must normally be available at all times.</p>
+
+<p>For more details, see <a href="certs_help.xhtml#device_manager">Device
+ Manager</a>.</p>
+
+<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
+ beginning of section</a>]</p>
+
+<h2 id="using_security_modules">Using Security Modules</h2>
+
+<p>If you want to use a smart card or other external security device, you must
+ first install the module software on your computer and, if necessary, connect
+ any associated hardware. Follow the instructions that come with the
+ hardware.</p>
+
+<p>After a new module is installed on your computer, follow these steps to load
+ it:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, click Certificates. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+ <li>In the Certificates panel, click Manage Security Devices.</li>
+ <li>Click Load.</li>
+ <li>In the Load PKCS #11 Module dialog box, click the Browse button, locate
+ the module file, and click Open.</li>
+ <li>Fill in the Module Name field with the name of the module and click
+ OK.</li>
+</ol>
+
+<p>The new module will then show up in the list of modules with the name you
+ assigned to it.</p>
+
+<p>To unload a PKCS #11 module, select its name and click Unload.</p>
+
+<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
+ beginning of section</a>]</p>
+
+<h2 id="enable_fips_mode">Enable FIPS Mode</h2>
+
+<p>Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a
+ US government standard for implementations of cryptographic
+ modules&mdash;that is, hardware or software that encrypts and decrypts data
+ or performs other cryptographic operations (such as creating or verifying
+ digital signatures). Many products sold to the US government must comply with
+ one or more of the FIPS standards.</p>
+
+<p>To enable FIPS mode for the browser, you use the Device Manager:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, click Certificates. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+ <li>In the Certificates panel, click Manage Devices.</li>
+ <li>Click the Enable FIPS button. When FIPS is enabled, the name NSS Internal
+ PKCS #11 Module changes to NSS Internal FIPS PKCS #11 Module and the Enable
+ FIPS button changes to Disable FIPS.</li>
+</ol>
+
+<p>To disable FIPS-mode, click Disable FIPS.</p>
+
+<p>[<a href="#managing_smart_cards_and_other_security_devices">Return to
+ beginning of section</a>]</p>
+
+<h1 id="managing_ssltls_warnings_and_settings">Managing SSL/TLS Warnings and
+ Settings</h1>
+
+<p>The Secure Sockets Layer (SSL) protocol allows your computer to exchange
+ information with other computers on the Internet in encrypted form&mdash;that
+ is, the information is scrambled while in transit so that no one else can
+ make sense of it. SSL is also used to identify computers on the Internet by
+ means of <a href="glossary.xhtml#certificate">certificates</a>.</p>
+
+<p>The Transport Layer Security (TLS) protocol is a new standard based on SSL.
+ The old SSL versions have been deprecated for security reasons and TLS is the
+ only supported protocol. The default set of enabled TLS versions works for
+ most people with current servers. However, in some circumstances system
+ administrators or other knowledgeable persons may wish to adjust the SSL/TLS
+ settings to fine-tune them for special security needs or to account for
+ limited capabilities of some legacy servers.</p>
+
+<p>You shouldn&apos;t adjust the SSL/TLS settings for your browser unless you
+ know what you&apos;re doing or have the assistance of someone else who does.
+ If you do need to adjust them for some reason, follow these steps:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, select SSL/TLS. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+</ol>
+
+<p>For more details, see <a href="ssl_help.xhtml">SSL/TLS Settings</a>.</p>
+
+<p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
+
+<h1 id="controlling_validation">Controlling Validation</h1>
+
+<p>As discussed above under <a href="#getting_your_own_certificate">Get Your
+ Own Certificate</a>, a certificate is a form of identification, much like a
+ driver&apos;s license, that you can use to identify yourself over the
+ Internet and other networks. However, also like a driver&apos;s license, a
+ certificate may expire or become invalid for some other reason. Therefore,
+ your browser software needs to confirm the validity of any given certificate
+ in some way before trusting it for identification purposes.</p>
+
+<p>This section describes how Certificate Manager validates certificates and
+ how to control that process. To understand the process, you should have some
+ familiarity with <a href="glossary.xhtml#public-key_cryptography">public-key
+ cryptography</a>. If you are not familiar with the use of certificates, you
+ should check with your system administrator before attempting to change any
+ of your browser&apos;s certificate validation settings.</p>
+
+<div class="contentsBox">In this section:
+ <ul>
+ <li><a href="#how_validation_works">How Validation Works</a></li>
+ <li><a href="#configuring_ocsp">Configuring OCSP</a></li>
+ </ul>
+</div>
+
+<h2 id="how_validation_works">How Validation Works</h2>
+
+<p>Whenever you use or view a certificate stored by Certificate Manager, it
+ takes several steps to verify the certificate. At a minimum, it confirms that
+ the CA&apos;s digital signature on the certificate was created by a CA whose
+ own certificate is (1) present in the Certificate Manager&apos;s list of
+ available CA certificates and (2) marked as trusted for issuing the kind of
+ certificate being verified.</p>
+
+<p>If the CA certificate is not itself present, the
+ <a href="glossary.xhtml#certificate_chain">certificate chain</a> for the CA
+ certificate must include a higher-level CA certificate that is present and
+ correctly trusted. Certificate Manager also confirms that the certificate
+ being verified is currently marked as trusted in the certificate store. If
+ any one of these checks fails, Certificate Manager marks the certificate as
+ unverified and won&apos;t recognize the identity it certifies.</p>
+
+<p>A certificate can pass all these tests and still be compromised in some way;
+ for example, the certificate may be revoked because an unauthorized person
+ has gained access to the certificate&apos;s private key. A compromised
+ certificate can allow an unauthorized person (or website) to pretend to be
+ the certificate owner.</p>
+
+<p>One way to combat this threat would be for Certificate Manager to check a
+ previously downloaded certificate revocation list (CRL) as part of the
+ verification process. However, those lists may be large and need to be
+ updated frequently in order to remain current and thus useful.</p>
+
+<p>The preferred way to combat the threat of compromised certificates is to use
+ a special server that supports the Online Certificate Status Protocol (OCSP).
+ Such a server can answer client queries about individual certificates (see
+ <a href="#configuring_ocsp">Configuring OCSP</a>, below).</p>
+
+<p>The server, called an OCSP responder, receives an updated CRL periodically
+ from the CA that issues the certificates to be verified. You can configure
+ Certificate Manager to submit a status request for a certificate to the OCSP
+ responder, and the OCSP responder confirms whether the certificate is
+ valid.</p>
+
+<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>
+
+<h2 id="configuring_ocsp">Configuring OCSP</h2>
+
+<p>The settings that control OCSP are part of Certificates preferences. To view
+ Certificates preferences, follow these steps:</p>
+
+<ol>
+ <li>Open the <span class="mac">&brandShortName;</span>
+ <span class="noMac">Edit</span> menu and choose Preferences.</li>
+ <li>Under the Privacy &amp; Security category, click Certificates. (If no
+ subcategories are visible, double-click Privacy &amp; Security to expand
+ the list.)</li>
+</ol>
+
+<p>For information about the OCSP options available, see
+ <a href="certs_prefs_help.xhtml#ocsp">Privacy &amp; Security Preferences -
+ Certificates, OCSP</a>.</p>
+
+<p>[<a href="#controlling_validation">Return to beginning of section</a>]</p>
+
+</body>
+</html>
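Review bot: the file is added under the Czech locale path l10n-cs/suite/chrome/common/help/, yet every user-visible string in the hunk is English, from `<title>Using Certificates</title>` through the last "Return to beginning of section" link, so Czech users will see untranslated help; if shipping the en-US text as a fallback is intended, the commit message should say so. Smaller points in the same hunk: "more reliable that your name and password" should read "than"; the cross-reference text "Get Your Own Certificate" does not match the heading "Getting Your Own Certificate" it links to; step 3 of the FIPS procedure says "click Manage Devices" while the two earlier procedures say "Manage Security Devices"; and the same step refers to "NSS Internal PKCS #11 Module" where the module list above names it "&brandShortName; Internal PKCS #11 Module". The Included Certificate List link is plain `http://www.mozilla.org/projects/security/certs/included/`; a page that teaches readers to look for `https://` should itself link over https. Finally, the paragraph on server certificates from an unknown or untrusted CA says the user "will be asked whether you want to accept the website's certificate" without noting that accepting it overrides the checks described under How Validation Works; one sentence pointing at that section would make the risk of accepting clear.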