From 43a97878ce14b72f0981164f87f2e35e14151312 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 11:22:09 +0200 Subject: Adding upstream version 110.0.1. Signed-off-by: Daniel Baumann --- .../chrome/common/help/using_certs_help.xhtml | 599 +++++++++++++++++++++ 1 file changed, 599 insertions(+) create mode 100644 l10n-ka/suite/chrome/common/help/using_certs_help.xhtml (limited to 'l10n-ka/suite/chrome/common/help/using_certs_help.xhtml') diff --git a/l10n-ka/suite/chrome/common/help/using_certs_help.xhtml b/l10n-ka/suite/chrome/common/help/using_certs_help.xhtml new file mode 100644 index 0000000000..fbbea15327 --- /dev/null +++ b/l10n-ka/suite/chrome/common/help/using_certs_help.xhtml @@ -0,0 +1,599 @@ + + + + %brandDTD; +]> + + + +Using Certificates + + + + +

Using Certificates

+ +

A certificate is the digital equivalent of an ID card. Just as you may have + several ID cards for different purposes, such as a driver's license, an + employee ID card, or a credit card, you can have several different + certificates that identify you for different purposes.

+ +

This section describes how to perform operations related to + certificates.

+ + + +

Getting Your Own Certificate

+ +

Much like a credit card or a driver's license, a certificate is a form + of identification you can use to identify yourself over the Internet and + other networks. Like other commonly used personal IDs, a certificate is + typically issued by an organization with recognized authority to issue such + identification. An organization that issues certificates is called a + certificate authority (CA).

+ +

You can obtain certificates that identify you from public CAs, from system + administrators or special CAs within your organization, or from websites + offering specialized services that require a means of identification more + reliable that your name and password.

+ +

Just as the requirements for a driver's license vary depending on the + type of vehicle you want to drive, the requirements for obtaining a + certificate vary depending on what you want to use it for. In some cases + getting a certificate may be as easy as going to a website, entering some + personal information, and automatically downloading the certificate into your + browser. In other cases you may have to go through more complicated + procedures.

+ +

You can obtain a certificate today by visiting the URL for a certificate + authority and following the on-screen instructions. For a list of certificate + authorities issuing certificates recognized by &brandShortName;, see the + online document + Included + Certificate List.

+ +

Once you obtain a certificate, it is automatically stored in a + security device. Your browser + comes with its own built-in Software Security Device. A security device can + also be a piece of hardware, such as a smart card.

+ +

Like a driver's license or a credit card, a certificate is a valuable + form of identification that can be abused if it falls into the wrong hands. + Once you've obtained a certificate that identifies you, you should + protect it in two ways: by backing it up and by setting your + master password.

+ +

When you first obtain a certificate, you may be prompted to back it up. If + you haven't yet created a master password, you will be asked to create + one.

+ +

For detailed information about backing up a certificate and setting your + master password, see Your + Certificates.

+ +

[Return to beginning of section]

+ +

Checking Security for a Web Page

+ +

When you're viewing any web page, the lock icon near the lower-right + corner of the window informs you whether the entire contents of the page was + protected by encryption while it was + being received by your computer:

+ + + + + + + + + + + + + + +
closed lock iconA closed lock means that the page was protected by encryption when it + was received.
open lock iconAn open lock means the page was not protected by encryption when it was + received.
broken lock iconA broken lock means that some or all of the elements within the page + were not protected by encryption when the page was received, even though + the outermost HTML page was encrypted.
+ +

For more details about the encryption status of the page when it was + received, click the lock icon (or open the View menu, choose Page Info, and + click the Security tab).

+ +

The Security tab for Page Info provides two kinds of information:

+ + + +

Important: The lock icon describes only the encryption + status of the page while it was being received by your computer. To be + notified before you send or receive information without encryption, select + the appropriate SSL warning options. See Privacy + & Security Preferences - SSL for details.

+ +

[Return to beginning of section]

+ +

Managing Certificates

+ +

You can use the Certificate Manager to manage the certificates you have + available. Certificates may be stored on your computer's hard disk or on + smart cards or other security devices + attached to your computer.

+ +

To open the Certificate Manager:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
  5. In the Manage Certificates section, click Manage Certificates. You see + the Certificate Manager.
  6. +
+ + + +

Managing Certificates that + Identify You

+ +

When you first open the Certificate Manager, you'll notice that it has + several tabs across the top of its window. The first tab is called Your + Certificates, and it displays the certificates your browser or mail client + has available that identify you. Your certificates are listed under the names + of the organizations that issued them.

+ +

To perform an action on one or more certificates, click the entry for the + certificate (or CmdCtrl-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. Click the Help button in any window to + obtain more information about using that window.

+ +

For more details on how to view and manage these certificates, see + Your Certificates.

+ +

[Return to beginning of section]

+ +

Managing Certificates that + Identify People

+ +

When you compose a mail message, you can choose to attach your digital + signature to it. A digital + signature allows recipients of the message to verify that the message + really comes from you and hasn't been tampered with since you sent + it.

+ +

Every time you send a digitally signed message, your encryption certificate + is automatically included with the message. This certificate allows the + message recipients to send you encrypted messages.

+ +

One of the easiest ways to obtain someone else's encryption certificate + is for that person to send you a digitally signed message. Certificate + Manager automatically stores other people's certificates whenever they + are received in this way.

+ +

To view all the certificates identifying other people that are available to + the Certificate Manager, click the People tab at the top of the + Certificate Manager window. You can send encrypted messages to anyone for + whom a valid certificate is listed. Certificates are listed under the names + of the organizations that issued them.

+ +

To perform an action on one or more certificates, click the entry for the + certificate (or CmdCtrl-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. Click the Help button in any window to + obtain more information about using that window.

+ +

For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + People tab.

+ +

[Return to beginning of section]

+ +

Managing Certificates + that Identify Servers

+ +

Some websites and mail servers use certificates to identify themselves. + Such identification is required before the server can encrypt information + transferred between it and your computer (or vice versa), so that no one + can read the data while in transit.

+ +

If the URL for a website begins with https://, the website has a + certificate. If you visit such a website and its certificate was issued by a + CA that the Certificate Manager doesn't know about or doesn't + trust, you will be asked whether you want to accept the website's + certificate. When you accept a new website certificate, the Certificate + Manager adds it to its list of website certificates.

+ +

To view all the website certificates available to your browser, click the + Servers tab at the top of the Certificate Manager window.

+ +

To perform an action on one or more certificates, click the entry for the + certificate (or CmdCtrl-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. Click the Help button in any window to + obtain more information about using that window.

+ +

For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + Servers tab.

+ +

[Return to beginning of section]

+ +

Managing + Certificates that Identify Certificate Authorities

+ +

Like other commonly used forms of ID, a certificate is issued by an + organization with recognized authority to issue such identification. An + organization that issues certificates is called a + certificate authority + (CA). A certificate that identifies a CA is called a CA certificate.

+ +

Certificate Manager typically has many CA certificates on file. These CA + certificates permit Certificate Manager to recognize and work with + certificates issued by the corresponding CAs. However, the presence of a CA + certificate in this list does not guarantee that the certificates it + issues can be trusted. You or your system administrator must make decisions + about what kinds of certificates to trust depending on your security + needs.

+ +

To view all the CA certificates available to your browser, click the + Authorities tab at the top of the Certificate Manager window.

+ +

To perform an action on one or more CA certificates, click the entry for the + certificate (or CmdCtrl-click + to select more than one), then click one of the buttons at the bottom of the + Certificate Manager window. Each of these buttons brings up another window + that allows you to perform the action. Click the Help button in any window to + obtain more information about using that window.

+ +

For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + Authorities tab.

+ +

[Return to beginning of section]

+ +

Managing Certificates that + Identify Others

+ +

To see all certificates that do not fit into any of the other categories, + click the Others tab at the top of the Certificate Manager window.

+ +

For more details on how to view and manage these certificates, see the + description of the Certificate Manager's + Others tab.

+ +

[Return to beginning of section]

+ +

Managing Smart Cards + and Other Security Devices

+ +

A smart card is a small device, typically about the size of a credit card, + that contains a microprocessor and is capable of storing information about + your identity (such as your private + keys and certificates) and + performing cryptographic operations.

+ +

To use a smart card, you typically need to have a smart card reader (a piece + of hardware) attached to your computer, as well as software on your computer + that controls the reader.

+ +

A smart card is just one kind of security device. A security device + (sometimes called a token) is a hardware or software device that provides + cryptographic services and stores information about your identity. Use the + Device Manager to work with smart cards and other security devices.

+ + + +

About Security Devices and + Modules

+ +

The Device Manager displays a window that lists the available security + devices. You can use the Device Manager to manage any security devices, + including smart cards, that support the Public Key Cryptography Standard + (PKCS) #11.

+ +

A PKCS #11 module (sometimes + called a security module) controls one or more security devices in much the + same way that a software driver controls an external device such as a printer + or modem. If you are installing a smart card, you must install the PKCS #11 + module for the smart card on your computer as well as connecting the smart + card reader.

+ +

By default, the Device Manager controls two internal PKCS #11 modules that + manage three security devices:

+ + + +

[Return to + beginning of section]

+ +

Using Security Devices

+ +

The Device Manager allows you to perform operations on security devices. To + open the Device Manager, follow these steps:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
  5. In the Certificates panel, click Manage Security Devices.
  6. +
+ +

The Device Manager lists each available PKCS #11 module in boldface, and the + security devices managed by each module below its name.

+ +

When you select a security device, information about it appears in the + middle of the Device Manager window, and some of the buttons on the right + side of the window become available. For example, if you select the Software + Security Device, you can perform these actions:

+ + + +

You can perform these actions on most security devices. However, you cannot + perform them on the Builtin Object Token or Generic Crypto Services, which + are special devices that must normally be available at all times.

+ +

For more details, see Device + Manager.

+ +

[Return to + beginning of section]

+ +

Using Security Modules

+ +

If you want to use a smart card or other external security device, you must + first install the module software on your computer and, if necessary, connect + any associated hardware. Follow the instructions that come with the + hardware.

+ +

After a new module is installed on your computer, follow these steps to load + it:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
  5. In the Certificates panel, click Manage Security Devices.
  6. +
  7. Click Load.
  8. +
  9. In the Load PKCS #11 Module dialog box, click the Browse button, locate + the module file, and click Open.
  10. +
  11. Fill in the Module Name field with the name of the module and click + OK.
  12. +
+ +

The new module will then show up in the list of modules with the name you + assigned to it.

+ +

To unload a PKCS #11 module, select its name and click Unload.

+ +

[Return to + beginning of section]

+ +

Enable FIPS Mode

+ +

Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a + US government standard for implementations of cryptographic + modules—that is, hardware or software that encrypts and decrypts data + or performs other cryptographic operations (such as creating or verifying + digital signatures). Many products sold to the US government must comply with + one or more of the FIPS standards.

+ +

To enable FIPS mode for the browser, you use the Device Manager:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
  5. In the Certificates panel, click Manage Devices.
  6. +
  7. Click the Enable FIPS button. When FIPS is enabled, the name NSS Internal + PKCS #11 Module changes to NSS Internal FIPS PKCS #11 Module and the Enable + FIPS button changes to Disable FIPS.
  8. +
+ +

To disable FIPS-mode, click Disable FIPS.

+ +

[Return to + beginning of section]

+ +

Managing SSL Warnings and + Settings

+ +

The Secure Sockets Layer (SSL) protocol allows your computer to exchange + information with other computers on the Internet in encrypted form—that + is, the information is scrambled while in transit so that no one else can + make sense of it. SSL is also used to identify computers on the Internet by + means of certificates.

+ +

The Transport Layer Security (TLS) protocol is a new standard based on SSL. + By default, the browser supports both SSL and TLS. This approach works for + most people, because it guarantees that the browser will work with virtually + all other existing software on the Internet that supports any version of SSL + or TLS.

+ +

However, in some circumstances system administrators or other knowledgeable + persons may wish to adjust the SSL settings to fine-tune them for special + security needs or to account for bugs in some older software products.

+ +

You shouldn't adjust the SSL settings for your browser unless you know + what you're doing or have the assistance of someone else who does. If + you do need to adjust them for some reason, follow these steps:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, select SSL. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
+ +

For more details, see SSL Settings.

+ +

[Return to beginning of section]

+ +

Controlling Validation

+ +

As discussed above under Get Your + Own Certificate, a certificate is a form of identification, much like a + driver's license, that you can use to identify yourself over the + Internet and other networks. However, also like a driver's license, a + certificate may expire or become invalid for some other reason. Therefore, + your browser software needs to confirm the validity of any given certificate + in some way before trusting it for identification purposes.

+ +

This section describes how Certificate Manager validates certificates and + how to control that process. To understand the process, you should have some + familiarity with public-key + cryptography. If you are not familiar with the use of certificates, you + should check with your system administrator before attempting to change any + of your browser's certificate validation settings.

+ +
In this section: + +
+ +

How Validation Works

+ +

Whenever you use or view a certificate stored by Certificate Manager, it + takes several steps to verify the certificate. At a minimum, it confirms that + the CA's digital signature on the certificate was created by a CA whose + own certificate is (1) present in the Certificate Manager's list of + available CA certificates and (2) marked as trusted for issuing the kind of + certificate being verified.

+ +

If the CA certificate is not itself present, the + certificate chain for the CA + certificate must include a higher-level CA certificate that is present and + correctly trusted. Certificate Manager also confirms that the certificate + being verified is currently marked as trusted in the certificate store. If + any one of these checks fails, Certificate Manager marks the certificate as + unverified and won't recognize the identity it certifies.

+ +

A certificate can pass all these tests and still be compromised in some way; + for example, the certificate may be revoked because an unauthorized person + has gained access to the certificate's private key. A compromised + certificate can allow an unauthorized person (or website) to pretend to be + the certificate owner.

+ +

One way to combat this threat would be for Certificate Manager to check a + previously downloaded certificate revocation list (CRL) as part of the + verification process. However, those lists may be large and need to be + updated frequently in order to remain current and thus useful.

+ +

The preferred way to combat the threat of compromised certificates is to use + a special server that supports the Online Certificate Status Protocol (OCSP). + Such a server can answer client queries about individual certificates (see + Configuring OCSP, below).

+ +

The server, called an OCSP responder, receives an updated CRL periodically + from the CA that issues the certificates to be verified. You can configure + Certificate Manager to submit a status request for a certificate to the OCSP + responder, and the OCSP responder confirms whether the certificate is + valid.

+ +

[Return to beginning of section]

+ +

Configuring OCSP

+ +

The settings that control OCSP are part of Certificates preferences. To view + Certificates preferences, follow these steps:

+ +
    +
  1. Open the &brandShortName; + Edit menu and choose Preferences.
  2. +
  3. Under the Privacy & Security category, click Certificates. (If no + subcategories are visible, double-click Privacy & Security to expand + the list.)
  4. +
+ +

For information about the OCSP options available, see + Privacy & Security Preferences - + Certificates, OCSP.

+ +

[Return to beginning of section]

+ + + -- cgit v1.2.3
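Review bot: The Enable FIPS Mode steps tell the reader to click "Manage Devices" in the Certificates panel, while the Using Security Devices and Using Security Modules steps call what appears to be the same button "Manage Security Devices". Use one label, whichever matches the UI, so the FIPS procedure can be followed as written. The same section also writes "FIPS-mode" once against "FIPS mode" elsewhere. Two smaller wording points: "more reliable that your name and password" in Getting Your Own Certificate should read "than", and Controlling Validation refers back to "Get Your Own Certificate" while the section heading is "Getting Your Own Certificate". The file is added under l10n-ka but the help text is English; if that is an intentional untranslated fallback, the commit message should say so.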