===============================================================
Net iD Enterprise, version 6.4.1 - Release Notes
===============================================================

New/Changed features (for more detailed release information see further down)
----------------------------------------------------------------------------------------

6.4.1 (Released 2015-12-14)
- Fix for OS X 10.11 (El Capitan), Installation issue.
- Fix for Ubuntu GUI.
- Other fixes, see details below.

6.4.0 (Released 2015-11-05)
- Support for Microsoft Windows 10, see Known Issues.
- Support for OS X 10.11 (El Capitan), see Known Issues.
- Support for additional smart cards:
-- final versions of Gemalto IDPrime Instant IP10 card.
-- final versions of Gemalto IDPrime SIS EID IP1 card.
-- Oberthur IASECC card with v2.0 applet.
-- Estonian EID cards (EstEID v1.0, v3.0 and v3.5.2).
- Support for configuration via GPO.
- Support for Microsoft Windows Server 2008 ended (2008 R2 still supported).
- Support for Microsoft Windows Server 2012 ended (2012 R2 still supported).
- Support for Microsoft Windows Vista ended.
- Support for Microsoft Internet Explorer 9 ended.
- "Svenska SAMSET" removed as own "language".

6.3.0 (Released 2015-02-17):
- New GUI for Windows, OS X and Ubuntu (the old GUI is available as well if wanted).
- Support for Gemalto IDPrime Instant IP10 card.
- Support for Gemalto IDPrime SIS EID IP1 card.
- Support for Oberthur IASECC v1.0.1 card with v1.2 applet (only v1.3 applet supported earlier).
- Support for Gemalto Tjanstekort EID card with new chip verified.
- Support for Telia EID IP5 card with new chip verified.
- Finnish language has been reviewed.
- Support for OS X 10.10.
- Support for Microsoft Windows Server 2003 ended.
- Support for Microsoft Internet Explorer 8 ended.
- General support for Microsoft Windows Vista ended.
- General support for Microsoft Internet Explorer 9 ended.

6.1.2 (Released 2014-04-17):
- Support for Microsoft Windows XP and Internet Explorer 7 ended.
- Support for Gemalto Instant EID IP9 with new chip.
- Support for Citrix FastConnect API v2 as separately priced custom component.
- Fixed check of parameter exportable when importing PKCS#12 files via plugin, same behavior as generate key pair.
- Fixed adding of soft token to Keychain Access for OS X 10.9.

6.1.1 (Released 2014-03-04)
- Support for Microsoft Windows 8.1 and Internet Explorer 11, known limitations from v6.1.0 removed.
- Support for Microsoft Windows Server 2012 R2.
- General support for Buypass BEID cards (not restricted by license).
- Changed CSP parameter KeepSessionAlive to specify list of applications.
- Note: Support for Microsoft Windows XP and Internet Explorer 7 will be ended 2014-04-08.

6.1.0 (Released 2013-11-18)
- Security enhancements.
- Support for Microsoft Windows 8.1 and Internet Explorer 11, see Known Limitations.
- Support for OS X 10.9 (Mavericks), see Known Issues.
- Enhanced LRA support (Local RA).
- New CSP signature procedure from Microsoft, see Known Issues regarding Windows XP and Windows Server 2003.
- Added support for info label names that have too many characters to be supported by PKCS#11.
- Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Mozilla Firefox on OS X for security reasons, see Known Limitations.

6.0.3 (Released 2013-09-16)
- Security updates.
- Added support for Entrust container format using TaskbarAccessMode with PKCS11.
- Increased NetControl timeout before terminate (10 seconds) and added trace entry when process is terminated.

6.0.2 (Released 2013-07-10)
- Added support for expand of certificate variables to report logon.
- Fixed issue with possibility to crash the plugin.
- Removed plugin command Invoke("Run").

6.0.1 (Released 2013-06-13)
- Updated plugin parameters, may configure to limit access or block access for some/all servers and applications.
  Will solve integrity issue where untrusted web sites could read certificate information via the plugin without notification to the user.

6.0.0 (Released 2013-04-30)
- New User and installation GUIs (old GUI still available if wanted).
- Support to move global configuration file to Registry and to configure via GPO.
- Support for all SHA-2 algorithms (SHA-224/256/384/512).
- Support for Microsoft Windows 8.
- Support for Microsoft Windows Server 2012.
- Support for Google Chrome v26.0 (earlier only support for soft tokens)
- Support for additional smart cards:
-- EVRY Multi EID
-- Net iD Live .NET
-- PIV cards (read only support)
-- Skatteverkets ID-kort v2 (Swedish Tax Authorities IAS-ECC card with Citizen IDs)
-- Taglio card
-- VRK (Finnish Healthcare smart card)
-- Customer specific card

5.7.1 (Released 2013-05-31)
Customer specific release

5.7.0 (Released 2013-03-20)
Customer specific release

5.6.3 (Released 2012-08-13)
- Fixed problem with SSO service shutting down at smart card reader connection failure.

5.6.2 (Released 2012-03-15)
- Added support for soft certificates with Google Chrome version 16.0, current version supported by Google during release tests. The support is valid for Microsoft OS and Mac OS X.
- Support for Mozilla Firefox 11.0, current version supported by Mozilla during release tests.
- Support for changed behaviour in Safari 5.1 regarding Tokend.

5.6.1 (Released 2011-11-10)
- Added trace menu for task bar popup menu.
- CSP default certificate will be returned as first container for enum containers.
- Added support Oberthur special data object for Oberthur minidriver.
- Support for Mozilla Firefox 8.0, current version supported by Mozilla during release tests.
- Support for TrueCrypt 7.1.

5.6.0 (Released 2011-09-05)
- Support for additional smart cards:
-- Oberthur Cosmo v7.0 IAS ECC
-- HID ActiveCard v1
-- Gemalto IAS ECC (limited support)
- Verified smart card profiles:
-- Gemalto Instant EID IP9
-- Gemalto Tjanstekort EID
-- FK EID IP5b
- Additional functionality for Credential Provider, for example PIN Provider and Enrollment Provider.
- Additional functionality for Command line tool.
- MiniDriver v5/v6 certification tests successfully completed with .NET smart card
- All old Net iD Enterprise licenses have been blocked (licenses starting with 'W'). All new standard licenses will start with 'N' and all new demo licenses will start with 'D'.
- Added support for Citrix new logon/logoff component.
- Support for Mozilla Firefox 6.0, current version supported by Mozilla during release tests.

5.5.1 (Released 2011-04-15)
- Support for Microsoft Internet Explorer 9
- Support for Mozilla Firefox v4.0
- Support for Net iD Card Portal v4.0.
- Added C_UnblockPIN for PKCS#11 library.

5.5.0 (Released 2011-02-07)
- Support for Gemalto .Net Smart Cards and Microsoft Minidrivers version 4 to 7.
- Added Certificate Provider for customized certificate selection dialog.
- Added command line tool for change/unlock pin.
- Updated support for reading/writing iClassID cards.
- Added reading of Mifare and iclassID for Watch/Connector.
- Added support for dual uninstallation (32bit/64bit). Using dual installation package to uninstall will uninstall both packages.
- Added language support for Credential/Certificate Provider.
- Updated SSO push logon information.
- Support for Safari 5 on Mac OS X 10.6.

5.4.1 (Released 2010-10-05)
-Enhanced Tokend support for MacOSX regarding AD login
-Enhanced Credential Provider with features like unblockPIN, card attempts left
-Updated Net iD Local Webadministration

5.4.0 (Released 2010-07-01)
-New feature: WLD (Workstation Lock Down smart card shell)
-New feature: Credential Provider
-Added possibility to configure default certificate for CSP
-Tokend support for MacOSX to handle smart card logon
-Web based Net iD Administration
-New feature: MiFare
-Updated Watch

5.3 (Released 2010-02-08)
-Support for Microsoft VPN client (Windows 7)
-Support for RFID read/write
-New local administration portal for Windows/Linux/MacOSX
-NetControl close for Firefox 3, Internet Explorer 8
-Added card token label to dynamic strings. May change default names to more user friendly names, i.e. "Instant IP2" > "Employee card".
-New advanced dialog for certificate selection on Windows
-Soft token support for Safari on MacOSX
-Added Apple keychain as new soft token format
-Added PIN expire policy
-Added PIN history policy
-New component - Net iD Wrapper GINA

5.2 (Released 2009-09-01)
-Windows 7 support
-Windows Server 2008 R2 support
-New version of Net iD Transport supporting file based certificates stored on smart cards
-New version of Net iD Connector supporting several thin client models
-New version of Net iD Watch with a number of new features
-New version of Net iD Minidriver supporting additional smart card models
-Performance optimization and several other improvements, e.g. new encryption standards

5.1 (Released 2009-03-02)
-Updated performance when using smart card logon

5.0 (Released 2008-12-16)
-Default package will install all Net iD system files in %programfiles%\Net iD
-Changed configuration extension: ini => cfg

4.9
-Net iD Crypt support for Windows Vista
-Updated performance in Net iD.
  Enable faster logon with native and Java cards
-Universal build for Mac OS X (PPC and Intel)

4.8
-Added support for 64-bit operating system (Linux, Mac OS X, Windows)
-Added support for Windows Server 2008

4.7
-Added support for Mac OS X 10.5
-Added support for Ubuntu 7.10

4.6
-Changed copyright to SecMaker AB
-New smart card support
-Full Windows Vista support

4.5
-Added support for Setec SetCosXpresso
-Siemens CardOS initialize support

4.4
-Updated for Windows Vista
-Updated for Microsoft Windows Mobile 5/Windows CE 5.0

4.3
-Added following languages: Turkish
-License information for all languages

4.2
-New language support
-Error message when using smart card logon
-Added support for new versions of Windows, Linux and Mac OS X

4.1
-Updated Eventlog component
-Changed enumerate container behavior for CSP to avoid Internet Explorer bug
-Updated config file
-Changed "Svenska (SAMSET)" button names for sign/authenticate on OS X and Windows
-Update support for Netscape/Mozilla/Firefox
-Updated Net iD plugin for web administration (import/export tokens)
-Added new functionality for Signer plugin
-Updated support in RDP

Release Information
----------------------------------------------------------------------------------------

6.4.1.26:
- Changed install location for OS X (/usr/lib => /usr/local/lib)
- Changed default install location for OS X (/usr/lib => /usr/local/lib)
- Changed default install location for OS X Tokend.
- Fixed install pkcs#11 for new OS X location.
- Fixed card detect for Siemens CardOS 4.01.
- Fixed GUI problem for Ubuntu with an initial delay for all dialogs.
- Reintroduced file-open dialog for plugin (Windows-only).

6.4.0.24:
- Added support Oberthur IAS ECC with v2.0 applet.
- Added support for Estonian EID cards (EstEID v1.0, v3.0, v3.5.2).
- Added Windows 10 GUID to application manifest.
- Added reading of GPO.
- Added read-only RSA support for Atos CardOS 5.0.
- Added Signature Creation Service (SCS) for Windows/Linux/OS X.
-- Added support for pre-digested data for Signer plugin.
-- Added Signer plugin parameter AuthorityKeyId for certificate select during signature creation.
-- Added CertMover parameter General>ExtraService. A list of services which will be started/stopped by CertMover.
-- Extended SCS protocol with selector 'subjects'.
-- Updated SCS: selector "validate" ignored and parameter "hashAlgorithm" changed default value from none to SHA-256.
-- Fixed SCS protocol 1.0.1.
- Added token flags for plugin EnumProperty("Token").
- Added folder shell extension.
- Added allowed plugin parameter "ConfigLocal:Reset:*".
- Added pin block for soft token.
- Updated NetControl may handle all logon applications.
- Rewritten card cache completely. Will always use SSO cache if available and will handle no disk access (simulate SmartCard>NoDiskCache=1).
- Skipped modifiable check for CSP before delete of key pair.
- Verified Support for OS X 10.11 (El Capitan), see Known Issues.
- Uses new code signing certificate for Windows.
- Removed "Svenska SAMSET" as own "language", customized texts handled through dynamic strings from now on.
- Fixed pin attempts for BeID cards when used by Credential Provider.
- Fixed PIN Provider for Windows 10.
- Fixed exit windows functionality when Ctrl-Alt-Del desktop active.
- Fixed support for specifying card version for dynamic ATRs.
- Fixed detect Gemalto IDPrime SIS, all odd 4.X will behave as 4.1 and all even 4.X will behave as 4.0.
- Fixed image size parameter for Credential Provider (CP), will only affect .ico files.
- Fixed blocking of other CP even for unsupported scenario PLAP.
- Fixed new window for Web component.
- Fixed dual upgrade with remove old install.
- Fixed remove old install during installation.
- Fixed problem with system modal dialog for Net iD Web when called from CertMover.
- Fixed PUK error message for unlock with CP.
- Fixed error message using empty puk for unlock pin with old GUI.
- Fixed parameter "-url" for LRA/Web components.
- Fixed dynamic menu for explorer menu.
- Fixed load of correct action (unlock/enroll) after card status is changed.
- Fixed release of smart card reader after unlock pin with challenge response for CP.
- Fixed key search for CSP after generate key pair when reusing existing key pair.
- Fixed delete registry keys using registry file import.
- Fixed new GUI for encrypt/decrypt using shell extension.
- Fixed clear all PINs will only affect current session.
- Fixed block of shell-extension for Win8+ metro-mode.

6.3.0.50:
- New GUI for Windows, OS X and Ubuntu.
- Support for OS X 10.10.
- Support for Gemalto IDPrime Instant IP10 card (only 2048 bits RSA keys supported, see Known Limitations).
- Support for Gemalto IDPrime SIS EID IP1 card (only 2048 bits RSA keys supported, see Known Limitations).
- Support for Oberthur IAS-ECC v1.0.1 card with v1.2 applet (only applet v1.3 supported earlier).
- Support for Gemalto Tjanstekort EID card with new chip.
- Support for Telia EID IP5 card with new chip.
- Finnish language has been reviewed.
- Support for Microsoft Windows Server 2003 ended.
- Support for Microsoft Internet Explorer 8 ended.
- General support for Microsoft Windows Vista ended (only supported via separate agreement).
- General Support for Microsoft Internet Explorer 9 ended (only supported via separate agreement).
- Added single-sign-on for soft tokens, use parameters SoftToken>SingleSignOnEnable and SoftToken>SingleSignOnDisable to control the behavior. Default off.
- Added parameter DenyIssuers/AcceptIssuers for MiniDriver, same behavior as CSP.
- Added thumbprint when listing certificates for -command.
- Added handling of Credential/Certificate/PIN Provider for trace parse.
- Added support of delete Registry entries for import registry file.
- Added DenyIssuers/AcceptIssuers parameter for Credential Provider, same format as corresponding parameters for CertMover.
- Added DefaultIssuers parameter for Credential Provider.
  Will set first matching certificate as default, will use same parameter format as DenyIssuers/AcceptIssuers parameters.
- Added set pin expired for -command.
- Added iid.exe -updateusermode to handle install of user mode plugin/pkcs11.
- Added CertMover links action: TokenEvent, TokenPresent, TokenNotPresent.
- Added verify of code signing signature for setup file used by plugin upgrade on Windows (WinVerifyTrust). Will also require SecMaker AB as signing organisation.
- Added start of administration password dialog for Linux uninstallation when needed, i.e. running without sudo for all-user installation.
- Added parameter for session token Pkcs11>SessionToken=0/1.
- Added parameter to sort certificates for CSP.
- Added WebApp for Linux (iidxapp).
- Added SM Keys (Gemalto) in default configuration.
- Added plugin operation Invoke('Action') for custom link action.
- Added support for URL protocol with Web App on Windows.
- Added new parameter to block RSA "raw" algorithm for cards supporting padded algorithms.
- Added support for token/pin labels bigger than 32 characters.
- Added plugin function SetLicense. Will update current license value using the parameters LicenseName/LicenseCompany/License. Will update global configuration if trace server is available (else local configuration).
- Added plugin parameter MachineInfo, to return machine system name and unique id. Will return same information as Command Utility.
- Added setting of file content using SetProperty("Data") for plugin operation ResetToken.
- Import of certificates with AdmUtil using BEGIN/END tags for base64 encoded value.
- Added report success for PIN Provider using "Report CREDUI" section.
- Reintroduced "BMP(Default)" parameter for Certificate Provider.
- Enhanced trace parse for multi-threaded trace file.
- Changed behavior. All Credential Provider parameters are handled by version or language.
- Changed Pkcs11>SessionToken to an application list parameter.
  May still contain 0/1 as earlier or a list of applications which will have parameter enabled (=1).
- Changed behavior. CSP will return NTE_SILENT_CONTEXT instead of NTE_BAD_KEY when CRYPT_SILENT is specified and PIN dialog is needed.
- Changed behavior for plugin command ResetUserData. Will keep local configuration file, but remove sections SoftToken and Temp.
- Changed behavior. CA certificate expire will load custom action CaCertificateExpire instead of show message dialog.
- Changed behavior. PC/SC list readers will reuse same context, instead of creating a new one each call.
- Changed behavior. Plugin will avoid loading of internal components while setting properties, only load for 'ActiveSlot'. This behavior will allow the use of InvokeThread even for initial loading of plugin (avoid hanging of javascript).
- Changed behavior. CSP call CryptGetProvParam with parameter PP_USER_CERTSTORE will also register certificates to MY store.
- CertMover will register ECC certificates on CNG instead of CSP when using PKCS11 as read access mode.
- Changed behavior. Message for certificate license invalid removed, instead any action will be performed using Custom Action > TokenInvalid.
- Watch configuration is only read from global configuration.
- License invalid message was earlier always About dialog, may now perform any action using Custom Action > LicenseInvalid, default action is to show About dialog.
- Updated behavior for Credential Provider. Will always check Enable=0/1 when checking for configuration section existence, still default 1.
- Fixed reset of smart card without update counter.
- Fixed pin pad support.
- Fixed generate PIN2 private keys for IP8.
- Fixed support using T=1 protocol for key operations Buypass BEID cards.
- Fixed upgrade of rebranded Net iD Enterprise.
- Fixed support pin pad for Credential Provider.
- Fixed support ECC keys for plugin enum keys.
- Fixed login status for create Keychain token at logon.
- Fixed signature with algorithm SSL-SHAMD5 for Gemalto applet 3.X.
- Fixed Finnish language strings.
- Fixed dialog box problem for Linux single-user install.
- Fixed another way to handle Microsoft Terminal Server bug with CSP.
- Fixed hide of some parameters for trace.
- Fixed configure of ports for AllowedServers.
- Fixed cache attempts counter for dual PIN1 smart cards.
- Fixed language support for LRA, customer specific functionality.
- Fixed applyconfig for dual installation with old AdmUtil.
- Fixed clear of pin status for .Net cards after pin change.
- Fixed storage of password history in private box.
- Fixed custom links with non-ascii characters.
- Fixed install silent as system.
- Fixed disable trace will stop without restart of process.

6.1.2.25:
- Added ATR for Gemalto Instant EID IP9 (SetCosXpresso IP9) with new chip.
- Added %thumbprint% and %pin% as variables for report logon.
- Added support for Citrix FastConnect API v2 in custom component (separately priced).
- Fixed plugin calls blocked for Crypt extension when used from CertMover.
- Fixed select of default AID for initiate of secure messaging without earlier select of AID.
- Fixed set of parameter Server for plugin when used by Net iD Access.
- Fixed check of parameter exportable when importing PKCS#12 files via plugin, same behavior as generate key pair.
- Fixed adding of soft token to Keychain Access for OS X 10.9.
- Fixed display of fix version (third number) when using OS X and Linux, i.e. Command Utility.
- Fixed reading of card version for GemXpresso 3.01.
- Fixed utf-8 characters for Label/Manufacturer when updating via InitToken.

6.1.1.21:
- Added trace of system info when trace enabled.
- Added version name for Windows 8.1 and Windows 2012 R2 to trace.
- Added requirement for non-empty PIN using old GUI.
- Added loading of CSP when using Credential Provider to avoid no valid certificate failure.
- Added check of plugin name argument (1-256 ascii characters).
- Added check for WTS session id for PC/SC context.
- Limited plugin name length for SetProperty/EnumProperty/GetProperty/Invoke to 256 characters.
- Changed CSP parameter KeepSessionAlive to specify list of applications.
- Changed to allow much more data for parameter Plugin>Allowed.
- Changed so OS X Keychain tokens will get same token number between reinitialize.
- Changed so OS X Keychain tokens will not generate events when Keychain file is updated, since OS X is updating the file on each access.
- Fixed read of correct license information for setup with GUI v6.
- Fixed problem with loading of GUI v6 in OS X.
- Fixed update counter when reinsert former empty card (aka no valid certificate).
- Fixed reading of extra card information for Certificate Provider.
- Fixed Minidriver pin verify to return pin incorrect for empty pin value instead of parameter invalid.
- Fixed blocked pkcs#11 search for invalid license.
- Removed Buypass BEID card license restriction (allowed for all).

6.1.0.12:
- Support for Microsoft Windows 8.1 and Internet Explorer 11, see Known Limitations.
- Support for OS X 10.9 (Mavericks), see Known Issues.
- Removed Plugin parameter SetProperty("Trace") for security reasons.
- Added access control for all plugin functions/variables.
- Added sanity check for Plugin parameter GetProperty("TokenData"), will require soft token to be stored at default location with default file extension.
- Added DevStudio linker options ASLR and DEP.
- Added converting of PKCS#11 token info labels via dynamic strings.
- Separated LRA Enroll/Renew config: EnrollParameters/EnrollRequestURL/EnrollResponseURL, RenewParameters/RenewRequestURL/RenewResponseURL.
- Moved CredProv LRA parameters to LRA section.
- New CSP signature procedure, see Known Issues regarding Windows XP and Windows Server 2003.
- Updated Taskbar "Custom Links", will only read from global configuration.
- Updated CSP signature to be done without Microsoft involvement, according to new Microsoft processes.
- Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Mozilla Firefox on OS X for security reasons, see Known Limitations.
- Fixed converting of PKCS#11 token info labels via dynamic strings.
- Fixed generation of PIN2 key which requires PIN1 from SSO cache.
- Fixed open of LRA menu for CertMover.

6.0.3.52:
- Added support for Entrust container format using TaskbarAccessMode with PKCS11.
- Increased NetControl timeout before terminate (10 seconds) and added trace entry when process is terminated.
- Fixed problem with Entrust container name for non-repudiation certificates.
- Fixed new GUI blocked by new security requirements for plugin.
- Fixed trace server Windows logoff problem.
- Fixed CSP auto-release problem.
- Fixed abort for PIN dialog in new process.
- Fixed start of GUI via INTERNAL event.

6.0.2.49:
- Added support for expand of certificate variables to report logon.
- Added support for new plugin folder for Firefox browser (Windows).
- Fixed supervisor kill of smart card polling thread during shutdown.
- Fixed exit windows for GINA locked screen.
- Fixed plugin crash, and removed plugin command Invoke("Run").
- Fixed SSO problem with CSP.
- Fixed write of pin update counter for .NET card.

6.0.1.47:
- Updated plugin AllowedServer parameter, may configure to limit access or block access for some/all servers.
- Added parameter Plugin>Allowed to specify a list of applications that may use the plugin. Specify with access mode: "iid.exe,1;good.exe,2;bad.exe,0". Same mode values as AllowedServers, but limited (=3) not available.
- Changed to No as default button for confirm dialog on Windows (same as Linux/MacOSX).
- Updated behavior, CertMover pause will also block plugin access.
- Updated behavior, disable CSP will also affect MD for CertMover.
- Updated behavior, FriendlyName=0 will set empty friendly name.
- Updated card support Gemalto IDPrime MD applet.
- Fixed license check based on certificate present, i.e. SITHS.
- Fixed empty friendly name for CertMover, will use certificate label.
- Fixed dynamic strings for Linux/OS X.
- Fixed AdmUtil crash when using UNC path for user profile.
- Fixed Registry naming issue when adding smart cards for Minidriver.
- Fixed problem with loading of cmapfile for Minidriver after PIN change via Microsoft utilities.
- Fixed problem when CertMover reset SSO cache for all users in TS session.
- Fixed access blocked mode (=0) for parameter Plugin>Allowed

6.0.0.41:
- Added possibility to add extra startup components for Windows Run.
- Added possibility to use Secure Desktop for PIN dialog on Windows.
- Updated behavior, will always use Secure Desktop for Exit Windows dialog.
- Setup packages may be installed in installation folder. For example to include uninstall registry file.
- Installation of registry files will always be executed as last action during setup. Files named 'iidxi*.reg' will be executed during install. Files named 'iidxu*.reg' will be executed during uninstall.
- Added auto sorting of configuration file sections at merge.
- Added support for certificate provider in Win8.
- Fixed CredProv for Windows 8.
- Added support for all SHA-2 algorithms (SHA-224/256/384/512), SHA-256 was available earlier.
- Added Initial support Mifare logon for Credential Provider.
- Added pin pad support for plugin.
- Added card update check before any update. At card update, the card will be reloaded before creating objects, and all destroy/update of objects are stopped.
- Added support for key generation on Evry/CryptoTech JCOP smart card.
- Added initialize token for ActivCard. or updates.
- Added PIV smart card support. Key and certificate management will require admin key and special key id handling. Card will also require special data objects for conformance, standard card management will not work.
- Added Taglio smart card support.
- Added support PSO-Digital Signature for Oberthur IAS-ECC.
- Fixed install script for linux/macos.
- Added automatic installation of Netscape plugin for Chrome browser for Windows.
- Fixed report database time format (UTC).
- Added parameter Plugin>Disable. A list of applications that will not be able to create plugin ActiveX object, default empty.
- Added "script" action for Watch insert/remove event. Same action as "open", but will run hidden.
- Added parameter General>CheckEnroll to enable certificate enrollment when any certificate is missing (or card empty). Value format: ",,".
- Added parameter Custom Action>WarningCertificateEnroll with same behavior as renewal and expire action, but used for enrollment check above.
- Added Trace>UseLocalTime=0/1 (default 0) parameter to enable use of local system time in trace for trace server instead of time since trace server started.
- Added parameter MiniDriver>UseCritical=2 for same functionality as CSP for better trace parsing. Only one thread at a time may access MiniDriver.
- Added variable %scenario% for custom Credential Provider presentation info.
- Added dynamic loading correct icon size for Credential Provider when using icon as image: 48x48px for small (CREDUI), 256x256 for big (all other).
- Added plugin property 'Compact' flag to use Name instead of OID in subject/issuer field for enum property 'CertificateEx' and 'Certificate'.
- Changed new GUI dialog behavior. Earlier all dialogs were system modal, not any more. Use parameter '-system' for dialogs that should be system modal.
- Web application aka iidxweb.exe now uses same source code as Web dialog, so all functionality added by Web dialog is also available for Web application.
- Added variable %expire% for custom certificate presentation info.
- Added parameter Enable for all Credential Providers. Earlier, enable/disable was based on configuration available/missing. Will allow setting of configuration and still be inactive.
- Added "-application" as extra parameter for dialog, will never start new process.
- Added "-timeout" as extra parameter for dialog, will use supplied value instead of timeout value for all dialogs (Dialog>Timeout).
- Changed default value for Dialog>Timeout to 600 (10 minutes).
- Added certificate expired/renewal for main application, will enable custom action for plugin.
- Added CredentialProvider>BlockGUID for each provider type to add a list of providers that should be blocked beside the wrapped one.
- Added Links Action>CertificateExpired/CertificateRenew as custom action.
- Update Dialog>SecureDesktop parameter to include darken percent for background screen. Will be stored in second byte: 0x??01. Accepted values are 0-100 or 255, so 0x0001 to 0x6401 or 0xFF01, value 0 will specify default (0x43 => 67%). 255 will disable background image (as Windows 8).
- Credential provider may wrap any provider instead of default Microsoft provider via configuration WrappedGuid for each provider type.
- Added parameter for default PUK reference for pkcs#15 smart cards.
- Added parameter SmartCardReader>SingleConnection=2 to open single global connection towards PC/SC, used for testing bad smart card reader drivers.
- Added init token support in command utility for soft tokens, will remove the soft token content. Usable for testing on Mac OS X.
- Added parameter Administration>View to hide/show elements in new Admin Utility.
- Added parameter Dialog>BrowserVersion to specify minimum supported browser version for new GUI, default 8.
- Added pin type and pin policy for token info object returned by plugin.
- Added property 'ProtectedMode' for plugin, will return true/false depending on protected mode status.
- Added invoke 'ResetUser' command for plugin, will delete and recreate Net iD user application data folder and also reset trace file. Any virtualized (sandbox) folder will also be removed.
  Note, all Net iD user data will be lost and this operation will require not running in protected mode (sandbox).
- Added invoke 'ActivateTrace' and 'DisableTrace' command for plugin, will activate or disable user trace. Note, will handle server trace when available.
- Added client certificate support for internal http/ftp client.
- Added parameter SoftToken>Events=0/1/2 to be able to detect soft token removal.
- Added sort configuration command for sorting of configuration sections and remove of unused sections for different platforms.
- Added connected configuration for static configuration. For example a static configuration may be overwritten by configuration in Registry (GPO).
- Added support for AllowedServers check for Firefox and Safari (Netscape plugin), earlier only Internet Explorer (ActiveX).
- Added possibility to move global configuration file to Registry.
- Added support read/write with both A/B keys for Mifare.
- Added parameter Pkcs11>SeparateThreadSearch=0/1, to allow same session handle to be used for search in different threads simultaneously.
- Added parameter SmartCard>AutoUpdateKeyId=0/1, to allow configure of auto update of connected objects when one is updated. Earlier behavior was always auto update, new default behavior is never auto update.
- Added support for username/password stored on smart card for Credential Provider [OME-314473].
- Added new trace feature, may use SSO2 server as trace server. All traces will be sent to SSO2 server and written with synchronized time, will also avoid problems with two processes trying to write at the same time. Use "server" as name instead of full path to a file. Use Trace>Server to specify location of trace file.
- Added new CertMover. Will access CSPs to get certificates instead of reading from PKCS11. Will add three modes for detecting token insert/remove events: poll, pcsc or pkcs11. Mode poll will check each CSP once a minute for certificate removal/insertion.
  Mode pcsc will check PC/SC for reader/card insert/remove. Mode pkcs11 will use old behavior accessing PKCS11.
- Added new CertMover behavior. May be used as mover for any CSP: CSP>ExtraList.
- Added new CertMover taskbar menu options: Certificate list (0x0200).
- Added support for loading .ico files as Credential Provider bitmaps (size 256x256).
- Added argument -clearcache for MiniDriver to clear Microsoft smart card cache.
- Added support for CSP provider parameter PP_SMARTCARD_READER.
- Added certificate variables for all Watch commands.
- Changed behavior for pkcs#11 C_WaitForSlotEvent, will also generate events for smart card reader insert/remove, earlier only smart card insert/remove and smart card updates.
- Removed parameter MiniDriver>DisableFileCache, since it would have affected new CertMover.
- Updated plugin to handle new Admin Utility features on Mac OS X. 'Only open externally certificate viewer' not supported, since there is no external certificate viewer available.
- Updated AdmUtil and CertMover to enable/disable "server" trace when available, instead of only local trace.
- Updated support for CSP provider parameter PP_SMARTCARD_GUID, will return same information as MS Base SmartCard CSP with our Minidriver.

5.7.1.14:
- Fixed dynamic strings for Linux/MacOSX.
- Updated plugin AllowedServer parameter, may configure to limit access or block access for some/all servers.

5.7.0.12:
- Added support PSO-Digital Signature for Oberthur IAS-ECC.
- Support for additional smart card: Skatteverkets ID-kort v2 (Swedish Tax Authorities updated ID card with Citizen IDs).

5.6.3.64:
- Fixed problem with SSO service shutting down at smart card reader connection failure.

5.6.2.62:
- Updated install PKCS#11 for Firefox.
- Fixed pin unblock for ActivId card.
- Fixed problem with ReloadOnError parameter.
- Fixed NetControl search browser window problem, when application using browser control is running.
- Fixed search for matching key pairs for PKCS#11 when no new key pairs available, will first search with all attributes and then search again with the modifiable attribute removed.
- Fixed milliseconds for trace on Linux/MacOSX.
- Added parameter -clear to -movecertificates argument, to remove all CSP certificates from CryptoAPI store before move.
- Added automatic installation of Netscape plugin for all-user Chrome browser for Windows.
- Changed refresh behavior, will not reload PC/SC connection any longer.
- Fixed problem with CSP support for Nexus Personal Entrust container format.
- Added automatic installation of Netscape plugin for single-user Chrome browser for Windows.
- Added support for search by object in Tokend, beside search for object record. This is needed to support Safari 5.1.
- Added parameter [Admin Utility]>UseService=-1 to disable installation of CertMover as background process (=0) or Service (=1).
- Fixed problem with Citrix SSO component using cards with multiple certificates.
- Fixed container mapping for CSP when multiple card readers used.
- Fixed long pin (more than 8 bytes) with ActivId cards.
- Fixed pin policy only digits.
- Fixed ignore logoff command while disconnected for GINA.
- Fixed connect after disconnect for GINA.
- Fixed CA certificate install for CertMover, will only display single dialog even at failure.
- Increased trace maximum size before clear to 100MB, check each hour.
- Added parameter Smart Card>ObjectSortMode=0/1/2 (0=none/1=day/2=second) for sorting of objects stored on a smart card. Will affect default certificate behavior.
- Fixed issue with old ActivId cards.
- Fixed support T=1 protocol for ActivId card profile.
- Fixed event list order issue.

5.6.1.53:
- Fixed problem with PIN2 cache for card profile "Tjanstekort EID".
- Fixed close of polling thread.
- Support for TrueCrypt 7.1.
- Fixed plugin reinitialize problem for Mac OS X 10.5.
- Fixed Net iD application loading problem for Mac OS X 10.5.
- Fixed loading of extended pkcs#11 functions when plugin is loaded after pkcs#11 for Firefox on Mac OS X/Linux.
- Fixed behavior for MiniDriver. Will reload smart card when receiving unknown vendor specific value from Microsoft Base CSP.
- Fixed support of internal read/write Mifare, will not require external library.
- Fixed certificate enroll for card profile "Tjanstekort EID".
- May start several instances of iidxweb.exe.
- Fixed problem with adding objects to public box.
- Added trace menu for task bar popup menu.
- Fixed taskbar menu icon for about entry when running Win7 classic theme.
- CSP default certificate will be returned as first container for enum containers.
- CSP will not enumerate two containers with same certificates for default containers any longer.
- Fixed support DetectNewSlot=1 for SSO.
- Exit Windows dialogue aborted when Windows already is locked.
- Fixed logoff background for GINA.
- Fixed abort close for ESC button for Watch exit windows dialog.
- Fixed argument for extended call for executable.
- Fixed add entry to EF(UnusedSpace) for private keys stored as a file object.
- Added support Oberthur special data object for Oberthur minidriver.
- Fixed GINA problem.

5.6.0.44:
- Fixed support NT4 credential name GINA logoff at unlock.
- Fixed card expire warning for multiple CA.
- Added parameters Smart Card>Temporary and Smart Card>TemporaryValidity to identify temporary cards. Those cards will have special handling for enroll provider.
- Updated CSP write certificate to handle write PIN2 certificates for Gemalto Classic Applet. Will not map writing to PIN1, as all other multiple PIN cards.
- Fixed delete of read-only certificates for PKCS15 profile.
- Fixed automatic create of update counter at login for PKCS15 profile.
- Fixed CertMover refresh after manual remove of certificates.
- Fixed plugin write of bigger internal private/public data, limit 256 bytes earlier 64 bytes.
- Fixed PIN2 certificate mapping.
- Fixed WLan soft token support for Windows 7 64-bit.
- Fixed sorting of certificates (valid from) from only day to both day and time.
- Added list keys for Command Utility.
- Fixed problem with Minidriver register of multiple certificates for CryptoAPI.
- Minidriver will register certificates in CryptoAPI depending on configuration parameter MiniDriver>MoveCertificates=0/1.
- Credential/PIN Provider>Autologon may be disabled for a list of applications, default "lsass.exe;logonui.exe".
- Fixed performance for Minidriver.
- Fixed support Citrix new logon/logoff component.
- Fixed removal of certificate for external CSP.
- Parameter CSP>ReplaceCertificate may also be used to replace PIN2 certificates.
- Old certificate will be removed when writing certificate using key id as container name for CSP.
- Fixed license block based on License>Issuers. Only certificates with specified issuer available in list will be shown and usable.
- Fixed problem with update of EF(UnusedSpace) for PKCS#15 profile.
- Fixed Minidriver support for Buypass card.
- Enhanced performance for reading Buypass cards. Will not read public keys when certificate is available in pocket. Will update file size to correct modulus size when reading public key from private key file.
- Enhanced performance for .Net smart card.
- Fixed running logoff script for GINA.
- Removed plugin default message, since Internet Explorer will not accept zero size plugin.
- Credential Provider will clear PIN entry field at failure.
- Increased performance for GINA.
- Added PIN unlock with challenge/response for Credential/PIN provider. Requires card support (currently implemented for .NET smart card).
- Added delete of subtree for Registry delete command utility.
- Added Enroll Provider, to enroll certificates before logon for use with LRA component.
- Updated IAS ECC for Gemalto, may generate key pair and write private and public objects for ECC Generic PKI application.
  May not delete key pairs and may not update ECC eID application.
- Updated plugin behavior. Login will logout when entering bad pin while already logged on.
- Added C_SignUpdate/C_SignFinal/C_VerifyUpdate/C_VerifyFinal for PKCS#11 library.
- All old licenses blocked, starting with 'W'. All new standard licenses will start with 'N' and all new demo licenses will start with 'D'.
- Added possibility to load static global configuration to each component.
- Added possibility to load static license information to binary.
- Fixed support OAEP padding Gemalto Classic v3.11.
- Added %keyusage% as image selection parameter for Credential/Certificate provider.
- Added Watch will act only on smart card used during logon.
- Added support for RSA "raw" for SetCOS 4.4 (IP2/IP5/IP8).
- Added PIN Provider for customized Microsoft PIN dialog in same way as Credential Provider. Enabled when "PIN Provider" section is available in configuration.
- Added Autologon=0/1 for both PIN and Credential Provider. Will use stored PIN from SSO2 when available.
- Changed default label for certificate to default friendly name. Will be used by PKCS#11 when label missing on card.
- Added list certificate for Command Utility.
- Initial support ActivIdentity v1 card.
- Fixed allow single language for installation.
- MiniDriver v5/v6 certify test successful with .NET smart card.
- Updated support for Oberthur IAS ECC, for example:
-- Set access condition when creating files for wireless access and import 2048 bit keys.
-- Fixed interoperability with Oberthur minidriver for Oberthur IAS ECC card, will use same update counter.
-- Added support to change SO key for Oberthur IAS ECC.
- Added Mozilla Thunderbird to list of applications for auto install of our PKCS#11 library.
- Added static zlib compress library for PKCS#11 library (win32/win64).
- Updated support Oberthur IAS ECC.
- Fixed SHA-256 certificate enroll with MiniDriver.
- Successful run of Entrust Entelligence CSP Test Utility with .Net smart card.

5.5.1.29:
- Fixed problem with update of PKCS#15 data objects.
- Fixed problem with show bitmap for Credential Provider in certificate select dialog.
- Fixed problem with minidriver when loaded after plugin.
- Added C_UnblockPIN for PKCS#11 library.
- Fixed problem reading PIN protected PrKDF for RPS card.
- Fixed problem with long reader names for minidriver.
- Fixed problem with certificate enroll for minidriver.
- Fixed DER encode integer problem when negative number.
- Fixed plugin Logout for SO user.
- Fixed plugin Reset for SO user.
- Fixed plugin InitToken, section DELETE>erase=1 always available.

5.5.0.27:
- Disabled duplicate context for CSP.
- Added Gemalto default test key for secure messaging.
- Fixed read file problem GemSAFE v1/v2.
- Fixed get pin attempts left for RPS card.
- Fixed read ISO7816-15 PrKDF with private access.
- Fixed .Net smart card signature pin enrollment for second key.
- Added MiniDriver parameter DisablePinCache=0/1 and DisableFileCache=0/1 to avoid Microsoft caching problem. Both have default value 0 (cache active).
- Updated SSO push logon information.
- Fixed support CRYPT_NOHASHOID for CryptVerifySignature in CSP.
- Fixed custom card name for CSP/MiniDriver. Add entry NamePrefix for respective component.
- Fixed problem with secondary certificates for MiniDriver.
- Fixed problem with secondary PIN for MiniDriver.
- Fixed problem with enroll via MMC, will not delete "default" keys.
- Fixed problem for minidriver with too long key id.
- Fixed PIN pad problem with BCD coding (Nordea VISA card).
- Added language support for Credential/Certificate Provider. Prefix title, subtitle, textabove or textbelow with language short name to get different strings depending on language.
- Updated handling of multiple PINs for PKCS#15 profile.
- Fixed detect card immediately after detect new reader.
- Fixed Watch shutdown immediately if no event commands available.
- Fixed win32/win64 dual service support.
- Utf8 and unicode support rewritten for Linux/MacOSX.
- Updated support for reading/writing IClassID cards.
- Fixed configuration parameter [SingleSignOn]>Disable will also disable SSO2, only SSO earlier.
- Fixed limitation in configuration file, will handle parsing of badly encoded data object.
- Added command line tool for change/unlock pin.
- Added support for dual uninstall. Will extract and run silent uninstall for all packages included in the installation package.
- Added support Gemalto .NET smart card.
- Added support loading zlib library for compression of certificate for interoperability with Gemalto .NET smart card minidriver. Will always try to load library zlib.dll/libzlib.so/libzlib.dylib, but file to load may be configured using Compress>Library.
- Added support for using hexadecimal values for PIN/PUK. Needed when PUK value is not a string, i.e. 2DES key. All values beginning with '0x' and containing only hexadecimal digits '0'-'9' or 'A'-'F' will be converted.
- Added support for dual uninstallation. Using dual installation package to uninstall will uninstall both packages.
- Added configuration parameter [CredentialProvider]>BMP(InsertCard) to specify image for insert card prompt.
- Changed behavior, will always set root CA certificates as trusted for PKCS11 library. The result is root CA certificates may be trusted by Firefox.
- Added reading of mifare and iclassid for Watch/Connector.
- Added Certificate Provider for customized certificate selection dialog.
- Added Change Credential Provider for customized Ctrl-Alt-Del change PIN dialog.

5.4.1.34:
- Fixed uninstall local configuration for Linux/MacOSX.
- Added possibility for install pkcs11 in Firefox profiles for MacOSX/Linux.
- Fixed certificate select dialog for MacOSX.
- Fixed show pin attempts for SSO2.
- Added ATR for Buypass card.
- Added configuration parameter to limit the available certificates. Set allowed issuers with [License] > Issuers. All issuers allowed if nothing specified.
- Added [Smart Card] > PinType = 4, for only digits allowed. Will be used by card profiles not storing pin information on card, i.e. Buypass.
- Enhanced support for sending SSO username/password stored on card to different windows. Will handle edit boxes with any class name as long as the text "edit" is part of name. Will also send "enter" to main window if OK button not found.
- Updated Setec SetCOS 4.4.1 card, Instant EID IP2 profile, to erase key files before generating new key pairs.
- CheckSoftExpire introduced, same behavior as CheckCardExpire, but for soft tokens instead of smart cards.
- Possibility to limit the number of supported languages.
- Property InvokeWait introduced for plugin, tells number of seconds plugin should wait for any refreshing before returning, i.e. certificate mover at WriteCertificate.
- Enhanced performance for credential provider.

5.4.0.26:
- Fixed support tracesplit/traceparse Linux/MacOSX.
- Only start dual installation on win64. Will allow single setup containing both win32 and win64. The installation will install win32 for win32 and both win32 and win64 for win64.
- Fixed create/destroy SO pin objects for PKCS#11.
- Fixed parallel execute of Watch commands.
- Fixed background image for Watch.
- Credential Provider may use Minidriver instead of CSP. Will be able to load bitmap based on certificate, but no unlock or pin attempts functionality.
- Fixed PKCS#11 token flag for pin status with any pin reference, to solve problem with pin status for 2 CIA card.
- Fixed minidriver problem with card only supporting T=1.
- Fixed create private key for SetCOS 4.4.
- Updated card handler locking. No lock required for asking card status without force update.
- Added configuration parameter Install>ProductType. Will be appended to product name, i.e. "Net iD OEM"/"Net iD Enterprise".
- Fixed problem with two readers with inserted cards on win64.
- Fixed check card expire problem (new 5.4).
- Fixed Build name with åäöÅÄÖ.
- Fixed ResetToken/InitToken for RPS card.
- Fixed ResetToken for local portal.
- Fixed CSP release context without card access.
- Fixed PKCS#11 close session without card access.
- Changed behavior for displaying running type on Windows. Will now never show 64-bit Edition, but will always append 32-bit Edition for all dialogs when running on 64-bit machine.
- Added file state check for MyEID signature operation. Will require card operational state.
- Updated Tokend for MacOSX.
- Updated MacOSX/Linux installation to remove configuration sections specific for Windows.
- Updated local portal for Safari.
- Updated Credential Provider filter, will not block standard smart card provider unless supported usage scenario.
- Fixed Credential Provider issues with pin attempts left.
- Fixed Credential Provider issues with unknown cards.
- Updated configuration parameter names for Credential Provider.
- Fixed pkcs#11 visibility issue for PIN2 object created with PIN1. Object handles will now be valid for both PIN1 and PIN2 slots, but will only be returned for object search on correct slot.
- Added possibility to configure [Smart Card Reader] > Denied. A list of reader names which are not acceptable.
- Added support for Credential Provider: presenting PIN attempts left, unblock PIN with PUK and possible to configure presentation for all text fields.
- Updated PIN dialog behavior for Plugin/CSP. Generating/importing key pairs or writing certificates for PIN2 will always show both PIN1 and PIN2 dialog (if needed). Both PINs are usually required for updating PIN2 objects. Will not affect when PINs are supplied to CSP/Plugin by caller.
- Updated ChangePIN behavior. Will not be able to abort pin change when change required.
- Updated NetControl. Will show application window name instead of application process name for close question dialog.
- Added initial Credential Provider support. Possible to configure different Tile images depending on subject and/or issuer from the certificate.
- Added initial Apple Tokend support.
- Added support for environment variables for installation directory.
- Added possibility to configure CSP friendly name.
- Fixed environment variables for Watch command.
- Fixed check of key id when adding keys for PKCS#15 profile.
- Added package section to configuration for installation of custom packages.
- Added fingerprint for plugin EnumProperty CertificateEx.
- Added possibility to configure default certificate for CSP.
- Fixed problem with dynamic create/destroy for PKCS#15 profile.
- Fixed problem with environment variables for GINA.
- Added configuration for enable card cache for Minidriver, default false (disabled).
- Fixed CertMover problem when looking for current user.
- Fixed Net iD Watch for combining 'match', 'message' and 'term' parameters.
- Fixed problem searching for first DF when adding new entries for profile PKCS#15.
- Fixed NetControl for Firefox with SSO.
- Fixed CSP friendly name for certificate.
- Fixed initial access problem for reading PIN2 certificates written with PIN1.
- Added support for dynamic create/destroy for PKCS#15 profile. For cards without EF(UnusedSpace).
- Updated default key usage behavior when generating new key pairs with plugin: PIN1 all (same) and PIN2 non-repudiation (changed).

5.3.0.28
- Net iD Watch may handle insert/remove events for unknown cards.
- Net iD Watch may use environment variables for most commands.
- Net iD taskbar can handle more custom links.
- Net iD plugin has full support for non-ascii characters, independent of strange web browser behavior.
- Added workaround to handle Microsoft VPN client.
- New local admin portal for Windows/Linux/MacOSX.
- Added Net iD Wrapper GINA.
- Added NetControl close for Firefox 3, Internet Explorer 8.
- Added card token label to dynamic strings. May change default names to more user friendly names, i.e. "Instant IP2" > "Tjänstekort".
- Added special license agreement for Under Development/Release Candidate.
- Added license may be issued for specific CA certificates.
- Added support for RFID read/write.
- Added new advanced dialog for certificate selection on Windows.
- Added support for more extensions for PKCS#10 certificate request.
- Added soft token support for Safari on MacOSX.
- Added Apple keychain as new soft token format.
- Added PIN expire policy.
- Added PIN history policy.

5.2.2.32
- Fixed problem with update counter for SSO2.
- Fixed verify pin for PKCS#15 cards with no directory in AODF.
- Fixed problem with SSO2 and win2003.
- Fixed problem with pin case sensitive and utf8 encoded.
- Fixed write of BID certificates for BEID cards.
- Fixed UPINO write for BEID card.
- Added sorting for certificate objects: newest returned first.
- Fixed write certificate with plugin when wrong slot specified.
- Fixed enable/disable of multiple network devices.
- Fixed problem for Microsoft wireless access with soft tokens.

5.2.0.26
- File operation Encrypt/Sign will only show valid certificates.
- Fixed problem with expired certificate for CSP.
- Fixed problem with validate for non-installed components.
- Fixed problem with Watch and lock workstation.
- Added Watch config set command (config/registry).
- Added Connector fast match command.
- Fixed problem with key generation on card.
- Added plugin invoke ValidateInstallation. Will verify installation is not modified, i.e. components removed/added/updated or configuration updated.
- Added validate functionality for -loadconfig. Will add checksum for all components when called.
- Added Watch for linux.
- Fixed problem with InitToken.
- Fixed MIME encoding for AdmUtil.
- Fixed AES encoding for PKCS#7 (compatible Vista).
- Fixed SSO service install win64.
- Fixed protected mode for update soft tokens.
- Fixed problem with Watch and lock workstation (card removed and generated lock event before logged in).
- Changed behavior on Windows platform. For RSA key generation the pkcs11 library will first try to use CryptoAPI, second OpenSSL and third internal.
- Apply configuration for Transport will move local soft tokens to global.
- Added all cards for minidriver.
- Added OAEP support for CSP.
- Increased load performance for plugin.
- Changed to global only configuration for NetControl.
- Updated NetControl to handle minidriver.
- Updated Transport.
- Fixed VPN problem with soft tokens.
- Increased speed performance CSP.
- Added some SSO support for minidriver.
- Updated soft tokens to enable default password.
- Updated Transport to both decrypt and verify files (DecryptData/VerifyData).
- Added SSO as service.
- Updated Crypt to handle removable devices.
- Updated Crypt to handle any drive.
- Updated traceparse (relative path).
- Updated traceparse (calculate execution time).
- Updated traceparse (handle incomplete file).
- Added config entry CallTrace for CSP/PKCS11. A new trace functionality, will only trace function entry and result, so less impact on speed performance.
- Added Microsoft standard Save/Open dialogs for plugin.
- Added generic Run command for plugin.
- Added new component Transport.

5.1.2.16
- Updated RegUtil to handle Template/SubjectAltName extensions.
- Fixed disable duplicate for CSP.

5.1.0.16
- Updated RegUtil to handle Template/SubjectAltName extensions.
- Added close of specific window classes for Watch.
- Changed behavior for Net iD Connector, will now accept certificates without smart card logon extended key usage.
- Added support for start of SSO server.
- Moved all SSO config parameters to new section (SingleSignOn).
- Added support for username/password SSO with credentials stored on card.
- Added support for local pages for Net iD Web.
- Added support for custom shortcuts during install.
- Changed CSP behavior. CPDestroyKey and CPDestroyHash will always return success, to handle applications not prepared for smart cards.
- Updated GINA netcard functionality.
- Added post data functionality for core library.
- Fixed update of slot list for AdmUtil at Refresh (F5).
- Fixed matching of key pair for generating new key pairs on smart cards.
- Fixed problem with SSO and soft tokens.
- Changed behavior for Pkcs11 already logged in. Will only return "already logged in" when the correct PIN is given.
- Added AdmUtil change PIN for soft tokens (right click in list).
- New version of Net iD Crypt, Net iD Watch.

5.0.0.31
- Added configuration parameter to disable setting of friendly name when registering certificate for CryptoAPI.
- Added duplicate certificate handling in Pkcs11/CSP.
- Added certificate request attribute for plugin.
- Added publisher to uninstall info.
- Trace registry virtualization limited to 10 keys/entries.
- For duplicate certificates (same issuer/subject) our select certificate dialog will only show the newest.
- The newest certificate will be default for our select certificate dialog.
- Soft tokens will get a unique number.
- Moved some functionality from main library to CSP, to allow CSP to work without loading main library.
- Removed admin access warning for Vista when running as administrator.
- Changed configuration extension: ini => cfg.
- Added support for SHA-256 for pkcs11/CSP/minidriver (CSP/minidriver require Vista or later).
- 64-bit port GINA/SSO/Crypt.
- Added support for AES-128/192/256 for CSP/PKCS11.
- Added support for RSA OAEP for CSP/PKCS11 (AES key wrapping).
- Upgrade will copy new config and merge old config entries.
- Added support for CryptoAPI keypair generation for PKCS11.
- Added support for OpenSSL keypair generation for PKCS11.
- Added support for CryptoAPI random seed for PKCS11.
- Added support for OpenSSL random seed for PKCS11.
- Fixed start iidxadm.exe from Taskbar, when installed in Program files folder.
- Fixed support for SSO with soft tokens.
- Added configuration parameter Install>Special.
- Fixed SSO encrypt/decrypt with data >1MB.
- Fixed SSO sign/verify with data >1MB.
- Added config parameter Smart Card Reader>KeepLoggedInLocked=0/1. When enabled, the behavior will be the same as pin pad => no pin cache at all.
- Added pin pad entry with feedback.
- Changed password character from "star" to "ball" for WinXP or later.
- GINA extra window for ctrl-alt-del.
- SSO may be disabled for applications.
- Added Net iD Web - iidxweb.exe.
- Trace print to always include all seconds.
- Added new config parameter: CSP > KeepSessionAlive=0/1.
- Moved global configuration file to install directory.
- Added config parameter Pkcs11 > ReportWrite.
- Auto lock of PIN for unlock on Setec SetCOS.
- Default values always set in config file.
- Changed behavior, SSO will not auto logout at refresh/finalize.
- Release library for default certificate when unloading.
- Updated auto cleanup for CSP/PKCS11.

Known Issues
----------------------------------------------------------------------------------------
- Windows 10: There are still some issues regarding the interaction with Windows 10 Credential Provider.
  It is however unclear if the problems are related to Windows 10 or Net iD Enterprise and therefore we will wait for upcoming patches from Microsoft before any deeper investigations of the problems are done. Examples:
-- CredentialProvider -> InitChangePin fails in mstsc for Windows 10.
-- Report unlock does not work in Windows 10 since it asks for LOGON credentials instead of doing an UNLOCK.
- Windows Install: "iidsetup.exe -install -silent" shall not be used since uninstall fails, use only "iidsetup.exe /q".
- Windows: The Credential Provider Pass-through cannot present correct info when mapping a network drive.
- OS X: when enrolling a second soft token it replaces the first soft token in the keychain access application. Workaround: drag'n'drop the first token from /Users/'user'/Library/Keychains/ to the keychain access application.

Known Limitations
----------------------------------------------------------------------------------------
- For Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1 with Dual Interface, the support for contactless communication is limited to usage of the card. Personalization, i.e. key generation and import of new certificates, has to be done via the contact interface.
- For Gemalto IDPrime Instant IP10 and Gemalto IDPrime SIS EID IP1 only 2048 bits key length is supported for RSA keys. The cards have support for 1024 bits RSA keys but can't handle a mix of 1024 and 2048 bits keys. To avoid getting corrupt cards and since the common recommendation is not to use 1024 bits keys any longer, only RSA keys with 2048 bits will be supported for the cards.
- Support for NPAPI plugins has been removed or will be removed from many of the popular web browsers. When the NPAPI support is removed from a web browser SecMaker will not be able to support the use of plugins for that web browser.
  The following is the status regarding NPAPI for some of the web browsers:
-- Google Chrome: the NPAPI support has been permanently removed since version 45.
-- Mozilla Firefox: it is still possible for the user to enable the NPAPI plugins via active manual actions in the browser dialogs but the NPAPI support will be completely removed by the end of 2016 according to Mozilla. The 64-bit Firefox for Windows will not include support for NPAPI.
-- Safari: there is no news from Apple but since the trend is to remove the NPAPI support, for security reasons, it is probable that Apple will decide to remove the NPAPI support as well.
-- Microsoft dropped the ActiveX-plugin support with the release of Microsoft Edge. Microsoft Internet Explorer however still supports ActiveX-plugins.
  If you are dependent on NPAPI for your applications please contact SecMaker.
- Mozilla Firefox: Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Firefox on OS X for security reasons in v6.1. The old behaviour was comparable with the behaviour of a trojan, which is not acceptable. A manual workaround to load the PKCS#11 library via nss-modutil is available from SecMaker.

System Requirements
----------------------------------------------------------------------------------------
Operating Systems:

Linux (32-bit and 64-bit versions):
- Ubuntu 14.04 LTS
- Ubuntu 15.10

Microsoft Windows (32-bit and 64-bit versions):
- Windows Server 2012 R2 Standard Edition
- Windows Server 2012 R2 Datacenter Edition
- Windows Server 2008 R2 Standard Edition
- Windows Server 2008 R2 Enterprise Edition
- Windows 10 Home
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Enterprise 2015 LTSB
- Windows 10 Education
- Windows 8.1
- Windows 8.1 Pro
- Windows 8.1 Enterprise
- Windows 8
- Windows 8 Pro
- Windows 8 Enterprise
- Windows 7 Home Basic
- Windows 7 Professional
- Windows 7 Enterprise
- Windows 7 Ultimate

OS X (32-bit and 64-bit versions):
- OS X 10.10
- OS X 10.11

Web browsers:
- Microsoft Edge (limited support)
- Microsoft Internet Explorer 10 (only Desktop mode supported)
- Microsoft Internet Explorer 11 (only Desktop mode supported)
- Mozilla Firefox 38.2 ESR (tests only performed on releases supported by Mozilla) (see Known Limitations)
- Mozilla Firefox 41 (tests only performed on releases supported by Mozilla) (see Known Limitations)
- Google Chrome v45 (tests only performed on latest release supported by Google) (no plugin support, see Known Limitations)
- Safari 8 for OS X
- Safari 9 for OS X
(Regarding NPAPI plugin support in web browsers, see Known Issues)

Smart cards, Smart card Profiles and EID-applets Support
----------------------------------------------------------------------------------------
Smart cards:
- Atos CardOS 5.0 [read/execute only]
- Axalto Cryptoflex
- BeID 3, 5 and 6 (Buypass EID cards)
- EstEID v1.0, v3.0 and v3.5.2 (Estonian EID cards) [read/execute only]
- Gemalto .NET Smart Cards
- Gemalto GemXpresso
- Gemalto IDPrime SIS cards
- Gemalto PIV cards
- IBM JCOP 21, 31, 41
- Net iD Live .NET
- Oberthur Cosmo v7.0 IAS ECC
- Setec SetCOS 3.4, 4.3, 4.4, 5.0
- Setec SetCosXpresso
- Siemens CardOS 4.01, 4.20, 4.30

Profiles:
- ISO 7816-15
- Microsoft Minidriver 4.0, 5.0, 6.0
- PKCS#15
- SS614330 (Swedish EID card standard)
- Examples of verified PKCS#15/ISO7816.15 profiles:
-- FINEID S4
-- FK EID IP5b
-- Gemalto IDPrime Instant IP10 (2048 bits RSA keys supported, see Known Limitations)
-- Gemalto IDPrime SIS EID IP1 (2048 bits RSA keys supported, see Known Limitations)
-- Gemalto Instant EID IP8
-- Gemalto Instant EID IP9 (old and new chip)
-- Gemalto Tjanstekort EID (old and new chip)
-- Skatteverket IAS-ECC card
-- Telia EID IP2
-- Telia EID IP5 (old and new chip)
-- VRK (Finnish healthcare smart card)

EID applets:
- EVRY Multi EID
- Gemalto GemSAFE (Classic); v1, v2 and v3 applets
- Gemalto EID2048 applet
- Gemalto IAS ECC applet [limited support]
- Gemalto IDPrime MD v4.0 and v4.2 applets
- HID ISO/7816-15 applet
- HID ActivIdentity applet framework v1 applet
- Oberthur IAS-ECC 1.0.1; v1.2, v1.3 and v2.0 applets
- Taglio Applet v1.60

Smart card readers
----------------------------------------------------------------------------------------
- Support for card readers as per PC/SC standard

Standards
----------------------------------------------------------------------------------------
- MS Cryptographic Service Provider (CSP) for MS CryptoAPI
- Standard PKCS#11, PKCS#12, PKCS#15
- Standard ISO7816-15
- Standardized digital signatures – PKCS#7
- Standard client identification as per SSL/TLS
- European Citizen cards, IAS ECC v1.0.1 specifications

Upgrade from earlier Net iD Enterprise versions
----------------------------------------------------------------------------------------
Supported versions to upgrade from:
- Net iD version 6.3.x.x
- Net iD version 6.1.x.x

Other Resources and Links
----------------------------------------------------------------------------------------
Visit www.secmaker.com for more information.

Feedback
----------------------------------------------------------------------------------------
Please forward your comments and problem reports to the following e-mail addresses.

Problems discovered should be reported by sending an e-mail to netid@secmaker.com
You can also give us feedback by sending an e-mail to feedback@secmaker.com

SecMaker AB
Hesselmans Torg 5
SE-131 54 Nacka, Stockholm
SWEDEN
+46 8 601 23 00