====================================================
Net iD Enterprise, version 6.1.0 - Release Notes
====================================================

New features (for more detailed release information see further down)
----------------------------------------------------------------------------------------

6.1.0 (Released 2013-11-18)
- Security updates.
- Support for Microsoft Windows 8.1 and Internet Explorer 11, see Known Limitations.
- Support for OS X 10.9 (Mavericks), see Known Issues.
- Enhanced LRA support (Local RA).
- New CSP signature procedure from Microsoft, see Known Issues regarding Windows XP and Windows Server 2003.
- Added support for info label names that have too many characters to be supported by PKCS#11.
- Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Mozilla Firefox on OS X for security reasons, see Known Limitations.

6.0.3 (Released 2013-09-16)
- Security updates.
- Added support for Entrust container format using TaskbarAccessMode with PKCS11.
- Increased NetControl timeout before terminate (10 seconds) and added trace entry when process is terminated.

6.0.2 (Released 2013-07-10)
- Added support for expand of certificate variables to report logon.
- Fixed issue with possibility to crash the plugin.
- Removed plugin command Invoke("Run").

6.0.1 (Released 2013-06-13)
- Updated plugin parameters, may configure to limit access or block access for some/all servers and applications. Solves an integrity issue where untrusted web sites could read certificate information via the plugin without any notification to the user.

6.0.0 (Released 2013-04-30)
- New User and installation GUIs (old GUI still available if wanted).
- Support to move global configuration file to Registry and to configure via GPO.
- Support for all SHA-2 algorithms (SHA-224/256/384/512).
- Support for Microsoft Windows 8.
- Support for Microsoft Windows Server 2012.
- Support for Google Chrome v26.0 (earlier only support for soft tokens).
- Support for additional smart cards:
  -- EVRY Multi EID
  -- Net iD Live .NET
  -- PIV cards (read only support)
  -- Skatteverkets ID-kort v2 (Swedish Tax Authorities IAS-ECC card with Citizen IDs)
  -- Taglio card
  -- VRK (Finnish Healthcare smart card)
  -- Customer specific card

5.7.1 (Released 2013-05-31)
Customer specific release

5.7.0 (Released 2013-03-20)
Customer specific release

5.6.3 (Released 2012-08-13)
- Fixed problem with SSO service shutting down at smart card reader connection failure.

5.6.2 (Released 2012-03-15)
- Added support for soft certificates with Google Chrome version 16.0, current version supported by Google during release tests. The support is valid for Microsoft OS and Mac OS X.
- Support for Mozilla Firefox 11.0, current version supported by Mozilla during release tests.
- Support for changed behaviour in Safari 5.1 regarding Tokend.

5.6.1 (Released 2011-11-10)
- Added trace menu for task bar popup menu.
- CSP default certificate will be returned as first container for enum containers.
- Added support for Oberthur special data object for Oberthur minidriver.
- Support for Mozilla Firefox 8.0, current version supported by Mozilla during release tests.
- Support for TrueCrypt 7.1.

5.6.0 (Released 2011-09-05)
- Support for additional smart cards:
  -- Oberthur Cosmo v7.0 IAS ECC
  -- HID ActiveCard v1
  -- Gemalto IAS ECC (limited support)
- Verified smart card profiles:
  -- Gemalto Instant EID IP9
  -- Gemalto Tjanstekort EID
  -- FK EID IP5b
- Additional functionality for Credential Provider, for example PIN Provider and Enrollment Provider.
- Additional functionality for Command line tool.
- MiniDriver v5/v6 certification tests successfully completed with .NET smart card.
- All old Net iD Enterprise licenses have been blocked (licenses starting with 'W'). All new standard licenses will start with 'N' and all new demo licenses will start with 'D'.
- Added support for Citrix new logon/logoff component.
- Support for Mozilla Firefox 6.0, current version supported by Mozilla during release tests.

5.5.1 (Released 2011-04-15)
- Support for Microsoft Internet Explorer 9.
- Support for Mozilla Firefox v4.0.
- Support for Net iD Card Portal v4.0.
- Added C_UnblockPIN for PKCS#11 library.

5.5.0 (Released 2011-02-07)
- Support for Gemalto .Net Smart Cards and Microsoft Minidrivers version 4 to 7.
- Added Certificate Provider for customized certificate selection dialog.
- Added command line tool for change/unlock pin.
- Updated support for reading/writing iClassID cards.
- Added reading of Mifare and iclassID for Watch/Connector.
- Added support for dual uninstallation (32bit/64bit). Using dual installation package to uninstall will uninstall both packages.
- Added language support for Credential/Certificate Provider.
- Updated SSO push logon information.
- Support for Safari 5 on Mac OS X 10.6.

5.4.1 (Released 2010-10-05)
- Enhanced Tokend support for MacOSX regarding AD login.
- Enhanced Credential Provider with features like unblockPIN, card attempts left.
- Updated Net iD Local Webadministration.

5.4.0 (Released 2010-07-01)
- New feature: WLD (Workstation Lock Down smart card shell).
- New feature: Credential Provider.
- Added possibility to configure default certificate for CSP.
- Tokend support for MacOSX to handle smart card logon.
- Web based Net iD Administration.
- New feature: MiFare.
- Updated Watch.

5.3 (Released 2010-02-08)
- Support for Microsoft VPN client (Windows 7).
- Support for RFID read/write.
- New local administration portal for Windows/Linux/MacOSX.
- NetControl close for Firefox 3, Internet Explorer 8.
- Added card token label to dynamic strings. May change default names to more user friendly names, i.e. "Instant IP2" > "Employee card".
- New advanced dialog for certificate selection on Windows.
- Soft token support for Safari on MacOSX.
- Added Apple keychain as new soft token format.
- Added PIN expire policy.
- Added PIN history policy.
- New component - Net iD Wrapper GINA.

5.2 (Released 2009-09-01)
- Windows 7 support.
- Windows Server 2008 R2 support.
- New version of Net iD Transport supporting file based certificates stored on smart cards.
- New version of Net iD Connector supporting several thin client models.
- New version of Net iD Watch with a number of new features.
- New version of Net iD Minidriver supporting additional smart card models.
- Performance optimization and several other improvements, e.g. new encryption standards.

5.1 (Released 2009-03-02)
- Updated performance when using smart card logon.

5.0 (Released 2008-12-16)
- Default package will install all Net iD system files in %programfiles%\Net iD.
- Changed configuration extension: ini => cfg.

4.9
- Net iD Crypt support for Windows Vista.
- Updated performance in Net iD. Enables faster logon with native and Java cards.
- Universal build for Mac OS X (PPC and Intel).

4.8
- Added support for 64-bit operating systems (Linux, Mac OS X, Windows).
- Added support for Windows Server 2008.

4.7
- Added support for Mac OS X 10.5.
- Added support for Ubuntu 7.10.

4.6
- Changed copyright to SecMaker AB.
- New smart card support.
- Full Windows Vista support.

4.5
- Added support for Setec SetCosXpresso.
- Siemens CardOS initialize support.

4.4
- Updated for Windows Vista.
- Updated for Microsoft Windows Mobile 5/Windows CE 5.0.

4.3
- Added following languages: Turkish.
- License information for all languages.

4.2
- New language support.
- Error message when using smart card logon.
- Added support for new versions of Windows, Linux and Mac OS X.

4.1
- Updated Eventlog component.
- Changed enumerate container behavior for CSP to avoid Internet Explorer bug.
- Updated config file.
- Changed "Svenska (SAMSET)" button names for sign/authenticate on Mac OS X and Windows.
- Updated support for Netscape/Mozilla/FireFox.
- Updated Net iD plugin for web administration (import/export tokens).
- Added new functionality for Signer plugin.
- Updated support in RDP.

Release Information
----------------------------------------------------------------------------------------

6.1.0.12:
- Support for Microsoft Windows 8.1 and Internet Explorer 11, see Known Limitations.
- Support for OS X 10.9 (Mavericks), see Known Issues.
- Removed Plugin parameter SetProperty("Trace") for security reasons.
- Added access control for all plugin functions/variables.
- Added sanity check for Plugin parameter GetProperty("TokenData"), will require soft token to be stored at default location with default file extension.
- Added DevStudio linker options ASLR and DEP.
- Added converting of PKCS#11 token info labels via dynamic strings.
- Separated LRA Enroll/Renew config: EnrollParameters/EnrollRequestURL/EnrollResponseURL, RenewParameters/RenewRequestURL/RenewResponseURL.
- Moved CredProv LRA parameters to LRA section.
- New CSP signature procedure, see Known Issues regarding Windows XP and Windows Server 2003.
- Updated Taskbar "Custom Links", will only read from global configuration.
- Updated CSP signature to be done without Microsoft involvement, according to new Microsoft processes.
- Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Mozilla Firefox on OS X for security reasons, see Known Limitations.
- Fixed converting of PKCS#11 token info labels via dynamic strings.
- Fixed generation of PIN2 key which requires PIN1 from SSO cache.
- Fixed open of LRA menu for CertMover.

6.0.3.52:
- Added support for Entrust container format using TaskbarAccessMode with PKCS11.
- Increased NetControl timeout before terminate (10 seconds) and added trace entry when process is terminated.
- Fixed problem with Entrust container name for non-repudiation certificates.
- Fixed new GUI blocked by new security requirements for plugin.
- Fixed trace server Windows logoff problem.
- Fixed CSP auto-release problem.
- Fixed abort for PIN dialog in new process.
- Fixed start of GUI via INTERNAL event.

6.0.2.49:
- Added support for expand of certificate variables to report logon.
- Added support for new plugin folder for Firefox browser (Windows).
- Fixed supervisor kill of smart card polling thread during shutdown.
- Fixed exit windows for GINA locked screen.
- Fixed plugin crash, and removed plugin command Invoke("Run").
- Fixed SSO problem with CSP.
- Fixed write of pin update counter for .NET card.

6.0.1.47:
- Updated plugin AllowedServer parameter, may configure to limit access or block access for some/all servers.
- Added parameter Plugin>Allowed to specify a list of applications that may use the plugin. Specify with access mode: "iid.exe,1;good.exe,2;bad.exe,0". Same mode values as AllowedServers, but limited (=3) not available.
- Changed to No as default button for confirm dialog on Windows (same as Linux/MacOSX).
- Updated behavior, CertMover pause will also block plugin access.
- Updated behavior, disable CSP will also affect MD for CertMover.
- Updated behavior, FriendlyName=0 will set empty friendly name.
- Updated card support Gemalto IDPrime MD applet.
- Fixed license check based on certificate present, i.e. SITHS.
- Fixed empty friendly name for CertMover, will use certificate label.
- Fixed dynamic strings for Linux/OS X.
- Fixed AdmUtil crash when using UNC path for user profile.
- Fixed Registry naming issue when adding smart cards for Minidriver.
- Fixed problem with loading of cmapfile for Minidriver after PIN change via Microsoft utilities.
- Fixed problem when CertMover reset SSO cache for all users in TS session.
- Fixed access blocked mode (=0) for parameter Plugin>Allowed.

6.0.0.41:
- Added possibility to add extra startup components for Windows Run.
- Added possibility to use Secure Desktop for PIN dialog on Windows.
- Updated behavior, will always use Secure Desktop for Exit Windows dialog.
- Setup packages may be installed in installation folder. For example to include uninstall registry file.
- Installation of registry files will always be executed as last action during setup. Files named 'iidxi*.reg' will be executed during install. Files named 'iidxu*.reg' will be executed during uninstall.
- Added auto sorting of configuration file sections at merge.
- Added support for certificate provider in Win8.
- Fixed CredProv for Windows 8.
- Added support for all SHA-2 algorithms (SHA-224/256/384/512), SHA-256 was available earlier.
- Added initial support Mifare logon for Credential Provider.
- Added pin pad support for plugin.
- Added card update check before any update. At card update the card will be reloaded before objects are created, and all destroy/update of objects are stopped.
- Added support for key generation on Evry/CryptoTech JCOP smart card.
- Added initialize token for ActivCard. or updates.
- Added PIV smart card support. Key and certificate management will require admin key and special key id handling. Card will also require special data objects for conformance, standard card management will not work.
- Added Taglio smart card support.
- Added support PSO-Digital Signature for Oberthur IAS-ECC.
- Fixed install script for linux/macos.
- Added automatic installation of Netscape plugin for Chrome browser for Windows.
- Fixed report database time format (UTC).
- Added parameter Plugin>Disable. A list of applications that will not be able to create plugin ActiveX object, default empty.
- Added "script" action for Watch insert/remove event. Same action as "open", but will run hidden.
- Added parameter General>CheckEnroll to enable certificate enrollment when any certificate is missing (or card empty). Value format: ",,".
- Added parameter Custom Action>WarningCertificateEnroll with same behavior as renewal and expire action, but used for enrollment check above.
- Added Trace>UseLocalTime=0/1 (default 0) parameter to enable use of local system time in trace for trace server instead of time since trace server started.
- Added parameter MiniDriver>UseCritical=2 for same functionality as CSP for better trace parsing. Only one thread at a time may access MiniDriver.
- Added variable %scenario% for custom Credential Provider presentation info.
- Added dynamic loading of correct icon size for Credential Provider when using icon as image: 48x48px for small (CREDUI), 256x256 for big (all other).
- Added plugin property 'Compact' flag to use Name instead of OID in subject/issuer field for enum property 'CertificateEx' and 'Certificate'.
- Changed new GUI dialog behavior. Earlier all dialogs were system modal, not any more. Use parameter '-system' for dialogs that should be system modal.
- Web application aka iidxweb.exe now uses same source code as Web dialog, so all functionality added by Web dialog is also available for Web application.
- Added variable %expire% for custom certificate presentation info.
- Added parameter Enable for all Credential Providers. Earlier enable/disable was based on configuration available/missing. Will allow setting of configuration and still be inactive.
- Added "-application" as extra parameter for dialog, will never start new process.
- Added "-timeout" as extra parameter for dialog, will use supplied value instead of timeout value for all dialogs (Dialog>Timeout).
- Changed default value for Dialog>Timeout to 600 (10 minutes).
- Added certificate expired/renewal for main application, will enable custom action for plugin.
- Added CredentialProvider>BlockGUID for each provider type to add a list of providers that should be blocked beside the wrapped one.
- Added Links Action>CertificateExpired/CertificateRenew as custom action.
- Updated Dialog>SecureDesktop parameter to include darken percent for background screen. Will be stored in second byte: 0x??01.
  Accepted values are 0-100 or 255, so 0x0001 to 0x6401 or 0xFF01, value 0 will specify default (0x43 => 67%). 255 will disable background image (as Windows 8).
- Credential provider may wrap any provider instead of default Microsoft provider via configuration WrappedGuid for each provider type.
- Added parameter for default PUK reference for pkcs#15 smart cards.
- Added parameter SmartCardReader>SingleConnection=2 to open single global connection towards PC/SC, used for testing bad smart card reader drivers.
- Added init token support in command utility for soft tokens, will remove the soft token content. Usable for testing on Mac OS X.
- Added parameter Administration>View to hide/show elements in new Admin Utility.
- Added parameter Dialog>BrowserVersion to specify minimum supported browser version for new GUI, default 8.
- Added pin type and pin policy for token info object returned by plugin.
- Added property 'ProtectedMode' for plugin, will return true/false depending on protected mode status.
- Added invoke 'ResetUser' command for plugin, will delete and recreate Net iD user application data folder and also reset trace file. Any virtualized (sandbox) folder will also be removed. Note, all Net iD user data will be lost and this operation will require not running in protected mode (sandbox).
- Added invoke 'ActivateTrace' and 'DisableTrace' command for plugin, will activate or disable user trace. Note, will handle server trace when available.
- Added client certificate support for internal http/ftp client.
- Added parameter SoftToken>Events=0/1/2 to be able to detect soft token removal.
- Added sort configuration command for sorting of configuration sections and removal of unused sections for different platforms.
- Added connected configuration for static configuration. For example a static configuration may be overwritten by configuration in Registry (GPO).
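The Dialog>SecureDesktop byte layout from the 6.0.0.41 entries above, as an added Python example (not Net iD code): it encodes and decodes the value and rejects darken percentages outside 0-100/255 instead of silently clamping them. The [Dialog] section and SecureDesktop key names in the constructed sample configuration are assumed from the Dialog>SecureDesktop notation, and a low byte of 0x00 meaning "secure desktop disabled" is also an assumption.

```python
import configparser

# Constants taken from the release notes entry on Dialog>SecureDesktop.
DEFAULT_DARKEN = 0x43       # value 0 means "default", which the notes give as 0x43 => 67%
DISABLE_BACKGROUND = 0xFF   # 255 disables the background image (as Windows 8)
FLAG_ENABLED = 0x01         # low byte of 0x??01; treating 0x00 as "disabled" is an assumption


def encode_secure_desktop(enabled: bool, darken_percent: int = 0) -> int:
    """Build the 16-bit value: high byte = darken percent, low byte = secure desktop flag.

    Only 0-100 or 255 are accepted for the percent, exactly as the notes state;
    0 is passed through so the product applies its own default.
    """
    if darken_percent != DISABLE_BACKGROUND and not 0 <= darken_percent <= 100:
        raise ValueError(f"darken percent must be 0-100 or 255, got {darken_percent}")
    return (darken_percent << 8) | (FLAG_ENABLED if enabled else 0x00)


def decode_secure_desktop(value) -> dict:
    """Interpret a configured value given as int or as text ('0x6401' or '25601').

    Returns a dict with 'enabled', 'darken_percent' (None when the background
    image is disabled) and 'background_image'.  Out-of-range percentages and
    unknown flag bytes are rejected rather than silently clamped.
    """
    if isinstance(value, str):
        value = int(value.strip(), 0)   # base 0: '0x..' hex or plain decimal
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"value {value:#x} does not fit the two-byte layout")
    flag = value & 0xFF
    if flag not in (0x00, FLAG_ENABLED):
        raise ValueError(f"unexpected flag byte {flag:#04x}")
    percent = value >> 8
    result = {"enabled": flag == FLAG_ENABLED, "background_image": True}
    if percent == DISABLE_BACKGROUND:
        result.update(darken_percent=None, background_image=False)
    elif percent == 0:
        result["darken_percent"] = DEFAULT_DARKEN
    elif percent <= 100:
        result["darken_percent"] = percent
    else:
        raise ValueError(f"darken percent {percent} outside 0-100/255")
    return result


def secure_desktop_from_cfg(cfg_text: str) -> dict:
    """Read Dialog>SecureDesktop from INI-style text.

    The [Dialog] section and SecureDesktop key are assumed from the
    'Dialog>SecureDesktop' notation used in the notes.  A missing key is
    reported as secure desktop disabled.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    raw = cfg.get("Dialog", "SecureDesktop", fallback=None)
    if raw is None:
        return {"enabled": False, "darken_percent": None, "background_image": True}
    return decode_secure_desktop(raw)


# Constructed sample configuration, not taken from any real installation.
SAMPLE_CFG = """
[Dialog]
Timeout=600
SecureDesktop=0x3201
"""

if __name__ == "__main__":
    for raw in ("0x0001", "0x6401", "0xFF01", "0x3201"):
        print(raw, decode_secure_desktop(raw))
    print(secure_desktop_from_cfg(SAMPLE_CFG))
```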
- Added support for AllowedServers check for Firefox and Safari (Netscape plugin), earlier only Internet Explorer (ActiveX).
- Added possibility to move global configuration file to Registry.
- Added support read/write with both A/B keys for Mifare.
- Added parameter Pkcs11>SeparateThreadSearch=0/1, to allow same session handle to be used for search in different threads simultaneously.
- Added parameter SmartCard>AutoUpdateKeyId=0/1, to allow configuration of auto update of connected objects when one is updated. Earlier behavior was always auto update, new default behavior is never auto update.
- Added support for username/password stored on smart card for Credential Provider [OME-314473].
- Added new trace feature, may use SSO2 server as trace server. All traces will be sent to SSO2 server and written with synchronized time, which also avoids problems with two processes trying to write at the same time. Use "server" as name instead of full path to a file. Use Trace>Server to specify location of trace file.
- Added new CertMover. Will access CSPs to get certificates instead of reading from PKCS11. Will add three modes for detecting token insert/remove events: poll, pcsc or pkcs11. Mode poll will check each CSP once a minute for certificate removal/insertion. Mode pcsc will check PC/SC for reader/card insert/remove. Mode pkcs11 will use old behavior accessing PKCS11.
- Added new CertMover behavior. May be used as mover for any CSP: CSP>ExtraList.
- Added new CertMover taskbar menu options: Certificate list (0x0200).
- Added support for loading .ico files as Credential Provider bitmaps (size 256x256).
- Added argument -clearcache for MiniDriver to clear Microsoft smart card cache.
- Added support for CSP provider parameter PP_SMARTCARD_READER.
- Added certificate variables for all Watch commands.
- Changed behavior for pkcs#11 C_WaitForSlotEvent, will also generate events for smart card reader insert/remove; earlier only smart card insert/remove and smart card updates.
- Removed parameter MiniDriver>DisableFileCache, since it would have affected new CertMover.
- Updated plugin to handle new Admin Utility features on Mac OS X. 'Only open externally certificate viewer' not supported, since there is no external certificate viewer available.
- Updated AdmUtil and CertMover to enable/disable "server" trace when available, instead of only local trace.
- Updated support for CSP provider parameter PP_SMARTCARD_GUID, will return same information as MS Base SmartCard CSP with our Minidriver.

5.7.1.14:
- Fixed dynamic strings for Linux/MacOSX.
- Updated plugin AllowedServer parameter, may configure to limit access or block access for some/all servers.

5.7.0.12:
- Added support PSO-Digital Signature for Oberthur IAS-ECC.
- Support for additional smart card: Skatteverkets ID-kort v2 (Swedish Tax Authorities updated ID card with Citizen IDs).

5.6.3.64:
- Fixed problem with SSO service shutting down at smart card reader connection failure.

5.6.2.62:
- Updated install PKCS#11 for Firefox.
- Fixed pin unblock for ActivId card.
- Fixed problem with ReloadOnError parameter.
- Fixed NetControl search browser window problem, when application using browser control is running.
- Fixed search for matching key pairs for PKCS#11 when no new key pairs available, will first search with all attributes and second search after modifiable attribute removed.
- Fixed milliseconds for trace on Linux/MacOSX.
- Added parameter -clear to -movecertificates argument, to remove all CSP certificates from CryptoAPI store before move.
- Added automatic installation of Netscape plugin for all-user Chrome browser for Windows.
- Changed refresh behavior, will not reload PC/SC connection any longer.
- Fixed problem with CSP support for Nexus Personal Entrust container format.
- Added automatic installation of Netscape plugin for single-user Chrome browser for Windows.
- Added support for search by object in Tokend, beside search for object record.
  This is needed to support Safari 5.1.
- Added parameter [Admin Utility]>UseService=-1 to disable installation of CertMover as background process (=0) or Service (=1).
- Fixed problem with Citrix SSO component using cards with multiple certificates.
- Fixed container mapping for CSP when multiple card readers used.
- Fixed long pin (more than 8 bytes) with ActivId cards.
- Fixed pin policy only digits.
- Fixed ignore logoff command while disconnected for GINA.
- Fixed connect after disconnect for GINA.
- Fixed CA certificate install for CertMover, will only display single dialog even at failure.
- Increased trace maximum size before clear to 100MB, check each hour.
- Added parameter Smart Card>ObjectSortMode=0/1/2 (0=none/1=day/2=second) for sorting of objects stored on a smart card. Will affect default certificate behavior.
- Fixed issue with old ActivId cards.
- Fixed support T=1 protocol for ActiveId card profile.
- Fixed event list order issue.

5.6.1.53:
- Fixed problem with PIN2 cache for card profile "Tjanstekort EID".
- Fixed close of polling thread.
- Support for TrueCrypt 7.1.
- Fixed plugin reinitialize problem for Mac OS X 10.5.
- Fixed Net iD application loading problem for Mac OS X 10.5.
- Fixed loading of extended pkcs#11 functions when plugin is loaded after pkcs#11 for Firefox on Mac OS X/Linux.
- Fixed behavior for MiniDriver. Will reload smart card when receiving unknown vendor specific value from Microsoft Base CSP.
- Fixed support of internal read/write Mifare, will not require external library.
- Fixed certificate enroll for card profile "Tjanstekort EID".
- May start several instances of iidxweb.exe.
- Fixed problem with adding objects to public box.
- Added trace menu for task bar popup menu.
- Fixed taskbar menu icon for about entry when running Win7 classic theme.
- CSP default certificate will be returned as first container for enum containers.
- CSP will not enumerate two containers with same certificates for default containers any longer.
- Fixed support DetectNewSlot=1 for SSO.
- Exit Windows dialogue aborted when Windows already is locked.
- Fixed logoff background for GINA.
- Fixed abort close for ESC button for Watch exit windows dialog.
- Fixed argument for extended call for executable.
- Fixed add entry to EF(UnusedSpace) for private keys stored as a file object.
- Added support Oberthur special data object for Oberthur minidriver.
- Fixed GINA problem.

5.6.0.44:
- Fixed support NT4 credential name GINA logoff at unlock.
- Fixed card expire warning for multiple CA.
- Added parameters Smart Card>Temporary and Smart Card>TemporaryValidity to identify temporary cards. Those cards will have special handling for enroll provider.
- Updated CSP write certificate to handle write PIN2 certificates for Gemalto Classic Applet. Will not map writing to PIN1, as all other multiple PIN cards.
- Fixed delete of read-only certificates for PKCS15 profile.
- Fixed automatic create of update counter at login for PKCS15 profile.
- Fixed CertMover refresh after manual remove of certificates.
- Fixed plugin write of bigger internal private/public data, limit 256 bytes, earlier 64 bytes.
- Fixed PIN2 certificate mapping.
- Fixed WLan soft token support for Windows 7 64-bit.
- Fixed sorting of certificates (valid from) from only day to both day and time.
- Added list keys for Command Utility.
- Fixed problem with Minidriver register of multiple certificates for CryptoAPI.
- Minidriver will register certificates in CryptoAPI depending on configuration parameter MiniDriver>MoveCertificates=0/1.
- Credential/PIN Provider>Autologon may be disabled for a list of applications, default "lsass.exe;logonui.exe".
- Fixed performance for Minidriver.
- Fixed support Citrix new logon/logoff component.
- Fixed removal of certificate for external CSP.
- Parameter CSP>ReplaceCertificate may also be used to replace PIN2 certificates.
- Old certificate will be removed when writing certificate using key id as container name for CSP.
- Fixed license block based on License>Issuers. Only certificates with specified issuer available in list will be shown and usable.
- Fixed problem with update of EF(UnusedSpace) for PKCS#15 profile.
- Fixed Minidriver support for Buypass card.
- Enhanced performance for reading Buypass cards. Will not read public keys when certificate is available in pocket. Will update file size to correct modulus size when reading public key from private key file.
- Enhanced performance for .Net smart card.
- Fixed running logoff script for GINA.
- Removed plugin default message, since Internet Explorer will not accept zero size plugin.
- Credential Provider will clear PIN entry field at failure.
- Increased performance for GINA.
- Added PIN unlock with challenge/response for Credential/PIN provider. Requires card support (currently implemented for .NET smart card).
- Added delete of subtree for Registry delete command utility.
- Added Enroll Provider, to enroll certificates before logon for use with LRA component.
- Updated IAS ECC for Gemalto, may generate key pair and write private and public objects for ECC Generic PKI application. May not delete key pairs and may not update ECC eID application.
- Updated plugin behavior. Login will logout when entering bad pin for already logged on.
- Added C_SignUpdate/C_SignFinal/C_VerifyUpdate/C_VerifyFinal for PKCS#11 library.
- All old licenses blocked, starting with 'W'. All new standard licenses will start with 'N' and all new demo licenses will start with 'D'.
- Added possibility to load static global configuration to each component.
- Added possibility to load static license information to binary.
- Fixed support OAEP padding Gemalto Classic v3.11.
- Added %keyusage% as image selection parameter for Credential/Certificate provider.
- Added Watch will act only on smart card used during logon.
- Added support for RSA "raw" for SetCOS 4.4 (IP2/IP5/IP8).
- Added PIN Provider for customized Microsoft PIN dialog in same way as Credential Provider. Enabled when "PIN Provider" section is available in configuration.
- Added Autologon=0/1 for both PIN and Credential Provider. Will use stored PIN from SSO2 when available.
- Changed default label for certificate to default friendly name. Will be used by PKCS#11 when label missing on card.
- Added list certificate for Command Utility.
- Initial support ActivIdentity v1 card.
- Fixed allow single language for installation.
- MiniDriver v5/v6 certify test successful with .NET smart card.
- Updated support for Oberthur IAS ECC, for example:
  -- Set access condition when creating files for wireless access and import 2048 bit keys.
  -- Fixed interoperability with Oberthur minidriver for Oberthur IAS ECC card, will use same update counter.
  -- Added support to change SO key for Oberthur IAS ECC.
- Added Mozilla Thunderbird to list of applications for auto install of our PKCS#11 library.
- Added static zlib compress library for PKCS#11 library (win32/win64).
- Updated support Oberthur IAS ECC.
- Fixed SHA-256 certificate enroll with MiniDriver.
- Successful run of Entrust Entelligence CSP Test Utility with .Net smart card.

5.5.1.29:
- Fixed problem with update of PKCS#15 data objects.
- Fixed problem with show bitmap for Credential Provider in certificate select dialog.
- Fixed problem with minidriver when loaded after plugin.
- Added C_UnblockPIN for PKCS#11 library.
- Fixed problem reading PIN protected PrKDF for RPS card.
- Fixed problem with long reader names for minidriver.
- Fixed problem with certificate enroll for minidriver.
- Fixed DER encode integer problem when negative number.
- Fixed plugin Logout for SO user.
- Fixed plugin Reset for SO user.
- Fixed plugin InitToken, section DELETE>erase=1 always available.

5.5.0.27:
- Disabled duplicate context for CSP.
- Added Gemalto default test key for secure messaging.
- Fixed read file problem GemSAFE v1/v2.
- Fixed get pin attempts left for RPS card.
- Fixed read ISO7816-15 PrKDF with private access.
- Fixed .Net smart card signature pin enrollment for second key.
- Added MiniDriver parameter DisablePinCache=0/1 and DisableFileCache=0/1 to avoid Microsoft caching problem. Both have default value 0 (cache active).
- Updated SSO push logon information.
- Fixed support CRYPT_NOHASHOID for CryptVerifySignature in CSP.
- Fixed custom card name for CSP/MiniDriver. Add entry NamePrefix for respective component.
- Fixed problem with secondary certificates for MiniDriver.
- Fixed problem with secondary PIN for MiniDriver.
- Fixed problem with enroll via MMC, will not delete "default" keys.
- Fixed problem for minidriver with too long key id.
- Fixed PIN pad problem with BCD coding (Nordea VISA card).
- Added language support for Credential/Certificate Provider. Prefix title, subtitle, textabove or textbelow with language short name to get different strings depending on language.
- Updated handling of multiple PINs for PKCS#15 profile.
- Fixed detect card immediately after detect new reader.
- Fixed Watch shutdown immediately if no event commands available.
- Fixed win32/win64 dual service support.
- Utf8 and unicode support rewritten for Linux/MacOSX.
- Updated support for reading/writing IClassID cards.
- Fixed configuration parameter [SingleSignOn]>Disable will also disable SSO2, only SSO earlier.
- Fixed limitation in configuration file, will handle parsing of badly encoded data object.
- Added command line tool for change/unlock pin.
- Added support for dual uninstall. Will extract and run silent uninstall for all packages included in the installation package.
- Added support Gemalto .NET smart card.
- Added support loading zlib library for compression of certificate for interoperability with Gemalto .NET smart card minidriver. Will always try to load library zlib.dll/libzlib.so/libzlib.dylib, but file to load may be configured using Compress>Library.
- Added support for using hexadecimal values for PIN/PUK. Needed when PUK value is not a string, i.e. 2DES key. All values beginning with '0x' and containing only hexadecimal digits '0'-'9' or 'A'-'F' will be converted.
- Added support for dual uninstallation. Using dual installation package to uninstall will uninstall both packages.
- Added configuration parameter [CredentialProvider]>BMP(InsertCard) to specify image for insert card prompt.
- Changed behavior, will always set root CA certificates as trusted for PKCS11 library. The result is root CA certificates may be trusted by Firefox.
- Added reading of mifare and iclassid for Watch/Connector.
- Added Certificate Provider for customized certificate selection dialog.
- Added Change Credential Provider for customized Ctrl-Alt-Del change PIN dialog.

5.4.1.34:
- Fixed uninstall local configuration for Linux/MacOSX.
- Added possibility to install pkcs11 in Firefox profiles for MacOSX/Linux.
- Fixed certificate select dialog for MacOSX.
- Fixed show pin attempts for SSO2.
- Added ATR for Buypass card.
- Added configuration parameter to limit the available certificates. Set allowed issuers with [License] > Issuers. All issuers allowed if nothing specified.
- Added [Smart Card] > PinType = 4, for only digits allowed. Will be used by card profiles not storing pin information on card, i.e. Buypass.
- Enhanced support for sending SSO username/password stored on card to different windows. Will handle edit boxes with any class name as long as the text "edit" is part of the name. Will also send "enter" to main window if OK button not found.
- Updated Setec SetCOS 4.4.1 card, Instant EID IP2 profile, to erase key files before generating new key pairs.
- CheckSoftExpire introduced, same behavior as CheckCardExpire, but for soft tokens instead of smart cards.
- Possibility to limit the number of supported languages.
- Property InvokeWait introduced for plugin, tells the number of seconds the plugin should wait for eventual refreshing before returning, e.g. certificate mover at WriteCertificate.
- Enhanced performance for credential provider.

5.4.0.26:
- Fixed support for tracesplit/traceparse on Linux/MacOSX.
- Only start dual installation on win64. Will allow single setup containing both win32 and win64. The installation will install win32 for win32 and both win32 and win64 for win64.
- Fixed create/destroy SO pin objects for PKCS#11.
- Fixed parallel execute of Watch commands.
- Fixed background image for Watch.
- Credential Provider may use Minidriver instead of CSP. Will be able to load bitmap based on certificate, but no unlock or pin attempts functionality.
- Fixed PKCS#11 token flag for pin status with any pin reference, to solve problem with pin status for 2 CIA card.
- Fixed minidriver problem with card only supporting T=1.
- Fixed create private key for SetCOS 4.4.
- Updated card handler locking. No lock required for asking card status without force update.
- Added configuration parameter Install>ProductType. Will be appended to product name, e.g. "Net iD OEM"/"Net iD Enterprise".
- Fixed problem with two readers with inserted cards on win64.
- Fixed check card expire problem (new 5.4).
- Fixed Build name with åäöÅÄÖ.
- Fixed ResetToken/InitToken for RPS card.
- Fixed ResetToken for local portal.
- Fixed CSP release context without card access.
- Fixed PKCS#11 close session without card access.
- Changed behavior for displaying running type on Windows. Will now never show 64-bit Edition, but will always append 32-bit Edition for all dialogs when running on 64-bit machine.
- Added file state check for MyEID signature operation. Will require card operational state.
- Updated Tokend for MacOSX.
- Updated MacOSX/Linux installation to remove configuration sections specific for Windows.
- Updated local portal for Safari.
- Updated Credential Provider filter, will not block standard smart card provider unless supported usage scenario.
- Fixed Credential Provider issues with pin attempts left.
- Fixed Credential Provider issues with unknown cards.
- Updated configuration parameter names for Credential Provider.
- Fixed pkcs#11 visibility issue for PIN2 object created with PIN1. Object handles will now be valid for both PIN1 and PIN2 slots, but will only be returned for object search on correct slot.
- Added possibility to configure [Smart Card Reader] > Denied. A list of reader names which are not acceptable.
- Added support for Credential Provider: presenting PIN attempts left, unblock PIN with PUK and possible to configure presentation for all text fields.
- Updated PIN dialog behavior for Plugin/CSP. Generating/importing key pairs or writing certificates for PIN2 will always show both PIN1 and PIN2 dialog (if needed). Both PINs are usually required for updating PIN2 objects. Will not affect the case when PINs are supplied to CSP/Plugin by caller.
- Updated ChangePIN behavior. Will not be able to abort pin change when change required.
- Updated NetControl. Will show application window name instead of application process name for close question dialog.
- Added initial Credential Provider support. Possible to configure different Tile images depending on subject and/or issuer from the certificate.
- Added initial Apple Tokend support.
- Added support for environment variables for installation directory.
- Added possibility to configure CSP friendly name.
- Fixed environment variables for Watch command.
- Fixed check of key id when adding keys for PKCS#15 profile.
- Added package section to configuration for installation of custom packages.
- Added fingerprint for plugin EnumProperty CertificateEx.
- Added possibility to configure default certificate for CSP.
- Fixed CSP release context without card access.
- Fixed PKCS#11 close session without card access.
- Fixed problem with dynamic create/destroy for PKCS#15 profile.
- Fixed problem with environment variables for GINA.
- Added configuration for enabling card cache for Minidriver, default false (disabled).
- Fixed CertMover problem when looking for current user.
- Fixed Net iD Watch for combining 'match', 'message' and 'term' parameters.
- Fixed problem searching for first DF when adding new entries for profile PKCS#15.
- Fixed NetControl for Firefox with SSO.
- Fixed CSP friendly name for certificate.
- Fixed initial access problem for reading PIN2 certificates written with PIN1.
- Added support for dynamic create/destroy for PKCS#15 profile. For cards without EF(UnusedSpace).
- Updated default key usage behavior when generating new key pairs with plugin: PIN1 all (same) and PIN2 non-repudiation (changed).

5.3.0.28
- Net iD Watch may handle insert/remove events for unknown cards.
- Net iD Watch may use environment variables for most commands.
- Net iD taskbar can handle more custom links.
- Net iD plugin has full support for non-ascii characters, independent of strange web browser behavior.
- Added workaround to handle Microsoft VPN client.
- New local admin portal for Windows/Linux/MacOSX.
- Added Net iD Wrapper GINA.
- Added NetControl close for Firefox 3, Internet Explorer 8.
- Added card token label to dynamic strings. May change default names to more user friendly names, e.g. "Instant IP2" > "Tjänstekort".
- Added special license agreement for Under Development/Release Candidate.
- Added license may be issued for specific CA certificates.
- Added support for RFID read/write.
- Added new advanced dialog for certificate selection on Windows.
- Added support for more extensions for PKCS#10 certificate request.
- Added soft token support for Safari on MacOSX.
- Added Apple keychain as new soft token format.
- Added PIN expire policy.
- Added PIN history policy.

5.2.2.32
- Fixed problem with update counter for SSO2.
- Fixed verify pin for PKCS#15 cards with no directory in AODF.
- Fixed problem with SSO2 and win2003.
- Fixed problem with pin case sensitive and utf8 encoded.
- Fixed write of BID certificates for BEID cards.
- Fixed UPINO write for BEID card.
- Added sorting for certificate objects: newest returned first.
- Fixed write certificate with plugin when wrong slot specified.
- Fixed enable/disable of multiple network devices.
- Fixed problem for Microsoft wireless access with soft tokens.

5.2.0.26
- File operation Encrypt/Sign will only show valid certificates.
- Fixed problem with expired certificate for CSP.
- Fixed problem with validate for non-installed components.
- Fixed problem with Watch and lock workstation.
- Added Watch config set command (config/registry).
- Added Connector fast match command.
- Fixed problem with key generation on card.
- Added plugin invoke ValidateInstallation. Will verify installation is not modified, i.e. components removed/added/updated or configuration updated.
- Added validate functionality for -loadconfig. Will add checksum for all components when called.
- Added Watch for linux.
- Fixed problem with InitToken.
- Fixed MIME encoding for AdmUtil.
- Fixed AES encoding for PKCS#7 (compatible with Vista).
- Fixed SSO service install on win64.
- Fixed protected mode for update of soft tokens.
- Fixed problem with Watch and lock workstation (card removed and generated lock event before logged in).
- Changed behavior on Windows platform. For RSA key generation the pkcs11 library will first try to use CryptoAPI, second OpenSSL and third internal.
- Apply configuration for Transport will move local soft tokens to global.
- Added all cards for minidriver.
- Added OAEP support for CSP.
- Increased load performance for plugin.
- Changed to global only configuration for NetControl.
- Updated NetControl to handle minidriver.
- Updated Transport.
- Fixed VPN problem with soft tokens.
- Increased speed performance for CSP.
- Added some SSO support for minidriver.
- Updated soft tokens to enable default password.
- Updated Transport to both decrypt and verify files (DecryptData/VerifyData).
- Added SSO as service.
- Updated Crypt to handle removable devices.
- Updated Crypt to handle any drive.
- Updated traceparse (relative path).
- Updated traceparse (calculate execution time).
- Updated traceparse (handle incomplete file).
- Added config entry CallTrace for CSP/PKCS11. A new trace functionality, will only trace function entry and result, so less impact on speed performance.
- Added Microsoft standard Save/Open dialogs for plugin.
- Added generic Run command for plugin.
- Added new component Transport.

5.1.2.16
- Updated RegUtil to handle Template/SubjectAltName extensions.
- Fixed disable duplicate for CSP.

5.1.0.16
- Updated RegUtil to handle Template/SubjectAltName extensions.
- Added close of specific window classes for Watch.
- Changed behaviour for Net iD Connector, will now accept certificates without smart card logon extended key usage.
- Added support for start of SSO server.
- Moved all SSO config parameters to new section (SingleSignOn).
- Added support for username/password SSO with credentials stored on card.
- Added support for local pages for Net iD Web.
- Added support for custom shortcuts during install.
- Changed CSP behavior. CPDestroyKey and CPDestroyHash will always return success, to handle applications not prepared for smart cards.
- Updated GINA netcard functionality.
- Added post data functionality for core library.
- Fixed update of slot list for AdmUtil at Refresh (F5).
- Fixed matching of key pair for generating new key pairs on smart cards.
- Fixed problem with SSO and soft tokens.
- Changed behavior for Pkcs11 already logged in. Will only return "already logged in" in case correct PIN given.
- Added AdmUtil change PIN for soft tokens (right click in list).
- New version of Net iD Crypt, Net iD Watch.

5.0.0.31
- Added configuration parameter to disable setting of friendly name when registering certificate for CryptoAPI.
- Added duplicate certificate handling in Pkcs11/CSP.
- Added certificate request attribute for plugin.
- Added publisher to uninstall info.
- Trace registry virtualization limited to 10 keys/entries.
- For duplicate certificates (same issuer/subject) our select certificate dialog will only show the newest.
- The newest certificate will be default for our select certificate dialog.
- Soft tokens will get a unique number.
- Moved some functionality from main library to CSP, to allow CSP to work without loading main library.
- Removed admin access warning for Vista when running as administrator.
- Changed configuration extension: ini => cfg.
- Added support for SHA-256 for pkcs11/CSP/minidriver (CSP/minidriver require Vista or later).
- 64-bit port of GINA/SSO/Crypt.
- Added support for AES-128/192/256 for CSP/PKCS11.
- Added support for RSA OAEP for CSP/PKCS11 (AES key wrapping).
- Upgrade will copy new config and merge old config entries.
- Added support for CryptoAPI keypair generation for PKCS11.
- Added support for OpenSSL keypair generation for PKCS11.
- Added support for CryptoAPI random seed for PKCS11.
- Added support for OpenSSL random seed for PKCS11.
- Fixed start of iidxadm.exe from Taskbar when installed in Program Files folder.
- Fixed support for SSO with soft tokens.
- Added configuration parameter Install>Special.
- Fixed SSO encrypt/decrypt with data >1MB.
- Fixed SSO sign/verify with data >1MB.
- Added config parameter Smart Card Reader>KeepLoggedInLocked=0/1. When enabled, the behavior will be the same as for a pin pad => no pin cache at all.
- Added pin pad entry with feedback.
- Changed password character from "star" to "ball" for WinXP or later.
- GINA extra window for ctrl-alt-del.
- SSO may be disabled for applications.
- Added Net iD Web - iidxweb.exe.
- Trace print to always include all seconds.
- Added new config parameter: CSP > KeepSessionAlive=0/1.
- Moved global configuration file to install directory.
- Added config parameter Pkcs11 > ReportWrite.
- Auto lock of PIN for unlock on Setec SetCOS.
- Default values always set in config file.
- Changed behavior, SSO will not auto logout at refresh/finalize.
- Release library for default certificate when unloading.
- Updated auto cleanup for CSP/PKCS11.

Known Issues
----------------------------------------------------------------------------------------
- OS X 10.9: soft tokens are not automatically imported to Keychain but need to be manually dropped from /Users/'User'/Library/Keychains onto the Keychain Access application.
- Microsoft's third party CSP (Cryptographic Service Provider) signing procedure has been changed in the way that the CSP developers are supposed to do the signing themselves. Microsoft has therefore ended their CSP signing service and from Net iD Enterprise v6.1 and forward the signing of the Net iD CSP will be done by SecMaker ourselves using a code signing certificate issued by an issuer recognized by Microsoft. The usage of the CSP after this new CSP signing procedure will work fine with later versions of Windows OSs, but for customers using Windows XP and Windows Server 2003 it will cause a problem. There is however a fix available from Microsoft (patch 2836198, http://support.microsoft.com/kb/2836198/en-us) and if installed it will solve the problem.
Known Limitations
----------------------------------------------------------------------------------------
- Windows 8.1 and Internet Explorer 11 have only gone through limited testing and issues may occur that haven't been found. However, Net iD Enterprise supports Windows 8.1 and Internet Explorer 11 and possible issues will be fixed in upcoming service releases if they come to SecMaker's attention. Further tests will be made by SecMaker as well.
- Mozilla Firefox: Ended support for automatic installation of Net iD Enterprise PKCS#11 module in Firefox on OS X for security reasons. The old behaviour was comparable with the behaviour of a trojan, which is not acceptable. A manual workaround to load the PKCS#11 library via nss-modutil is available from SecMaker.

System Requirements
----------------------------------------------------------------------------------------
Operating Systems:

Macintosh (32-bit and 64-bit versions):
- OS X 10.8
- OS X 10.9 (see Known Issues)

Microsoft Windows (32-bit and 64-bit versions):
- Windows Server 2012 Standard Edition
- Windows Server 2012 Datacenter Edition
- Windows Server 2008 R2 Standard Edition
- Windows Server 2008 R2 Enterprise Edition
- Windows Server 2008 Standard Edition
- Windows Server 2008 Enterprise Edition
- Windows Server 2003 R2 Standard Edition
- Windows Server 2003 R2 Enterprise Edition
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
- Windows 8.1 (see Known Limitations)
- Windows 8.1 Pro (see Known Limitations)
- Windows 8.1 Enterprise (see Known Limitations)
- Windows 8
- Windows 8 Pro
- Windows 8 Enterprise
- Windows 7 Home Basic
- Windows 7 Professional
- Windows 7 Enterprise
- Windows 7 Ultimate
- Windows Vista Home Basic
- Windows Vista Business
- Windows Vista Enterprise
- Windows Vista Ultimate
- Windows XP Home Edition
- Windows XP Professional

Linux (32-bit and 64-bit versions):
- Ubuntu 13.04
- Ubuntu 13.10

Web browsers:
- Microsoft Internet Explorer 7 (only for Windows XP and not supporting GUI v6)
- Microsoft Internet Explorer 8
- Microsoft Internet Explorer 9
- Microsoft Internet Explorer 10 (only Desktop mode supported)
- Microsoft Internet Explorer 11 (only Desktop mode supported, also see Known Limitations)
- Mozilla Firefox 21.0 (tests only performed on releases supported by Mozilla)
- Google Chrome v27.0 (tests only performed on latest release supported by Google)
- Safari 5.1.7 for OS X
- Safari 6.0.3 for OS X

Smart cards, Smart card Profiles and EID-applets Support
----------------------------------------------------------------------------------------
Smart cards:
- Axalto Cryptoflex
- Gemalto .NET Smart Cards
- Gemalto GemXpresso
- Gemalto PIV cards
- IBM JCOP 21, 31, 41
- Net iD Live .NET
- Oberthur Cosmo v7.0 IAS ECC
- Setec SetCOS 3.4, 4.3, 4.4, 5.0
- Setec SetCosXpresso
- Siemens CardOS 4.01, 4.20, 4.30

Profiles:
- ISO 7816-15
- Microsoft Minidriver 4.0, 5.0, 6.0
- PKCS#15
- SS614330 (Swedish EID card standard)
- Examples of verified PKCS#15/ISO7816-15 profiles:
-- FINEID S4
-- FK EID IP5b
-- Gemalto Instant EID IP8
-- Gemalto Instant EID IP9
-- Gemalto Tjanstekort EID
-- Skatteverket IAS-ECC card
-- Telia EID IP2
-- Telia EID IP5
-- VRK (Finnish healthcare smart card)

EID applets:
- EVRY Multi EID
- Gemalto GemSAFE (Classic) v1, v2 and v3 applets
- Gemalto EID2048 applet
- Gemalto IAS ECC (limited support)
- HID ISO/7816-15 applet
- HID ActivIdentity appletframework v1 applet
- Oberthur IAS ECC applet
- Taglio Applet v1.60

Smart card readers
----------------------------------------------------------------------------------------
- Support for card readers as per PC/SC standard

Standards
----------------------------------------------------------------------------------------
- MS Cryptographic Service Provider (CSP) for MS CryptoAPI
- Standard PKCS #11, PKCS #12, PKCS #15
- Standard ISO7816-15
- Standardized digital signatures – PKCS #7
- Standard client identification as per SSL 3.0
- European Citizen cards, IAS ECC specifications

Upgrade from earlier Net iD Enterprise versions
----------------------------------------------------------------------------------------
Supported versions to upgrade from:
- Net iD version 6.0.x.x
- Net iD version 5.6.x.x
- Net iD version 5.5.x.x

Other Resources and Links
----------------------------------------------------------------------------------------
Visit www.secmaker.com for more information.

Feedback
----------------------------------------------------------------------------------------
Please forward your comments and problem reports to the following e-mail addresses.
Problems discovered should be reported by sending an e-mail to netid@secmaker.com
You can also give us feedback by sending an e-mail to feedback@secmaker.com

SecMaker AB
Hesselmans Torg 5
SE-131 54 Nacka, Stockholm
SWEDEN
+46 8 601 23 00