===============
ENTRUST(R) INC.
===============

Release Notes for Entrust/Direct(TM) client plug-in
Date: January 30, 2003
Release: 6.0 Service Pack 2


========
Overview
========

This service pack includes added features and resolved issues for the Entrust/Direct client plug-in 6.0.  This service pack modifies and/or replaces existing Entrust/Direct client plug-in 6.0 files in Entrust/DesktopDesigner.  It cannot be directly installed on an end user's machine.  See the "Installation notes" section below for more information.

For a complete list of supported platforms for this service pack, please visit the Entrust Platform Support and Integration Center: https://www.entrust.com/support/psic/


============================
New features in this release
============================

Extended platform support
-------------------------
- The following features have been added to this release:
  - Microsoft(R) Windows(R) XP SP1 is now supported.
  - Netscape(R) Communicator 4.8, Netscape 7.0, and Microsoft(R) Internet Explorer 6.0 SP1 are now supported. (68564)

Offline by default mode
-----------------------
- In Extranet mode, the Entrust/Direct client plug-in now has settings to control login behavior.  The settings "offlineByDefault" and "onLineInterval" in the [Entrust Direct] section of the entrust.ini file can be used to force the Entrust/Direct client plug-in to log in offline and to periodically log in online in order to synchronize certificate information.  By default, offlineByDefault is set to 0, so the user attempts to log in online every time.  When offlineByDefault is set to 1, the user logs in offline until the onLineInterval is reached.  The onLineInterval setting specifies the maximum number of days that the user can log in offline.  Once this period is reached, or if the user is in a key update period, the user is forced to log in online.  Valid values for the onLineInterval setting are between 1 and 30 days.  The default value for onLineInterval is 20 days.  These settings are only supported in online Extranet mode.  SEP by Proxy users always log in offline.  Note that when the user logs in offline, certain limitations exist with respect to key management and user status.  Please refer to the "Offline login limitations" section of this file for more details.  (70287)

Chain proxy setting
-------------------
- The Entrust/Direct client plug-in now allows administrators to specify the address of an intermediate HTTP proxy with the "chainProxy" setting in the [Entrust Direct] section of the entrust.ini file.  In this scenario, the browser's proxy settings are ignored.  The format for the chainProxy setting is: "host port".  For example, "chainProxy=proxy.mycompany.com 80".  If the chainProxy setting is omitted, the browser's proxy settings are used. (67185)
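
The following is an added example, not Entrust code: a small Python check that an administrator could run over an entrust.ini before packaging it, covering the offlineByDefault, onLineInterval and chainProxy settings described above.  The function name, the sample file contents and the wording of the findings are assumptions made for illustration; how the plug-in itself treats an invalid value is not stated in these notes.

```python
import configparser

SECTION = "Entrust Direct"  # section of entrust.ini named in these notes

def audit_entrust_ini(text):
    """Return (settings, findings); settings holds validated values or defaults."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    sec = cp[SECTION] if cp.has_section(SECTION) else {}
    # Documented defaults: online login every time, 20-day interval,
    # and the browser's own proxy settings when chainProxy is omitted.
    settings = {"offlineByDefault": 0, "onLineInterval": 20, "chainProxy": None}
    findings = []

    raw = sec.get("offlineByDefault")
    if raw is not None:
        if raw.strip() in ("0", "1"):
            settings["offlineByDefault"] = int(raw)
        else:
            findings.append(f"offlineByDefault={raw!r}: expected 0 or 1")

    raw = sec.get("onLineInterval")
    if raw is not None:
        days = int(raw) if raw.strip().isdecimal() else None
        if days is not None and 1 <= days <= 30:
            settings["onLineInterval"] = days
        else:
            findings.append(f"onLineInterval={raw!r}: valid values are 1 to 30 days")

    raw = sec.get("chainProxy")
    if raw is not None:
        parts = raw.split()  # documented format is "host port"
        if len(parts) == 2 and parts[1].isdecimal() and 0 < int(parts[1]) < 65536:
            settings["chainProxy"] = (parts[0], int(parts[1]))
        else:
            findings.append(f"chainProxy={raw!r}: expected 'host port'")

    if settings["offlineByDefault"] == 1:
        # See "Offline login limitations": these directory flags are skipped.
        findings.append("offline login enabled: disabled status, DN change and "
                        "forced key update flags are not checked during offline logins")
    return settings, findings

# Constructed sample, not a real deployment's entrust.ini.
SAMPLE = """[Entrust Direct]
offlineByDefault=1
onLineInterval=45
chainProxy=proxy.mycompany.com 80
"""

if __name__ == "__main__":
    for line in audit_entrust_ini(SAMPLE)[1]:
        print(line)
```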

Microsoft automatic configuration files
---------------------------------------
- Microsoft ".ins" automatic configuration files are now supported.  Automatic configuration files generated by the Microsoft Internet Explorer Administration Kit (IEAK) are now downloaded from a web server and parsed by the Entrust/Direct client plug-in to read the intermediate HTTP proxy settings.  IEAK automatic configuration files are only supported with Microsoft Internet Explorer. (44968)


=====================
Fixes in this release
=====================

The following known issues and limitations have been resolved for this release.

- In online Extranet mode, the wording of the "must have at least one uppercase character" and "must not contain any repeating characters" password rules has been clarified. (43044, 67796)

- The Direct Diagnostics Utility now correctly identifies Windows XP. (58098)

- The Entrust/Direct client plug-in no longer crashes when the "ClientType" setting is set to "lite" in the entrust.ini file.  An error message is now shown to advise the user to change this setting to "heavy". (45597)

- During installation Netscape Communicator is now configured to correctly handle the Entrust/Direct client plug-in MIME type.  This fix avoids the "Open / Save As..." dialog when an .ETD file is downloaded in the browser. (50103)

- In Intranet mode, the Entrust/Direct client plug-in no longer prompts the user to login twice when using an Entrust profile that has single sign-on disabled. (26262)

- The "Help" button on the Extranet Login dialog now works in all scenarios. (33312)

- Previous versions of the Entrust/Direct client plug-in no longer need to be uninstalled before applying this service pack to Entrust/DesktopDesigner.

- The Entrust/Direct client plug-in can now correctly handle URLs containing web server basic authentication usernames and passwords when Netscape is used as the default browser. (72011)


=======================================
Changes included from previous releases
=======================================

The following known issues and limitations have been resolved and incorporated from previous releases.

Entrust/Direct 6.0 patch 66665EN
--------------------------------
- In SEP by Proxy mode, the Entrust/Direct client plug-in allows users to retry if they provide an invalid password during profile creation/recovery. (66665)

- The Entrust/Direct client plug-in prevents cross-site scripting attacks that include malicious code in an invalid URL or HTTP request. (66585)

- The Entrust/Direct client plug-in allows Internet Explorer browsers to return to the previous page when the user cancels a digital signature confirmation dialog. (55673)

- The Entrust/Direct client plug-in will drop inactive connections after 5 minutes by default. The timeout can be modified by changing the "HttpTimeout" setting in the "[Entrust Direct]" section of the entrust.ini file. (67495)


Entrust/Direct 6.0 patch 63426
------------------------------
- The Entrust/Direct client plug-in opens fewer connections to the directory. (54103)

- The valid range for session timeouts and credential timeouts has been increased from 15 minutes to 1 hour. (63046)

- The Extranet login dialog stays open until the user completely logs into Entrust. (63426)


Entrust/Direct 6.0 patch 59056EN
--------------------------------
- The Entrust/Direct client plug-in makes a stronger attempt to re-establish a dropped dial-up connection by invoking the dial-up networking dialog. (58231)

- The Entrust/Direct client plug-in authenticates successfully to an iPlanet(TM) Web Proxy Server when creating a profile or updating a user's keys. (54316)

- The Entrust/Direct client plug-in includes extra HTTP headers when posting a SEP By Proxy request.  This fix improves interoperability with HTTP proxies and firewalls. (59056)


Entrust/Direct 6.0 patch 54289EN
--------------------------------
- The Entrust/Direct client plug-in recovers the user's identity when password expiry is part of the user's policy. (54289)

- The Entrust/Direct Extranet setup handles the settings "CreateStartUpShortcuts" and "StartUpShortcutCommandLine" in the [DirectExtranet] section of the entsetup.ini file. (58616)


Entrust/Direct 6.0 Service Pack 1 
---------------------------------
- The View Server Certificate functionality is enabled by default in SEP by Proxy mode.  Consequently, users are able to view the Entrust/Direct-protected Web server's public verification certificate after visiting the protected site.  To disable the View Server Certificate functionality, you must set "ViewServerCert=0" in the Entrust/Direct client plug-in entrust.ini file.

- In SEP by Proxy mode, the Set Password dialog box prevented the final profile creation acknowledgement from being sent to the Entrust/Direct Web server proxy until the user pressed the "OK" button.  Previously, if the user took longer than the threshold period of time to click the "OK" button (as set by the "ListenTimeout" entry in the entmgr.ini Entrust Authority(TM) configuration file), the user was revoked and could not access the Entrust/Direct Web server proxy once the newly created profile's CRL expired.  This service pack addresses this problem so that the user can take as much time as they want to set the password for their profile.

- The Entrust/Direct client plug-in handles concurrent requests better for security context establishment to the Entrust/Direct Web server proxy.  More specifically, the Entrust/Direct client plug-in can handle scenarios in which a user clicks a hyperlink that initiates an update for multiple frames in the browser and more than one frame displays secure content from the Entrust/Direct-protected Web site.

- The Entrust/Direct client plug-in stores the browser's original proxy settings in a folder where the user has write permission.  This avoids the warning dialog that states that a temporary file cannot be written. 


=========================
Offline login limitations
=========================

A number of limitations apply when the user logs in to the Entrust/Direct client plug-in in Extranet mode with the offline login feature during an offline login period.  This section details each limitation and its available workaround.  All of the limitations below exist only when the user is logging in offline.  If the user is in an online login period, the following limitations do not apply.

Disabled user status is not enforced
------------------------------------
- The enabled/disabled status of a user is stored in the directory and is normally handled during the login process.  When the user is logging in offline, the status of the user is not checked in the directory.  As a workaround, revoke the user instead of disabling them.

DN change operation does not work
---------------------------------
- The DN change flag is stored in the directory and is normally handled during the login process.  When the user is logging in offline, the DN change flag is not checked in the directory.  As a workaround, revoke the old user and create a new user with the new DN.

Forced key update does not occur
--------------------------------
- The forced key update flag is stored in the directory and is normally handled during the login process.  When the user is logging in offline, the key update flag is not checked in the directory.  As a workaround, perform a key recovery operation instead of a key update.

User revocation is not checked during login
-------------------------------------------
- The revocation status of a user is stored in the directory and is normally handled during the login process.  When the user is logging in offline, the revocation status is not checked in the directory.  No workaround is needed for this limitation.  A revoked user will not be able to establish a secure session with an Entrust/Direct protected web site since the Entrust/Direct Server Proxy checks the user's revocation status.


============
Known issues
============

- Netscape Quick Launch, a feature included in Netscape 6 and above, is not supported.  Netscape Quick Launch allows parts of the Netscape browser to remain resident in memory at all times.  This conflicts with how the Entrust/Direct client plug-in monitors the browser process and overrides its proxy settings.  Netscape Quick Launch must be disabled before running the Entrust/Direct client plug-in. (72906)

- Creating and recovering Entrust profiles using the command line is not supported in this release. (74151, 74363)


==================
Installation notes
==================

This service pack applies to the Entrust/Direct client plug-in versions 6.0 and above.  Administrators will need to apply this service pack to their existing Entrust/DesktopDesigner installation and create a new setup package for the Entrust/Direct client plug-in.  This service pack cannot be directly installed on an end-user machine.

To install this service pack, double-click the setup executable.


====================
Uninstallation notes
====================

There are no special uninstallation instructions for this service pack.  To remove the service pack, you must uninstall Entrust/Direct or Entrust/DesktopDesigner and then reinstall Entrust/Direct or Entrust/DesktopDesigner.


=====================
Trademark information
=====================

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries.  All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries.  All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.
