===============
ENTRUST(R) INC.
===============

Release notes for Entrust/Direct(TM)
Date: October 2001
Release: 6.0 service pack 1

Thank you for your interest in Entrust/Direct. This product is subject to the terms detailed in the license agreement.

For more information about Entrust products, please visit our Web site at http://www.entrust.com.

===================
System requirements
===================

- Pentium-class processor
- 16 MB RAM (32 recommended)
- 2.6 MB available disk space (depending on configuration), plus 6 MB temporary free space needed for the installation
- Microsoft(R) Windows(R) 95 OSR 2 (950b), or OSR 2.5 (950c), Windows 98, Windows 98 Second Edition, Windows Millennium, Windows 2000 Professional, Windows 2000 Professional with Service Pack 1 and 2, Windows NT(R) 4.0 with Service Pack 3-6a
- An Entrust profile created using Entrust/PKI(TM) 4.0 or higher
- A proxy-capable Web browser. The Entrust/Direct client for Windows 95/98/2000 and Windows NT 4.0 supports the following browsers:
	- Netscape(R) 4.0, 4.01, 4.02, 4.03, 4.04, 4.05, 4.06, 4.07, 4.08, 4.5, 4.51, 4.6, 4.61, 4.7, 4.71, 4.72, 4.73, 4.74, 4.75, 4.76, 4.77, 6.x
	- Microsoft Internet Explorer 4.0, 4.01, 4.01 SP1-SP2, 5.0, 5.01, 5.01 SP1-SP2, 5.5, 5.5 SP1, 6.0
- If you do not want to store your profile on your hard drive, you can store it on a hardware token that supports PKCS#11 v2. For information about security hardware support and Entrust products, please refer to the Partners section of the Entrust web site (http://www.entrust.com/partners). Consult the Entrust-Ready(TM) Status Matrix for Hardware products (http://www.entrust.com/partners/matrix.pdf) for a complete list of Entrust-Ready hardware tokens, smartcards, biometrics, and other security devices.

==============================
Features of 6.0 service pack 1
==============================

Internet Explorer 6.0 is now supported.

===============
Features of 6.0
===============

In Microsoft Internet Explorer, Entrust/Direct now disables the "Bypass proxy server for local addresses" check box every time users launch Entrust/Direct. If this option is enabled, the browser bypasses the Entrust/Direct client plug-in and the user is denied access to all local Entrust/Direct-protected Web sites.

In Microsoft Internet Explorer, Entrust/Direct now disables the "Do not use proxy server for addresses beginning with" check box every time users launch Entrust/Direct. You can achieve the same results by using an autoproxy script.

You can now include any HTTP headers in the Entrust/Direct client plug-in's POST requests to the Entrust/Direct Web server proxy. The headers are specified in the Entrust/Direct client plug-in entrust.ini/etdirect.ini file and can be pre-defined HTTP 1.0 and 1.1 headers listed in the RFC 2616 document available at www.w3.org (for example, "From") or headers of your own choosing. See the Entrust/Direct 6.0 Administration and deployment guide for details.

Administrators no longer have to install the Entrust/Direct client plug-in into Entrust/DesktopDesigner because the Entrust/Direct client plug-in files are now included in Entrust/DesktopDesigner. This means that administrators can customize the client-side setup program immediately after they install Entrust/DesktopDesigner.

Users can now view the certificates of Entrust/Direct-protected Web servers to which they are connected. To implement this new feature, the following changes have been made to Entrust/Direct:

- A menu item called "View" has been added to the Entrust/Direct main window. It offers a list of the Entrust/Direct-protected Web servers to which a user is currently connected.
- A menu item called "View Server Certificate" has been added to the pop-up menu that appears when users right-click the Entrust/Direct key in the Windows tray. Like the new View menu, it offers a list of the Entrust/Direct-protected Web servers to which a user is currently connected.
- A new "ViewServerCert" entry in the [Entrust Direct] section of the Entrust/Direct client plug-in entrust.ini file specifies whether to display the View Server Certificate menu items. Setting "ViewServerCert=0" removes the View and View Server Certificate menus from the Entrust/Direct main window and pop-up menu.

See the online help (etdirect.hlp) for details on how to view the Web server certificates. See the Entrust/Direct 6.0 Administration and deployment guide on how to enable or disable this feature.

A new "DebugStringsLogged" entry allows administrators to specify the number of debug strings logged in the error log files generated by the Entrust/Direct client plug-in. See the Entrust/Direct 6.0 Administration and deployment guide for details.

If you are using Netscape browsers, you can specify browser-specific command-line options such as "-sk" (which removes the tool, menu and status bars) and "-P" (which allows you to specify a Netscape profile) within the "-browser" command-line option. See the Entrust/Direct 6.0 Administration and deployment guide for details.

===========================
Fixed in 6.0 service pack 1
===========================

When a user timed out on a multi-frame Web site, logging back in caused both frames to be refreshed at the same time. This concurrent refresh caused errors. To fix the problem, Entrust/Direct now queues update requests.

The "InitialBrowserUrl" setting is now case-sensitive.

The password lifetime user policy setting is now respected in Online mode. Note that when in SEP by Proxy mode, policies are not supported.

When creating a profile, users can now take as long as they want to enter their password in the Set Password dialog box. In previous releases of Entrust/Direct, waiting longer than four minutes to enter a password caused the user to be revoked.

Entrust/Direct now attempts to store the etdirect.tmp file (which is created when users launch the Entrust/Direct client plug-in) in the Windows user profile temporary folder. If this attempt fails, Entrust/Direct stores the file in the Entrust/Direct installation folder. The error dialog box that used to be displayed because of the failure to create this file is now suppressed.

The "ViewServerCert" entry in the [Entrust Direct] section of the Entrust/Direct client plug-in entrust.ini file is now set to "1" by default. 

This new default setting ensures that the View and View Server Certificate menus appear on the Entrust/Direct main window and pop-up menu.


============
Fixed in 6.0
============

The Policy certificate is now followed for encryption algorithms when the Entrust/Direct client plug-in is in the Extranet configuration. Note that when in SEP by Proxy mode, the encryption algorithm still defaults to CAST-128.

============
Known issues
============

If using Entrust/Direct in Extranet mode with PKCS#11 v2-compliant hardware tokens, ensure the "CryptokiLibrary" setting in the Entrust/Direct client entrust.ini file reads exactly as follows:
 
CryptokiLibraryNT& CryptokiLibrary95 = <pkcs v2 crypto dll>

Users may receive an error message if they try to initiate an HTTP request

 -- while downloading a large response that has been separated into packets of data. 
 -- after canceling a large response that has been separated into packets of data.

Clicking the "Reload" or "Refresh" button reissues the request and returns a successful response.

If a user carries a profile on different Smart Cards, he cannot insert his Smart Cards and then try to simultaneously connect to Entrust/Direct. In the event of a simultaneous connection, the Entrust/Direct client plug-in only recognizes one of the Smart Cards and ignores the others.

It is advised not to bookmark pages within Entrust/Direct-protected sites. The bookmarked URL may contain sensitive information which will reside unencrypted in the browser's bookmark store.

Hardware tokens are not supported if you are using Entrust/Direct in an Extranet configuration and the SEP by Proxy feature is enabled.

The Entrust/Direct GUI does not allow users to include backslashes in their passwords. For example, a password such as "App3\ABC" generates the following error message:

"Cannot change your Entrust password.  Internal error.  (-1552) Local character set translation to Unicode failed."

This issue applies only to Entrust/Direct Extranet users who must use Entrust/Direct to create passwords. Intranet users create passwords in Entrust/Entelligence where backslashes are permissible.

If you have configured the Entrust/Direct client plug-in to run in Offline mode, revoked users are still able to log in. This problem arises because the Entrust/Direct Web server proxy's Certificate Revocation List (CRL) cache is only updated every 24 hours in Offline mode. When the revoked users attempt to log in within this 24 hour period, the CRL cache does not yet list their certificates and they are permitted to log in. To fix this problem, locate the Entrust/Direct Web server proxy entrust.ini file and set the "CrlCacheEnabled" entry to '0'. Disabling this entry ensures that the Entrust/Direct Web server proxy links to the Entrust/Directory to obtain CRL information instead of using its cache. 
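
The check described above, as an added example that is not Entrust code: a Python script that scans the text of an Entrust/Direct Web server proxy entrust.ini for live "CrlCacheEnabled" entries and classifies the result. The sample file is constructed, the section name "[Proxy Settings]" is a placeholder because these notes do not name the section, and treating a missing entry as "needs review" is an assumption because the default is not stated here.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*([^=;#\s][^=]*?)\s*=\s*(.*?)\s*$")

# Constructed sample; "[Proxy Settings]" is a placeholder section name,
# because the release notes do not say which section holds the entry.
SAMPLE_INI = """\
[Proxy Settings]
; CrlCacheEnabled=0
CrlCacheEnabled=1
"""


def find_entries(ini_text, key):
    """Return (section, line number, value) for each live occurrence of key."""
    section, hits = None, []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        entry = ENTRY_RE.match(line)  # comment lines (; or #) never match
        if entry and entry.group(1).lower() == key.lower():
            hits.append((section, lineno, entry.group(2).strip("'\"")))
    return hits


def audit_crl_cache(ini_text):
    """Classify the CrlCacheEnabled setting found in a proxy entrust.ini."""
    hits = find_entries(ini_text, "CrlCacheEnabled")
    values = {value for _, _, value in hits}
    if not hits:
        # Assumption: the page does not state the default, so flag for review.
        return "UNSET", hits
    if len(values) > 1:
        return "CONFLICT", hits  # the same entry appears with different values
    if values == {"0"}:
        return "DISABLED", hits  # proxy consults the Directory for CRLs
    return "CACHED", hits  # revocations may lag by up to 24 hours (Offline mode)


if __name__ == "__main__":
    status, hits = audit_crl_cache(SAMPLE_INI)
    print(status)
    for section, lineno, value in hits:
        print(f"  line {lineno} [{section}] CrlCacheEnabled={value}")
```

A commented-out "CrlCacheEnabled=0" line, as in the sample, does not count as disabling the cache, which is why the sample is reported as CACHED.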

If Microsoft Office 97 is installed on users' computers, we strongly recommend that the following security patches also be installed:

	http://officeupdate.microsoft.com/articles/sr2fact.htm
	http://officeupdate.microsoft.com/downloadDetails/xl97cfp.htm
	http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm
	http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm
	http://officeupdate.microsoft.com/articles/mdac_typ.htm
	http://officeupdate.microsoft.com/downloaddetails/Xl8p7pkg.htm

If you create a profile with Entrust/Direct and then attempt to log in through Entrust Single Sign-On (installed with Entrust/Entelligence), you may be warned that you have chosen an invalid encryption algorithm. To prevent this warning, right-click the Entrust icon (not the Entrust/Direct icon) in the Windows tray, click Entrust Options > Security, select an encryption algorithm from the "Entrust encryption algorithm" drop-down menu, and click "OK".

Some older browsers require that you  manually select the application to associate with the extension ".etd" or the MIME (Multipurpose Internet Mail Extension) type "application/x-Entrust-Direct".

If a Netscape browser is running when you launch Entrust/Direct, you will be prompted to have your browser shut down and restarted. Do not attempt to start another instance of the browser until Entrust/Direct has finished shutting down the current browser instance and has restarted another. If you don't wait, Entrust/Direct may not update the browser's proxy settings and may not be able to access Entrust/Direct-protected Web sites.

It is recommended that you uninstall older versions of Entrust/Direct before installing Entrust/Direct 6.0.

==================
Installation notes
==================

Double-click the Entrust/Direct installation icon (or run setup.exe) and follow the on-screen instructions.

=============
Documentation
=============

Entrust/Direct provides three sets of documentation:
-- Entrust/Direct online help (etdirect.hlp): This is the user documentation. It is accessed by clicking the Help menu on the main window, or the help buttons on any of the secondary windows.
-- Entrust/Direct 6.0 Administration and deployment guide (direct_guide.pdf): This administrator's guide provides information on how to install and configure an Entrust/Direct system. It is available on the Entrust/Direct Server Proxy CD in the root folder.
-- Entrust/Direct QuickStart guide (direct.pdf): Administrators distribute a paper copy of this guide to users so that they can get up and running quickly. The guide is available on the Entrust Desktop Solution CD in \documentation\Quick Start Guides. If you are printing your guide in the United States, ensure that you are using US letter paper. For all other countries, use A4 or B4 paper.

=====================
Trademark information
=====================

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries.  All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries.  All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.  
