Privacy and Security Preferences - Validation
This section describes how to use the Validation Settings panel. If you are not already viewing the panel, follow these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy and Security category, choose Validation. (If no options are visible under Privacy and Security, click its triangle to expand the list.)
For background information on certificate validation, see How Certificate Validation Works.
A certificate revocation list (CRL) is a list of revoked certificates that is generated and signed by a certificate authority (CA). It's possible to download a CRL to your browser, which can check against it to make sure that certificates are still valid before permitting their use for authentication.
Click Manage CRLs to see a list of the CRLs available to Certificate Manager.
To delete a CRL, select it and then click Delete.
The Online Certificate Status Protocol (OCSP) makes it possible for Certificate Manager to perform an online check of a certificate's validity each time the certificate is viewed or used. This process involves checking the certificate against a certificate revocation list (CRL) maintained at a specified web site. Your computer must be online for OCSP to work.
To specify how Certificate Manager uses OCSP, choose one of these settings in the OCSP section of Validation Settings:
- Do not use OCSP for certificate verification. Select this setting if you don't want Certificate Manager to perform an online status check each time it verifies a certificate. Instead, whenever Certificate Manager performs certificate verification, it only confirms the certificate's validity period and that it is correctly signed by a CA whose own CA certificate is both listed under the CA Certificates tab (in the main Certificate Manager window) and marked as trusted for issuing that kind of certificate.
- Use OCSP to verify only certificates that specify an OCSP service URL. Select this setting if you want Certificate Manager perform an online status check each time it verifies a certificate that specifies a URL for the purpose of performing such a check. If a URL is specified by the certificate, Certificate Manager makes sure that the certificate is listed there as valid and checks the validity period and trust settings.
- Use OCSP to verify all certificates, using the URL and signer specified here. Select this setting if you want Certificate Manager to perform an online status check each time it verifies any certificate. If you select this setting, you should also choose the certificate from the Response Signer pop-up menu that identifies the signer of the OCSP responses. With this setting, the only certificates Certificate Manager recognizes are those that can be verified by an OCSP response signed with the Response Signer certificate (or signed using a certificate that chains to it).
When you choose a Response Signer certificate from the pop-up menu, Certificate Manager fills in the Service URL (if available) for that signer automatically. If the Service URL is not filled in automatically, you must provide it yourself; ask your system administrator for details.
Copyright © 1994-2001 Netscape Communications Corporation.