Netscape MANAGEMENT SYSTEM 4.5 Installation And Setup Manual page 92

Some Enrollment Scenarios
results from salting and hashing. When customers use the PIN to enroll in the Atlas
PKI, the PIN is automatically removed from the directory. Enrollment PINs are
therefore more reliable than passwords, which must be protected over a long
period of time.
Acme's process involves the following steps (illustrated in Figure 2-5):
Generate PINs. The CMS administrator runs the CMS PIN Generator against
1.
the existing directory, populating each entry with a unique PIN.
Write out PIN records. The CMS administrator uses the CMS PIN Generator to
2.
write out PIN records for use by an out-of-band delivery mechanism.
Out-of-band delivery. The user receives the PIN via a batch mailing system,
3.
payroll stub, invoice form, or other out-of-band delivery mechanism.
Request certificate (using PIN). The user goes to a specified Registration
4.
Manager URL, fills in name and PIN, and submits a certificate request.
Authentication (using PIN). The Registration Manager uses the standard CMS
5.
PIN-based directory authentication module to verify the PIN against the
directory.
Request certificate. If authentication against the directory is successful, the
6.
Registration Manager performs policy processing and, if this succeeds,
forwards the request to the Certificate Manager.
Issue certificate. The Certificate Manager performs its own policy processing
7.
and, if all goes well, issues the certificate.
Deliver certificate. If the Certificate Manager issues the certificate, the
8.
Registration Manager delivers it to the end user in the same session. If the
request is unsuccessful for any reason, the Registration Manager displays a
web page to the user explaining the problem and what to do about it.
92 Netscape Certificate Management System Installation and Setup Guide • October 2001