Netscape Certificate Management System 6.2 - Agent Guide, page 15

reliable authentication services and therefore trusts any signed requests it
submits. The Certificate Manager processes the requests and issues the
certificates. The Registration Manager then distributes the certificates to the
end entities.
Data Recovery Manager—A Data Recovery Manager oversees the long-term
archival and recovery of private encryption keys for end entities. A Certificate
Manager or Registration Manager can be configured to archive end entities'
private encryption keys with a Data Recovery Manager as part of the process
of issuing new certificates. The Data Recovery Manager is useful only if end
entities are encrypting data (using applications such as S/MIME email) that
the organization may need to recover someday. It can be used only with client
software that supports dual key pairs—that is, two separate key pairs, one for
encryption and one for digital signatures. This service is available in newer
clients only; for example, Communicator versions 4.7x (with Netscape Personal
Security Manager installed), Netscape 6.2, and Netscape 7.x all support
generation of dual key pairs. The Data Recovery Manager archives encryption
keys. It does not archive signing keys, since such archival would undermine
nonrepudiation properties of dual-key certificates.
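To make the dual-key-pair arrangement concrete, here is an added example (it is not from the manual, and it is a simplified stand-in for the archival request format CMS itself uses) built only from the openssl command line: the client generates separate signing and encryption key pairs, wraps only the encryption private key for the Data Recovery Manager, and the DRM later recovers it. The DRM storage key pair, every file name, and the hybrid AES-256 plus RSA-OAEP wrapping are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the manual, and not the archival format CMS itself uses):
# the dual-key-pair idea at the level of files and openssl commands. The client
# generates separate signing and encryption key pairs, wraps ONLY the encryption
# private key for transport to the Data Recovery Manager, and the DRM recovers it.
# Assumptions: OpenSSL 1.1.1 or later on PATH; all file names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_rsa FILE: unencrypted 2048-bit RSA private key written to FILE.
gen_rsa() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" >/dev/null 2>&1
}

# pub_fpr KEYFILE: SHA-256 of the DER public key, to compare keys without printing them.
pub_fpr() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{ print $NF }'
}

# archive_key KEYFILE: hybrid wrap for transport. A fresh random key-encryption key
# (KEK) protects the private key with AES-256; the KEK itself is encrypted under the
# DRM's storage public key with RSA-OAEP, so only the DRM's private key can unwrap it.
archive_key() {
  openssl rand -hex 32 > "$1.kek"
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1.kek" -in "$1" -out "$1.wrapped"
  openssl pkeyutl -encrypt -pubin -inkey drm.pub -pkeyopt rsa_padding_mode:oaep \
    -in "$1.kek" -out "$1.kek.enc"
  rm "$1.kek"
}

# recover_key KEYFILE: DRM side. Unwrap the KEK with the storage private key, then
# the archived private key. Prints the path of the recovered key.
recover_key() {
  openssl pkeyutl -decrypt -inkey drm.key -pkeyopt rsa_padding_mode:oaep \
    -in "$1.kek.enc" -out "$1.kek.recovered"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1.kek.recovered" \
    -in "$1.wrapped" -out "recovered-$1"
  rm "$1.kek.recovered"
  echo "recovered-$1"
}

# DRM: storage key pair; the public half is handed to enrolling clients.
gen_rsa drm.key
openssl pkey -in drm.key -pubout -out drm.pub

# Client: two independent key pairs, one per purpose (the "dual key pairs").
gen_rsa sign.key
gen_rsa enc.key

# Enrollment archives the encryption key only. The signing key is never wrapped,
# so the DRM can never produce it and signatures made with it stay attributable.
archive_key enc.key

# Recovery later: the DRM restores the encryption key and it matches the original.
RECOVERED="$(recover_key enc.key)"
if [ "$(pub_fpr enc.key)" = "$(pub_fpr "$RECOVERED")" ]; then
  echo "encryption key recovered: yes"
else
  echo "encryption key recovered: no"
fi
if [ -e sign.key.wrapped ]; then
  echo "signing key archived: yes"
else
  echo "signing key archived: no"
fi
```

The split the manual describes is enforced here by what is sent, not by policy text: the DRM holds material that can decrypt archived ciphertext, but nothing that could ever forge a signature, because the signing key never leaves the client.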
Online Certificate Status Manager—An Online Certificate Status Manager
performs the task of an online certificate validation authority, by enabling
OCSP-compliant clients to do real-time verification of certificates. The Online
Certificate Status Manager can receive CRLs from multiple Certificate
Managers and clients can query the Online Certificate Status Manager for the
revocation status of certificates issued by all these Certificate Managers. For
example, in a PKI comprising multiple CAs (a root CA and many subordinate
CAs) each CA can be configured to publish its CRL to the Online Certificate
Status Manager. This way, all clients in the PKI deployment can verify the
revocation status of a certificate by querying the Online Certificate Status
Manager.
Note that an online certificate-validation authority is often referred to as an
OCSP responder.
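The exchange described above, as an added example that is not part of the manual or of Netscape CMS: a throwaway PKI with two CAs, one revoked certificate, and a complete OCSP request, signed response, and client-side verification done with the openssl command line. One difference to keep in mind: the CMS Online Certificate Status Manager is fed CRLs, while openssl's responder (`openssl ocsp -index`) answers from the CA's own index database, so the script records revocation there; the request, the signed response, and the verification are the same OCSP exchange. Every CA name, subject, serial number, and file name is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the Netscape CMS manual): a throwaway two-CA PKI, one
# revoked end-entity certificate, and an OCSP request/response exchange answered
# offline by `openssl ocsp` in responder mode. Assumptions: OpenSSL 1.1.1 or later
# on PATH; every file, subject name and serial below is made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Fixed UTCTime values for the index database (constructed, not read from the certs).
EXPIRY="301231235959Z"       # expiry column
REVOKED_AT="240101000000Z"   # revocation time column

# make_ca NAME: self-signed CA certificate and key, plus an empty index database.
# openssl's responder reads this database (status, expiry, revocation time, serial,
# file, subject), whereas the CMS Online Certificate Status Manager is fed CRLs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
  : > "$1.index"
}

# issue_cert CA LEAF SERIAL_HEX: end-entity cert with a fixed serial, recorded as V (valid).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -set_serial "0x$3" -days 365 -out "$2.pem" >/dev/null 2>&1
  printf 'V\t%s\t\t%s\tunknown\t/CN=%s\n' "$EXPIRY" "$3" "$2" >> "$1.index"
}

# revoke_cert CA LEAF SERIAL_HEX: replace the entry with an R (revoked) row and a reason.
revoke_cert() {
  awk -F'\t' -v s="$3" '$4 != s' "$1.index" > "$1.index.tmp"
  printf 'R\t%s\t%s,keyCompromise\t%s\tunknown\t/CN=%s\n' \
    "$EXPIRY" "$REVOKED_AT" "$3" "$2" >> "$1.index.tmp"
  mv "$1.index.tmp" "$1.index"
}

# ocsp_status CA LEAF: the client builds the request (CertID = issuer name hash,
# issuer key hash, serial), the responder answers from that CA's database and signs
# with the CA key, and the client verifies the signature before trusting the status.
# Prints the status word (good, revoked, unknown) from the client's verified view.
ocsp_status() {
  openssl ocsp -issuer "$1.pem" -cert "$2.pem" -no_nonce \
    -reqout "$2.req.der" >/dev/null 2>&1
  openssl ocsp -index "$1.index" -CA "$1.pem" -rsigner "$1.pem" -rkey "$1.key" \
    -ndays 1 -reqin "$2.req.der" -respout "$2.resp.der" >/dev/null 2>&1
  openssl ocsp -respin "$2.resp.der" -issuer "$1.pem" -cert "$2.pem" \
    -CAfile "$1.pem" 2>/dev/null | awk -F': ' 'NR == 1 { print $2 }'
}

make_ca ca1
make_ca ca2
issue_cert ca1 alice 1001
issue_cert ca1 bob   1002
issue_cert ca2 carol 2001
revoke_cert ca1 bob 1002

for pair in "ca1 alice" "ca1 bob" "ca2 carol"; do
  set -- $pair
  printf '%s (issued by %s): %s\n' "$2" "$1" "$(ocsp_status "$1" "$2")"
done
```

Each query is routed to the revocation data of the CA that issued the certificate, which is exactly the point of the arrangement the manual describes: a responder can only answer for issuers whose revocation data it holds, so every CA in the deployment has to publish to it. The client side passes the CA certificate to `-CAfile` and checks the response signature before reading the status; a response the CA did not sign is reported as a verification failure, and the function prints nothing rather than a status.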
Since CAs can delegate some responsibilities to subordinate CAs, a Certificate
Manager might delegate responsibilities to one or more levels of subordinate
Certificate Managers, and each Certificate Manager can interact with multiple
Registration Managers. Therefore many complex variations are possible.
Three kinds of entities can access CMS subsystems: administrators, agents, and end
entities. Administrators are responsible for the initial setup and ongoing
maintenance of the subsystems. Administrators can designate users with special
privileges, called agents, for each subsystem. Agents manage day-to-day
interactions with end entities (people, SSL-enabled servers, routers, and so on) and
Chapter 1, Agent Services: Overview of Certificate Management System (page 15)