
Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

Signing and validation of the configuration files

Required

Always

Configured in the following applications

...

Certificate requirements


  • If the key usage extension is marked critical, digitalSignature must be among the permitted usages

  • The issuing certificate has to be installed in the Identity Manager trust store

  • The certificate must not be self-signed

...

Signing and verification of the object history

Required

Always

Configured in the following applications

...

Send signed e-mails from IDM

Required

When e-mail signing is configured

Configured in the following application

...

  • A proper S/MIME certificate carrying the configured IDM e-mail sender address in the subject DN's E (emailAddress) field and/or as an RFC 822 name in the SAN extension

    • If the subject DN has no E field, the SAN extension must be marked critical

    • IDM up to 23.10.x only accepted SAN and ignored DN.E (fixed in IDM 24.R1)

  • Must not be self-signed

  • Key usage:
    If the extension is present, it must be critical and permit at least one of digitalSignature or nonRepudiation

  • Validity:
    Adhering to the CA/Browser Forum S/MIME requirements, https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods (825 days max. at the time of writing)
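The following Go program is an added example (not Smart ID Identity Manager code) that encodes the two rule sets above, the configuration-file / object-history signing rules and the S/MIME sender-certificate rules, as checks over a parsed X.509 certificate. It uses only Go's standard crypto/x509 package and the standard keyUsage, subjectAltName and PKCS#9 emailAddress OIDs; the function names, the test CA and the sender address idm@example.test are constructed for the example. nonRepudiation appears as x509.KeyUsageContentCommitment, which is the same key-usage bit under its newer name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Standard OIDs the checks need: keyUsage, subjectAltName (X.509) and emailAddress (PKCS#9).
var (
	oidKeyUsage       = asn1.ObjectIdentifier{2, 5, 29, 15}
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidEmailAddress   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
)

// MaxSMIMEValidityDays is the 825-day limit quoted on the page.
const MaxSMIMEValidityDays = 825

func findExt(c *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
	for i := range c.Extensions {
		if c.Extensions[i].Id.Equal(oid) {
			return &c.Extensions[i]
		}
	}
	return nil
}

// subjectEmails collects emailAddress attributes (the DN "E" field) from the subject.
func subjectEmails(c *x509.Certificate) []string {
	var out []string
	for _, atv := range c.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			out = append(out, s)
		}
	}
	return out
}

func isSelfSigned(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// CheckSigningCert applies the config-file / object-history rules: not self-signed,
// issuer present in the trust store, digitalSignature whenever keyUsage is critical.
func CheckSigningCert(c *x509.Certificate, trust *x509.CertPool) []string {
	var p []string
	if isSelfSigned(c) {
		p = append(p, "self-signed")
	}
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil {
		p = append(p, "issuer not in trust store: "+err.Error())
	}
	if ku := findExt(c, oidKeyUsage); ku != nil && ku.Critical && c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		p = append(p, "keyUsage is critical but lacks digitalSignature")
	}
	return p
}

// CheckSMIMECert applies the e-mail signing rules for the configured sender address.
func CheckSMIMECert(c *x509.Certificate, sender string) []string {
	var p []string
	dn := subjectEmails(c)
	match := func(list []string) bool {
		for _, e := range list {
			if strings.EqualFold(e, sender) {
				return true
			}
		}
		return false
	}
	if !match(dn) && !match(c.EmailAddresses) {
		p = append(p, "sender address not in subject DN E or SAN rfc822Name")
	}
	if san := findExt(c, oidSubjectAltName); len(dn) == 0 && (san == nil || !san.Critical) {
		p = append(p, "subject DN has no E attribute, so SAN must be present and critical")
	}
	if isSelfSigned(c) {
		p = append(p, "self-signed")
	}
	if ku := findExt(c, oidKeyUsage); ku != nil {
		if !ku.Critical {
			p = append(p, "keyUsage present but not critical")
		}
		if c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) == 0 {
			p = append(p, "keyUsage lacks digitalSignature and nonRepudiation")
		}
	}
	if c.NotAfter.Sub(c.NotBefore) > MaxSMIMEValidityDays*24*time.Hour {
		p = append(p, fmt.Sprintf("validity exceeds %d days", MaxSMIMEValidityDays))
	}
	return p
}

// MakeTestCerts builds a constructed CA and a leaf it issued, in memory only (sample data
// for this example, not a real PKI). inDN also puts the address in the subject DN as "E";
// with an empty subject Go marks the SAN extension critical, as RFC 5280 requires.
func MakeTestCerts(email string, inDN bool, days int) (leaf, ca *x509.Certificate, trust *x509.CertPool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // Go always emits keyUsage as critical
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: []string{email}, // SAN rfc822Name
	}
	if inDN {
		leafTmpl.Subject = pkix.Name{CommonName: "IDM mail sender",
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: email}}}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return
	}
	trust = x509.NewCertPool()
	trust.AddCert(ca)
	return
}

func main() {
	leaf, ca, trust, err := MakeTestCerts("idm@example.test", true, 365)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf as S/MIME sender:", CheckSMIMECert(leaf, "idm@example.test"))
	fmt.Println("leaf as config signer:", CheckSigningCert(leaf, trust))
	fmt.Println("CA as config signer:  ", CheckSigningCert(ca, trust))
}
```

Each check returns the list of violated rules, so a deployment script can run both functions against the PEM it is about to upload and refuse it when the list is non-empty. The trust-store rule is expressed as a chain build against the pool that stands in for the Identity Manager trust store, which also catches a leaf whose issuer is merely present but not a valid CA.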

hermodDeviceEnc

Info

Descriptor included in default configuration.

Bootstrapping is required for technical reasons, but with relaxed security requirements compared to the other use cases.

...