System Overview
48
Netscape Certificate Management System Installation and Setup Guide • May 2002
Data Recovery Manager
A Data Recovery Manager performs the long-term archival and recovery of private
encryption keys for end entities. A Certificate Manager or Registration Manager
can be configured to archive end entities’ private encryption keys with a Data
Recovery Manager as part of the process of issuing new certificates. End-entities do
not have direct access to the Data Recovery Manager.
The Data Recovery Manager is useful only if end entities are encrypting data (using
applications such as S/MIME email) that the organization may need to recover
someday. It can be used only with client software that supports dual key
pairs—that is, two separate key pairs, one for encryption and one for digital
signatures. This service is available in newer clients only; for example,
Communicator versions 4.7x (with Personal Security Manager installed) and
Netscape 6 support generation of dual key pairs. Dual key pairs allow an end
entity to get a new signing certificate and signing key pair without changing the
encryption certificate or encryption key pair.
Note that the Data Recovery Manager archives encryption keys. It does not archive
signing keys, since such archival would undermine nonrepudiation properties of
dual-key certificates. This crucial element of a PKI allows an authorized
key-recovery agent to recover an encryption key that has been lost or corrupted
without changing the signing certificate or signing key pair. For example, if agents
or administrators are authorized to perform key recover operations, they can
recover encryption keys for employees who have left the company or who are
unavailable for some other reason. In either case, once the encryption key has been
recovered, the user or administrator can use it to decrypt any data (such as saved
email messages) that was encrypted with that key.
The Data Recovery Manager uses two special key pairs in the process of archiving
an end entity’s encryption key: a transport key pair (and certificate) and a storage
key pair. The end entity must also have two key pairs: a signing key pair and an
encryption key pair. The roles of all these keys are summarized in Table 1-1.
Summary of Contents for NETSCAPE DIRECTORY SERVER 6.01
Page 1: ...Installation and Setup Guide Netscape Certificate Management System Version6 01 May 2002...
Page 22: ...22 Netscape Certificate Management System Installation and Setup Guide May 2002...
Page 32: ...32 Netscape Certificate Management System Installation and Setup Guide May 2002...
Page 160: ...160 Netscape Certificate Management System Installation and Setup Guide May 2002...
Page 776: ...776 Netscape Certificate Management System Installation and Setup Guide May 2002...
Page 807: ...807 Part 5 Appendix Appendix A Certificate Download Specification...
Page 808: ...808 Netscape Certificate Management System Installation and Setup Guide May 2002...
Page 830: ...830 Netscape Certificate Management System Installation and Setup Guide May 2002...