GemSafe Libraries 4.2.0-015 : Gold Release

This document describes the limitations of GemSafe Libraries 4.2.0 and major 
improvements that have been made since the launch of its initial 4.1.i version.
Please read this document carefully for the most recent updates.


Improvements Since launch of GemSafe Libraries 4.1.i
-----------------------------------------------------
- Import / export certificate
- Remote unblock PIN (Help Desk tool not provided)
- Citrix compliant
- Terminal Services compliant
- Support GemXpresso GemSafe-IS smart card (Identrus keys only)
- Support GemXpresso GemSafe smart card with user PIN (for non-Identrus keys) and Identrus PIN (for Identrus keys)
- VASCO reader support (driver not included)
- Support Windows XP SP2
- Japanese language supported


Limitations:
------------
Caution: Some non-standard installation path names are not supported and will disable 
the installation procedure.
 The configuration file (.gsl) is not compliant between the different GemSafe 
Libraries releases (Id 320)
 Uninstalling the reader drivers is not recommended.
 GemSafe ToolBox does not support low Color Quality settings (i.e., less than 256 
colors) for the display. (Id 134)
 The GemSafe ToolBox requires the use of the mouse (Id 135)


 In some situations, the function "erase all" does not erase every object on the card, and the amount of card 
memory space is less than expected. Proprietary objects likely occupy the used memory space. (Id 430)
 The "Unblock PIN remotely" window (help desk information and phone number) is configured in the HelpDesk.ini file,
which is found in the root of the default installation directory. 
 The Weak PIN list on the Pin Policy tool is limited to 50 entries with PIN lengths of 16, and 
100 entries with PIN lengths of 8. (Id 603)
 GemSafe Libraries supports a public or private Elementary File with a maximum size of 16384 bytes. (Id 601)
 There are limitations with the PKCS#11 signature mechanisms CKM_MD5_RSA_PKCS and CKM_SHA1_RSA_PKCS.
 The use of CKM_RSA_PKCS is recommended. (Id 604)
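
 Added example (not Gemplus code): under CKM_RSA_PKCS the token does not hash the data or build the
 DigestInfo, so an application moving off CKM_SHA1_RSA_PKCS or CKM_MD5_RSA_PKCS must do both on the
 host before calling C_Sign. The function names below are hypothetical, and the C_Sign call itself is not shown.

```python
import hashlib

# DER DigestInfo prefixes for PKCS #1 v1.5 signatures (RFC 8017, section 9.2).
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}


def digest_info(hash_name: str, message: bytes) -> bytes:
    """Bytes the application passes as pData to C_Sign under CKM_RSA_PKCS."""
    try:
        prefix = DIGESTINFO_PREFIX[hash_name]
    except KeyError:
        raise ValueError(f"no DigestInfo prefix for {hash_name!r}") from None
    return prefix + hashlib.new(hash_name, message).digest()


def encoded_block(hash_name: str, message: bytes, modulus_bits: int) -> bytes:
    """Block the card pads and signs: 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(hash_name, message)
    k = modulus_bits // 8  # modulus length in bytes
    if len(t) > k - 11:    # v1.5 padding needs at least 11 bytes of overhead
        raise ValueError("DigestInfo too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not from the page
    for name in ("sha1", "md5"):
        print(name, digest_info(name, msg).hex())
    print(encoded_block("sha1", msg, 1024).hex())
```

 A signature made this way verifies exactly like one produced by the hash-and-sign mechanisms,
 because the padded block is the same.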

 Installation / Uninstallation limitations 
- If the CD is removed during installation, the installation process will stop. You 
should therefore contact the Gemplus Hot line. (Id 187)
- Installing the Administrator package and an End-user package on the same PC will 
not provide any additional features than those already offered with the installation of 
the Administrator package only. This kind of mixed configuration is not supported by 
GemSafe Libraries.
- After copying and pasting the contents of the EULA licence to a text editor the 
installation screen window will be empty but you can continue the installation as 
normal. (Id 124)
- If you have an issue installing GemSafe Libraries over the top of a former GemSafe Libraries installation, please manually remove 
the old GemSafe Libraries before installing. (Id 446)

 Limitations using Windows 9x, Me & NT4 Operating Systems:
- During installation, the following InstallShield message occurs "Files in Use". Click 
Ignore and continue the installation as normal. (Id 167)
- In the SmartDiag utility, the error message "scardsvr.exe file is missing" may appear. 
If you receive this message, you should execute the RegTool again after its first use in 
a new installation. (Id 170)
- After the installation of GemSafe Libraries, we recommend that you restart the 
program twice to allow the Registration Tool to detect the smart card. (Id 260)
- Smart cards personalized with the T=1 protocol are not supported on the 9x and NT4 operating systems. (Id 580)

 Limitations using VPN software 
- Sometimes the PIN dialog box is displayed behind another application; use the ALT + TAB keys to select this dialog box. 

 "Registration Tool" limitations
- The reader must be connected before launching the RegTool (Id 297)
- With the smart card, if the user tries to use the "Force user to change his PIN" feature and the user PIN is blocked,
the RegTool displays the Change PIN dialog box, even though the card is blocked. Click the "Cancel" button. 
Use the ToolBox to unblock the PIN. (Id 272)
- If the RegTool is launched and active, erasing a certificate with the Certificate Tool will not be registered 
in the RegTool and the certificate icon is still present. 
In order to refresh the view, extract and re-insert your smart card. (Id 432)

 GemPCKey reader limitation
- We recommend that you insert the GemPCKey reader before starting your PC.
- We do not recommend you use the GemPCKey reader with Kerberos login when 
another card is already inserted. (Id 363)

 Limitations using Internet Explorer and Netscape
- If you export a certificate from a smart card, and the certificate has an associated key pair, the export process 
will fail using these programmes. Use the export function of the Certificate Tool instead. (Id 412)


Behavior:
---------
 Kerberos Login behavior (under Windows 2000 and XP)
Depending on your Windows OS, entering the wrong PIN code during Kerberos Login 
(without the correct certificate on the smart card) could change the behavior of the PIN 
ratification counter. Furthermore, although the PIN code is systematically requested to 
launch a Kerberos login, it is not systematically presented to the smart card. 
WinLogon makes the preliminary verifications on the card, so that if a problem is 
detected, the Kerberos login will fail before the PIN is presented. (Id 110)
Note: When the incorrect PIN has been entered an ad hoc "Wrong PIN code" message 
is displayed.
 If the user PIN on your smart card is not initialized, the error "Your credentials could 
not be read" appears when trying Kerberos login. Use the manual Kerberos login 
procedure and change your user PIN with the GemSafe ToolBox software. (Id 165)
 The behavior of the CSP (Cryptographic System Provider) is different to GemSafe 
version 3.2.x during a certificate request. The CSP does not display any progress 
information during the request. This information should be provided by the API, 
which calls the CSP. (Id 214)
 Localization
- The words "Admin", "User" and "Identrus" are not localized, i.e. not translated. These are present in the list box 
of the PIN section in the PIN Management tool. 
In order to translate these words, you must modify the section in the policyname.ini file. (Id 505)
 Chip and card serial number
- By default, the PKCS#11 function C_GetTokenInfo returns the Card Serial Number instead of the Chip Serial Number. 
The administrator can configure GemSafe Libraries to return the Chip Serial Number. Please contact Gemplus for support. 
(Id 597)




