Service Pack 3-007 for GemSafe Libraries 4.2-015:

This document describes the limitations of GemSafe Libraries 4.2.0 SP3 and major 
improvements that have been made since the launch of the initial 4.2.i version.
Please read this document carefully for the most recent updates.

Bug fixes or improvements since the launch of GemSafe Libraries 4.2.0 SP2
-----------------------------------------------------
- Solved signature file checking when another program was using the base CSP (Id logon/147)
- Performance improvement (Id 755)
- Japanese localization improved (Id 747, 710)
- Corrected a problem using Outlook Web Access (Id 748)
- Corrected issues of the PIN GUI not being displayed when called from a wizard (Id 744)
- Corrected a display problem when the taskbar is moved up or right (Id 743)
- Stability improved (Id 709)
- Fixed: the CKM_SHA1_RSA_PKCS and CKM_MD5_RSA_PKCS mechanisms sometimes failed for signature and verification (Id 714)
- Fixed: signing with the CKM_SHA1_RSA_PKCS mechanism and 2048-bit key pairs failed for some lengths (Id 730)
- The ToolBox no longer locks non-Gemplus cards (Id 647)
- Generating a key pair when the public key is missing now works
- Now supports cards with EF up to 32Kb (Id 601)
- PIN window management corrected (Id 750)
- Improved CSP compatibility with the Microsoft TestSuite (Id 711)
- Corrected the path deletion issue during installation (Id 786, Id 777)

Bug fixes or improvements since the launch of GemSafe Libraries 4.2.0 SP1
-----------------------------------------------------
- Stability improved when changing cards (Id 655)
- The PKCS11 and Toolbox no longer hang (Id 687)
- Error message added when changing between standard and Identrus mode is not done properly by the calling application (Id 693)
- Better management of Identrus mapping with Netscape and Mozilla (Id 630)
- In Windows 98SE, it is now possible to access the www.cacert.org Web site (Id 638)
- The diagnostic tool no longer reports incorrect errors after the installation (Id 643)
- Performance improvement for Windows smart-card logon (Id 678)
- PC/SC context correctly re-allocated (Id 689)
- Improved handle management (Id 655, 670)
- Robustness improvement to support multi-threaded applications (Id 686)
- Support of automatic certificate registration from Win XP SP2 & Win 2003 SP1 (Id 680)
- Adapted Card Serial Number management to support the whole GemXpresso Pro3.2 smart-card range (Id 688)
- Modification to handle the GemSafe smart-card only (Id 626)
- Support of Microsoft AntiSpyware Beta version (Id 627)
- Other minor improvements (Id 681, 692)

Bug fixes or improvements since the launch of GemSafe Libraries 4.2.0
-----------------------------------------------------
- Robustness improvements (Id 296)
- No more limitations with the PKCS#11 signature mechanisms CKM_MD5_RSA_PKCS and CKM_SHA1_RSA_PKCS (Id 605, 606, 607)
- It is now possible to import a PKCS#12 not protected by a password (Id 612)
- When importing certificates from the IE store with strong protection activated for the private key, the password is only asked once (Id 613)
- Corrected management of the "Cancel" button in PIN windows (Id 615)
- Support of the Vasco Reader for signatures with an Identity key (Id 616)
- The PIN window to sign with the Identity key is always displayed when needed (Id 617)
- The PIN window always appears in the foreground (Id 618)
- When an error appears after a PIN has been verified for a signature with an Identity key, a message appears to inform the user about the error (Id 619)
- When using an Identrus only card, the word "Identrus" does not appear anymore in the PIN request (Id 620)
- Smart card logon is supported in Windows 2000 Server and Citrix (Id 622)
- In the Certificate Tool, for each certificate in which the CKA_LABEL attribute is empty, the tool recalculates it to display the correct name of the certificate to the user (Id 623)
- When there is no reader connected to the computer, all the buttons of the Certificate Tool are disabled (Id 625)
- Performance improvements
- Each session of a token now has its own mode (identrus/std)
- By default, when an incorrect PIN is entered in a PIN window displayed by the Libraries, a message is displayed and the PIN window appears again to the user


Limitations:
------------
Caution: Some non-standard installation path names are not supported and will disable 
the installation procedure.

* The PKCS#11/CSP application should be launched after the first smart card insertion.
* Generation of a user setup does not work under Windows 98 or NT as is: you need access to the makecab.exe file (only available on Windows 2000 and later). Copying this file to a Windows 98 or NT system works.
* You can sometimes encounter an error while unlocking the workstation with the smart card if the workstation has been accessed remotely with Terminal Service. In this case use Login/Password (Id 645).
* Once patched with the SP3 Admin, the GemSafe Libraries 4.2.0 + SP3 are not able to generate User setups that include the SP2; the user setup must be patched with the SP2 once deployed.
* The configuration file (.gsl) is not compatible between the different GemSafe Libraries releases (Id 320)
* GemSafe ToolBox does not support low Color Quality settings (i.e., less than 256 colors) for the display. (Id 134)
* The GemSafe ToolBox requires the use of the mouse (Id 135)
* It is not possible to correctly import a certificate on a GemSafe IS card using a browser; it is recommended that a certificate is generated and then imported on the card using the GemSafe ToolBox (Id 634)
* By default, it is not possible to use GemSafe Libraries and Intercede MyId on the same computer on which the Web server (IIS) is located.
To work around this, the Web server must run with the Local System rights instead of with the Network System rights.
Warning: this decreases the security of the server.
* In some situations, the function "erase all" does not erase every object on the card, and the amount of card memory space is less than expected. It is likely that proprietary objects occupy the used memory space. (Id 430)
* The configuration of the remote Unblock PIN window (help desk information and phone number) is done in the HelpDesk.ini file, which is found in the root of the default installation directory.
* The Weak PIN list in the PIN Policy tool is limited to 50 entries with PIN lengths of 16, and 100 entries with PIN lengths of 8. (Id 603)
* GemSafe Libraries supports a public or private Elementary File with a maximum size of 32768 bytes. (Id 601)

* Installation / Uninstallation limitations
- Installation problems on Win98 and Chinese OS
- Uninstalling the drivers of the readers is not recommended
- If the CD is removed during installation, the installation process will stop. In that case, contact the Gemplus hotline (Id 187)
- Installing the Administrator package and an End-user package on the same PC will not provide any features beyond those already offered by installing the Administrator package only. This kind of mixed configuration is not supported by GemSafe Libraries.
- After copying and pasting the contents of the EULA licence to a text editor, the installation screen window will be empty, but you can continue the installation as normal. (Id 124)
- If you have an issue installing GemSafe Libraries on top of a previous GemSafe Libraries installation, please manually remove the old GemSafe Libraries before installing. (Id 446)

* Limitations using Windows 9x, Me & NT4 Operating Systems:
- During installation, the InstallShield message "Files in Use" appears. Click Ignore and continue the installation as normal. (Id 167)
- In the SmartDiag utility, the error message "scardsvr.exe file is missing" may appear. If you receive this message, you should execute the RegTool again after its first use in a new installation. (Id 170)
- After the installation of GemSafe Libraries, we recommend that you restart the program twice to allow the Registration Tool to detect the smart card. (Id 260)
- Smart cards personalized with the T=1 protocol are not supported on the 9x and NT4 operating systems. (Id 580)
- After importing some certificates onto the card, the certificates are not always visible in the GemSafe ToolBox on Windows 98 (Id 639)
- After a registration with Mozilla, the "Register All" function may display an error (Id 640)

* Limitations using VPN software
- Sometimes the PIN dialog box is displayed behind another application; use ALT + TAB to select this dialog box.

* "Registration Tool" limitations
- The reader must be connected before launching the RegTool (Id 297)
- With the smart card, if the user tries to use the "Force user to change his PIN" feature and the user PIN is blocked, the RegTool displays the Change PIN dialog box, even though the card is blocked. Click the "Cancel" button. Use the ToolBox to unblock the PIN. (Id 272)
- If the RegTool is launched and active, erasing a certificate with the Certificate Tool will not be registered in the RegTool and the certificate icon is still present. In order to refresh the view, extract and re-insert your smart card. (Id 432)
- The first time, after the enrolment is finished, when the card is removed, the RegTool does not delete the certificate because the certificate was stored by Internet Explorer during the enrolment and not by the RegTool. (Id 631)
- Under Windows 98SE, after enrolling a new certificate with the Microsoft CSP, exporting it to a .pfx file, importing the certificate onto the smart card with the ToolBox, and removing and re-inserting the smart card, the RegTool does not register the certificate in the Internet Explorer certificate store (Id 639)


* GemPCKey reader limitation
- We recommend that you insert the GemPCKey reader to start your PC
- We do not recommend using the GemPCKey reader with Kerberos login when another card is already inserted. (Id 363)

* Limitations using Internet Explorer and Netscape
- If you export a certificate from a smart card, and the certificate has an associated key pair, the export process will fail using these programs. Use the export function of the Certificate Tool instead. (Id 412)


Behavior:
---------
* Kerberos Login behavior (under Windows 2000 and XP)
Depending on your Windows OS, entering the wrong PIN code during Kerberos Login
(without the correct certificate on the smart card) could change the behavior of the PIN
ratification counter. Furthermore, although the PIN code is systematically requested to
launch a Kerberos login, it is not systematically presented to the smart card.
WinLogon makes the preliminary verifications on the card, so that if a problem is
detected, the Kerberos login will fail before the PIN is presented. (Id 110)
Note: When the incorrect PIN has been entered, an ad hoc "Wrong PIN code" message
is displayed.
* If the user PIN on your smart card is not initialized, the error "Your credentials could
not be read" appears when trying Kerberos login. Use the manual Kerberos login
procedure and change your user PIN with the GemSafe ToolBox software. (Id 165)
* The behavior of the CSP (Cryptographic Service Provider) is different from GemSafe
version 3.2.x during a certificate request. The CSP does not display any progress
information during the request. This information should be provided by the API,
which calls the CSP. (Id 214)
* Localization
- The words "Admin", "User" and "Identrus" are not localized, i.e. not translated. These are present in the list box of the PIN section in the PIN Management tool.
In order to translate these words, you must modify the section in the policyname.ini file. (Id 505)
* Chip and card serial number
- By default, the PKCS#11 function C_GetTokenInfo returns the Card Serial Number instead of the Chip Serial Number.
The administrator can configure GemSafe Libraries to return the Chip Serial Number. Please contact Gemplus for support. (Id 597)
* With Citrix on Windows 2000, the PIN window is displayed. When you remove the card from the reader, the connection is closed. When you make a new connection, the PIN window is always displayed. Close it and continue.
* With the MSI installation version, if the GemSafe Libraries are already installed, they must be removed manually before installing GemSafe Libraries 4.2 SP3 006.




