         Release Notes for PGP Certificate Server 
              Version 2.5.1 for Windows NT
     Copyright (c) 1990-2000 by Networks Associates 
     Technology, Inc., and its Affiliated Companies. 
                 All Rights Reserved.

     ----------------------------------------------
     -                HOTFIX 4                    -
     ----------------------------------------------


Thank you for using Network Associates' products.
This What's New file contains important information
regarding this HotFix release. Network Associates
strongly recommends that you read this entire
document.

Network Associates welcomes your comments and
suggestions. Please use the information provided in
this file to contact us.

Warning: Export of this software may be restricted
by the U.S. Government.


___________________
WHAT'S IN THIS FILE

- The Purpose of this HotFix
- What this HotFix Does
- Files Included with this HotFix
- Installation
- Issues Resolved in Previous HotFixes
- Contacting Network Associates
- Copyright and Trademark Attributions


__________________________
THE PURPOSE OF THIS HOTFIX

This HotFix corrects a security-related bug with
Additional Decryption Keys (ADKs) that may allow
sophisticated attackers to add unauthorized ADK 
key IDs to the unhashed areas of PGP public keys.

For more information about this bug, please 
review the PGP ADK Security Advisory available
on www.pgp.com.

  Note: HotFix 4 incorporates HotFix 1, 2 and 3
  for pgpcertd. This HotFix (4) does not 
  incorporate the pgprepd HotFix 1. The issues
  resolved in the previous HotFix releases are
  listed below.

_____________________
WHAT THIS HOTFIX DOES

For PGP Certificate Server 2.5.1, this HotFix
includes an updated PGP_SDK.DLL and PGPCERTD.EXE, 
which require that ADK and other subpackets be 
within the hashed subpacket portion of the 
self-signature.

Once the HotFix is installed on the PGP Certificate
Server, the server inspects keys as they are added
to the server and removes any signatures containing
the unhashed subpackets described in the 
advisory. 

The HotFix installation process also removes any
signatures containing such subpackets from keys
already residing on the server.
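
The check described above can be sketched as follows. This is
an added example, not Network Associates code: it parses a
version 4 OpenPGP signature packet body and reports ADK
subpackets that sit in the unhashed area. The subpacket type
number (10) and the sample data are assumptions not taken
from this file, and only the ADK subpacket is checked.

```python
import struct

ADK = 10  # OpenPGP subpacket type PGP uses for an ADK; value not given on the page

def parse_subpackets(area):
    """Return [(type, body), ...] for one v4 signature subpacket area."""
    out, i = [], 0
    try:
        while i < len(area):
            first = area[i]
            if first < 192:                      # one-octet length
                length, i = first, i + 1
            elif first < 255:                    # two-octet length
                length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
            else:                                # five-octet length
                length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
            if length == 0 or i + length > len(area):
                raise ValueError("subpacket overruns its area")
            out.append((area[i] & 0x7F, area[i + 1:i + length]))  # drop critical bit
            i += length
    except (IndexError, struct.error):
        raise ValueError("truncated subpacket length") from None
    return out

def split_areas(sig):
    """Split a v4 signature packet body into (hashed, unhashed) subpacket areas."""
    if len(sig) < 8 or sig[0] != 4:
        raise ValueError("not a version 4 signature body")
    hlen = struct.unpack(">H", sig[4:6])[0]
    if len(sig) < 8 + hlen:
        raise ValueError("truncated hashed area")
    ulen = struct.unpack(">H", sig[6 + hlen:8 + hlen])[0]
    if len(sig) < 8 + hlen + ulen:
        raise ValueError("truncated unhashed area")
    return sig[6:6 + hlen], sig[8 + hlen:8 + hlen + ulen]

def unhashed_adks(sig):
    """ADK subpacket bodies found outside the hashed (signed) area."""
    return [body for t, body in parse_subpackets(split_areas(sig)[1]) if t == ADK]

# Constructed sample data: fake fingerprint and key ID, signature MPIs omitted.
def _sub(sp_type, body):
    return bytes([len(body) + 1, sp_type]) + body

def _sig(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

ADK_BODY = bytes([0x80, 17]) + bytes(range(20))   # class, algorithm, fingerprint
ISSUER = _sub(16, bytes(8))
GOOD = _sig(_sub(ADK, ADK_BODY), ISSUER)          # ADK covered by the signature
BAD = _sig(_sub(2, bytes(4)), ISSUER + _sub(ADK, ADK_BODY))  # ADK appended unsigned
```

A non-empty result from unhashed_adks() marks a signature of
the kind the HotFix removes; an ADK in the hashed area, as in
GOOD, is left alone.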


_______________________________
FILES INCLUDED WITH THIS HOTFIX

This HotFix consists of the following files:

        PGP_SDK.DLL = PGP core cryptographic library.

       PGPCERTD.EXE = PGP Certificate Server executable
                       
         HOTFIX.TXT = (This file.)


____________
INSTALLATION

To install this HotFix, follow the steps below.

* INSTALLATION STEPS *

Installing this HotFix is a manual process in which
you replace the existing PGP_SDK.DLL and PGPCERTD.EXE
files on your machine with the ones included in this
HotFix, and then export and re-import the database.


1.  Close all running applications and stop the PGP 
    Certificate Server and Replication Engine services.

2.  Replace the old PGP_SDK.DLL on your machine
    with the PGP_SDK.DLL included with this 
    HotFix.
   
    This file can typically be found in the following
    directory:

    C:\winnt\system32

    Replace the old PGPCERTD.EXE on your machine with
    the PGPCERTD.EXE included with this HotFix.

    This file can typically be found in the following
    directory:

    c:\Program Files\Network Associates\PGPcertd\bin

  Note: If you get an error message telling you
  that the file is 'locked' or 'in use', you must 
  set the Windows NT Services for manual startup, and
  restart the system in order to complete this step.
  Be sure to reset the original startup settings
  once this step is completed.

3.  At a Windows command prompt, change to your 
    installation's bin\ directory:

    cd c:\Program Files\Network Associates\PGPcertd\bin

4.  Use PGPexport to export the database:   

    pgpexport ..\data dump.pgp

5.  Delete the data files in the data directory:

    del ..\data\*.*

6.  Recreate the database:

    pgpcertd -n

7.  Re-import the database:

    pgpimport dump.pgp ldap://localhost

8.  Re-disable any keys that were disabled.

9.  To complete the installation of the
    HotFix, restart your computer.



* REMOVING THIS HOTFIX *

To remove this HotFix from your computer, reinstall your
original PGP Certificate Server 2.5.1 software.

NOTE: Network Associates recommends that you do NOT remove
      the HotFix file from your PGP installation
      once you have installed it. If you reinstall your
      PGP Certificate Server 2.5.1 product, Network
      Associates recommends that you also reinstall this
      HotFix.


____________________________________
ISSUES RESOLVED IN PREVIOUS HOTFIXES

*  Resolved a replication looping issue, which may
   have occurred with two-way replication on PGP 
   Certificate Server 2.5.1 when revoked keys revoked
   by a designated revoker were added to the server.

*  Added additional logging information for Delete
   operations, so that the full list of deleted keys
   is displayed in the log.

*  The released version of the Certificate Server,
   when configured with a single MustSigID and the
   TrimUsers and TrimSigs features enabled, would
   prevent that MustSigID key from being uploaded
   to the server. Added the ability for the server to
   accept that key.
 
*  Resolved an issue with the indexing of certain 
   revoked keys. A problem existed when
   performing a KeyStatus-is-revoked search.

*  Resolved a potential looping issue which may have
   occurred if the replication daemon was down and a
   key was added to and then deleted from the 
   server, followed by re-starting the replication
   daemon.

*  Resolved a potential Denial of Service vulnerability
   in PGP Certificate Server 2.5.1. This may have
   occurred when devices attempted to connect
   to the PGP Certificate Server management port
   (port 4000 by default) if incoming DNS/NetBIOS
   traffic was blocked to the PGP Certificate Server.

*  Resolved a potential Denial of Service vulnerability
   in PGP Certificate Server 2.5.1. This may
   have occurred when devices attempted to connect to
   the PGP Replication port (port 5000 by default) if
   incoming DNS/NetBIOS traffic was blocked to the PGP
   Certificate Server.

*  Resolved a replication looping issue which may have
   occurred with two-way replication on PGP Certificate
   Server 2.5.1 when revoked keys were added to the
   server.


_____________________________
CONTACTING NETWORK ASSOCIATES

You may direct all questions, comments, or requests 
concerning the software you purchased, your registration 
status, or similar issues to the Network Associates 
Customer Service department at the addresses or phone 
numbers listed below.

Contact the Network Associates Customer Service department
between 8:00 a.m. and 8:00 p.m. Central Time, Monday 
through Friday, at:

     Network Associates Customer Service
     4099 McEwen Road, Suite 500
     Dallas, Texas 75244

     Contact information for corporate-licensed
     customers:

     Phone:  (972) 308-9960 
     Email:  services_corporate_division@nai.com
     Web:    http://support.nai.com

     Contact information for retail licensed
     customers:

     Phone:  (972) 308-9960
     Email:  cust_care@nai.com
     Web:    http://www.pgp.com


Send correspondence to the following
Network Associates location:

     Network Associates Corporate Headquarters
     3965 Freedom Circle
     McCandless Towers
     Santa Clara, CA 95054

Or, you can receive online assistance through
any of the following resources:

 1.  World Wide Web:  http://support.nai.com

 2.  Telephone technical support

     Corporate-licensed customers: (972) 308-9960

     Contact Network Associates Customer Service for 
     information about technical support 
     subscription plans.

     Retail-licensed customers:    (972) 855-7044


To provide the answers you need quickly and
efficiently, the Network Associates technical
support staff needs some information about your 
computer and your software. Please have this 
information ready when you call:

 - Program name and version number
 - Computer brand and model
 - Any additional hardware or peripherals
   connected to your computer
 - Operating system type and version numbers
 - Network name, operating system, and version
 - Network card installed, where applicable
 - Modem manufacturer, model, and bits-per-
   second rate, where applicable
 - Relevant browsers or applications and their
   version numbers, where applicable
 - How to reproduce your problem: when it
   occurs, whether you can reproduce it
   regularly, and under what conditions
 - Information needed to contact you by voice,
   fax, or email



*FOR PRODUCT UPGRADES*

Network Associates has a worldwide range of
partnerships and reseller relationships with
hundreds of independent vendors, each of which
can provide you with consulting services, sales
advice, and product support for Network
Associates software. To find a reseller near
your location, see the RESELLER.TXT file
located on your product CD-ROM or installed on
your hard disk. For assistance in locating a
local reseller, you can also contact Network
Associates Customer Service at (972) 
308-9960.


*FOR REPORTING PROBLEMS*

Network Associates prides itself on delivering
a high-quality product. If you find any
problems, please take a moment to review the
contents of this file. If the problem you've
encountered appears in the Known Issues section
of this README.TXT file, Network Associates is
already aware of the problem, and you need not
report it.

If you find any feature that does not appear to
function properly on your system, or if you
believe an application would benefit greatly
from enhancement, please contact Network
Associates or one of its resellers with your
suggestions or concerns.


*FOR ON-SITE TRAINING INFORMATION*

Contact Network Associates Customer Service at
(800) 338-8754.


____________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

Copyright (c) 1999 Networks Associates Technology, Inc.
All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language in any form or by
any means without the written permission of Networks
Associates Technology, Inc., or its suppliers or affiliate
companies.

* TRADEMARKS *

* ActiveHelp, Bomb Shelter, Building a World of Trust,
CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop,
CyberMedia, Data Security Letter, Discover, Distributed
Sniffer System, Dr Solomons, Enterprise Secure Cast,
First Aid, ForceField, Gauntlet, GMT, GroupShield,
HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading
Help Desk Technology, Magic Solutions, MagicSpy, MagicTree,
Magic University, MagicWin, MagicWord, McAfee, McAfee
Associates, MoneyMagic, More Power To You, Multimedia
Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan,
Net Shield, NetShield, NetStalker, Net Tools, Network
Associates, Network General, Network Uptime!, NetXRay,
Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good
Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good
Privacy, PrimeSupport, RecoverKey, RecoverKey-International, 
ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, 
SecureCast, Service Level Manager, ServiceMagic, Site Meter,
Sniffer, SniffMaster, SniffNet, Stalker, Statistical
Information Retrieval (SIR), SupportMagic, Switch PM,
TeleSniffer, TIS, TMach, TMeg, Total Network Security,
Total Network Visibility, Total Service Desk, Total Virus
Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller,
Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield,
WebScan, WebShield, WebSniffer, WebStalker, WebWall, and
ZAC 2000 are registered trademarks of Network Associates
and/or its affiliates in the US and/or other countries.
All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

* LICENSE AGREEMENT *

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE
TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES,
CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE
DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT
FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT
AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL
THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
THE PLACE OF PURCHASE FOR A FULL REFUND.