| From | Roedy Green <see_website@mindprod.com.invalid> |
|---|---|
| Newsgroups | comp.lang.java.security |
| Subject | REAL code-signing certificates FREE. |
| Date | 2011-11-20 12:33 -0800 |
| Organization | Canadian Mind Products |
| Message-ID | <8tmic7tgjpqf4e9gu24jdtm6pk0updvp1q@4ax.com> (permalink) |
I had an idea of how code-signing certificates could be free, but would still offer almost as much security as the $300 a year ones from Thawte do now. There would be no more excuse ever to use phony certs.

The cost of the certificate is the manual labour verifying that the person applying for the cert is indeed who he says he is. This is quite a production.

My idea is to issue certs in the name of a WEBSITE, not a person. Here is how it works. It is fully automated on the server side. That is why it can be offered free.

The programmer types:

```
rem generate private/public key pair for code-signing cert
keytool -genkey -keyalg RSA -alias pluginsigner -dname "CN=mindprod.com, OU=Secure Application Development, O=Canadian Mind Products, L=Victoria, S=BC, C=CA"

REM export cert request
keytool -certreq -alias pluginsigner -file certrequest.csr
```

The programmer then uploads certrequest.csr to the root directory of the website. The very fact he can do this is fairly strong proof he also has authorisation to sign code.

Then the programmer visits the Consolidated Moose Pasture site, the CA for this kind of cert. He fills in a form giving his email address and the name of the website. The CMP server then downloads the request and queues it for overnight processing.

Once a day an operator burns a CD of the requests and sneakernets them to an old machine with no LAN or Internet connection. It signs all the requests with the CMP private key. These are sneakernetted back to the server, which sends the signed certs via email to the applicants. If a request comes in for a cert already issued, we just send a copy of the previously created cert. There is nothing secret about the traffic going back and forth.

It could happen that a programmer could fail to back up his private key. CMP does not have it, and has never seen it, so they cannot help. All they could do is revoke the first cert and issue a new one.

There should be a $40 fee for revoking a cert, and CMP will not issue more than one cert per website.

How would someone abuse this system? They could create dozens of code signing certs by renting domains, getting the cert, then canceling the domain. They might diddle DNS records to point to websites other than what they purport. A disgruntled employee could get a code signing cert, then "burn" it, just to screw the company when it went to get the official one.

These certs are worthless unless Oracle includes the root cert in the Java distribution. Oracle would not want to do that because:

1. it would upset Verisign/Thawte who sell expensive certs.
2. It is not as secure as what Thawte does.

They would want to do it because then ALL code would be signed, even apps. There would be no excuse for not signing.

Perhaps the Oracle code that checks signatures could use different wording in its warning message based on the reputability of the CA. There would be at least 3 levels.

1. self signed
2. CMP style
3. Verisign/Thawte style

--
Roedy Green Canadian Mind Products http://mindprod.com
I can't come to bed just yet. Somebody is wrong on the Internet.
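The CA-side intake rules the post describes (cert bound to a website, at most one cert per website, a repeat request re-sends the existing cert, revocation frees the slot), as an added example that is not part of the post. The CSR subject is stood in for by the keytool -dname string the post uses, the offline signing run is a placeholder string, and the CSR-fetch-from-website-root step is a constructed in-memory dict; the requirement that the CSR's CN equal the requesting website is my assumption about how the domain binding would be checked.

```python
from dataclasses import dataclass, field

def parse_dname(dname: str) -> dict:
    """Parse a keytool-style -dname string ("CN=a, OU=b, ...") into a dict."""
    parts, cur, chars = [], [], iter(dname)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # backslash-escaped char taken literally
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out.setdefault(key.strip().upper(), value.strip())  # first key wins
    return out

# Constructed stand-in for what the CA fetches from http://<site>/certrequest.csr
UPLOADED_CSRS = {
    "mindprod.com": "CN=mindprod.com, OU=Secure Application Development, "
                    "O=Canadian Mind Products, L=Victoria, S=BC, C=CA",
    "other.example": "CN=evil.example, O=Acme\\, Inc, C=CA",  # CN does not name the site
}

@dataclass
class WebsiteCA:
    """One cert per website; a repeat request re-sends it; revoking frees the slot."""
    uploaded: dict                                # site -> dname found at its root
    issued: dict = field(default_factory=dict)    # site -> signed cert (stand-in)

    def request(self, site: str) -> tuple:
        site = site.lower()
        if site in self.issued:                   # already issued: send the copy again
            return "resend", self.issued[site]
        dname = self.uploaded.get(site)
        if dname is None:
            return "reject", "no certrequest.csr at the website root"
        cn = parse_dname(dname).get("CN", "").lower()
        if cn != site:                            # assumption: CN must equal the website
            return "reject", f"CSR CN {cn!r} does not match website {site!r}"
        cert = f"cert:{site}:signed-by-CMP"       # stand-in for the offline signing run
        self.issued[site] = cert
        return "issued", cert

    def revoke(self, site: str) -> bool:
        return self.issued.pop(site.lower(), None) is not None
```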