Annotation of certs/www/cadraft.html, revision 1.2

<html>
<head>
<title>Certificate Authorities and Digital Signatures</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table width="600" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td valign="top"> 
      <p><font face="Verdana, Arial, Helvetica, sans-serif"><a name="77079"></a><b>Certificate 
        Authorities and Digital Signatures</b></font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Instead of 
        changing the Universal XPConnect privileges (see "<a href="#77070">Setting 
        Up XPFE for Remote Applications</a>" earlier in this chapter), you could 
        create signed remote applications that can be granted access to users' 
        computers. A signed application is one that carries a digital signature, 
        which verifies that a file or group of files was created by the person or 
        organization you downloaded it from and has not been altered since it was 
        signed. In essence, if you trust the person or organization signing the 
        files, then you trust the files themselves.</font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The certificate 
        behind a digital signature originates from a certificate authority (CA), 
        an organization that claims responsibility for any signing certificate it 
        issues. CAs act as gatekeepers by allowing only people whom the organization 
        trusts to create digital signatures. Large CAs like Verisign, whose certificates 
        come preinstalled in many web browsers, enforce validity through large fees. 
        For example, if you can afford $600, then you are an organization with whom 
        the CA would be glad to associate. That $600 then also buys your application 
        respectability with users' web browsers. You can see the CAs that come 
        with the Mozilla browser by going to Privacy &amp; Security &gt; Certificates 
        in your preferences panel and then selecting the Manage Certificates 
        option. Of the different types of CA certificates (there is a type for SSL 
        connections, for example, and another for S/MIME), the Netscape Object Signing 
        certificate is what matters for signed applications.</font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Fortunately, 
        to get your remote applications signed by a CA, you don't have to pay 
        for a Verisign Netscape Object Signing certificate because other options 
        are available. You can use the MozDev CA, for example, or even create your 
        own. The next section tells you how to use Mozilla tools to become your own 
        certificate authority so you can sign your own applications and those of 
        other Mozilla developers. The "<a href="#77088">Creating Signed Remote Applications</a>" 
        section later in this chapter uses the MozDev CA to discuss both avenues.</font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a name="77080"></a> 
        <b>Mozilla Network Security Services (NSS)</b></font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The Mozilla 
        Network Security Services tools, which are described in detail at <i><a href="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</a></i>, 
        allow you to become your own Netscape Object Signing CA. By becoming your 
        own Netscape Object Signing CA, you can distribute signing certificates to 
        Mozilla application developers. You can obtain the tools via a simplified 
        distribution of NSS for Windows and Linux at <i><a href="http://certs.mozdev.org/">http://certs.mozdev.org</a></i>. 
        These tools allow you to become a CA and to package signed remote Mozilla 
        applications. Finally, the certutil commands work the same way on 
        Windows, Linux, and any other OS on which you run certutil.</font></p>
      <pre><font size="2">C:\NSS\bin\certutil -N -d CA</font></pre>
      <i>Example 12-9: <a name="77042"></a>Creating a root certificate</i> 
      <pre><font size="2">C:\NSS\bin>certutil -d CA -S -s "CN=mozdev.org root CA, O=mozdev.org" -n "mozdev.org" -t ",,C" -v 96 -x -1 -2 -5

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":


Generating key.  This may take a few moments...

                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
5
                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
9
Is this a critical extension [y/n]?
y
Is this a CA certificate [y/n]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
3
Is this a critical extension [y/n]?
y
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
7
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
9
Is this a critical extension [y/n]?
y</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -d CA -L</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -L -d CA -n &quot;mozdev.org&quot; -a -o CA/mozdev.cacert</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\pp -t certificate -a -i  CA/mozdev.cacert</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -d JAR -A -n &quot;mozdev.org&quot; -t &quot;,,C&quot; -i CA/mozdev.cacert</font></pre>
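      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The following 
        Python script is an added example; it is not part of this draft and not an 
        NSS tool. It decodes the answers typed in Example 12-9 (key usage 5, a CA 
        with path length 3, Netscape certificate type 7, the three extensions 
        requested with -1, -2 and -5) into the DER values that end up in the root 
        certificate's extensions, spells out what the -t ",,C" trust flags grant 
        when the root is imported into the JAR database, and reports any trust 
        slot (SSL, email, object signing) given CA trust that the certificate's 
        type does not justify, which is the check to make before importing someone 
        else's root. The menu tables mirror certutil's prompts, the encodings follow 
        X.509 DER, and the trust-letter meanings follow the certutil documentation; 
        all function and table names are the example's own.</font></p>

```python
"""Decode the certutil session in Example 12-9 and the -t trust flags.

Added example: reproduces what the interactive answers put into the root
certificate's extensions and what ",,C" trusts the certificate for.
"""

# Menu entries as certutil prints them; the menu number is the bit position
# in the extension's BIT STRING (bit 0 = most significant bit of byte 0).
KEY_USAGE_MENU = ["Digital Signature", "Non-repudiation", "Key encipherment",
                  "Data encipherment", "Key agreement", "Cert signing key",
                  "CRL signing key"]
NS_CERT_TYPE_MENU = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
                     "Reserved for future use", "SSL CA", "S/MIME CA",
                     "Object Signing CA"]


def selected_bits(menu, typed):
    """certutil keeps selecting while the answer is a valid menu number and
    stops at anything else ("Other to finish"); the session typed 5 then 9."""
    chosen = set()
    for answer in typed:
        if answer.isdigit() and int(answer) < len(menu):
            chosen.add(int(answer))
        else:
            break
    return chosen


def der_bit_string(bits):
    """DER-encode a named-bit list (KeyUsage, nsCertType): tag 0x03, length,
    number of unused trailing bits, then the value with trailing zero bits
    trimmed, as DER requires. keyCertSign alone encodes as 03 02 02 04."""
    if not bits:
        return b"\x03\x01\x00"
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = (8 - (highest + 1) % 8) % 8
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def der_basic_constraints(ca, path_len):
    """BasicConstraints SEQUENCE { cA BOOLEAN, pathLenConstraint INTEGER }.
    certutil treats a negative path length as unlimited, so it is omitted."""
    body = b"\x01\x01\xff" if ca else b""
    if ca and path_len is not None and 0 <= path_len < 128:
        body += bytes([0x02, 0x01, path_len])
    return bytes([0x30, len(body)]) + body


# Trust letters accepted by certutil -t, one field each for SSL, email and
# object signing ("ssl,email,objsign").
TRUST_LETTERS = {"p": "valid peer", "P": "trusted peer", "c": "valid CA",
                 "C": "trusted CA to issue certificates",
                 "T": "trusted CA for client authentication",
                 "u": "user certificate (private key present)",
                 "w": "send warning"}
TRUST_SLOTS = ("ssl", "email", "objsign")


def parse_trust_flags(flags):
    """Return the trust granted per slot; ",,C" trusts only object-signing."""
    fields = flags.split(",")
    if len(fields) != len(TRUST_SLOTS):
        raise ValueError("expected three comma-separated fields: ssl,email,objsign")
    result = {}
    for slot, letters in zip(TRUST_SLOTS, fields):
        unknown = set(letters) - set(TRUST_LETTERS)
        if unknown:
            raise ValueError(f"unknown trust letter(s) {sorted(unknown)} in {slot!r}")
        result[slot] = [TRUST_LETTERS[c] for c in letters]
    return result


# The nsCertType bit that justifies CA trust in each -t slot.
CA_BIT_FOR_SLOT = {"ssl": 5, "email": 6, "objsign": 7}


def excess_trust(cert_type_bits, flags):
    """Slots where -t grants CA trust ('C' or 'T') beyond the certificate's
    nsCertType: importing an object-signing root as "C,,C" would also make it
    a trusted TLS issuer, which the root was never meant to be."""
    parse_trust_flags(flags)  # raises on malformed input
    fields = dict(zip(TRUST_SLOTS, flags.split(",")))
    return sorted(slot for slot, letters in fields.items()
                  if ("C" in letters or "T" in letters)
                  and CA_BIT_FOR_SLOT[slot] not in cert_type_bits)


# Answers typed in Example 12-9: key usage 5 then 9; CA yes, path length 3;
# certificate type 7 then 9; then imported into the JAR database with ",,C".
SESSION_KEY_USAGE = selected_bits(KEY_USAGE_MENU, ["5", "9"])
SESSION_CERT_TYPE = selected_bits(NS_CERT_TYPE_MENU, ["7", "9"])


def session_summary():
    """What the session produced, as a dictionary for inspection."""
    return {
        "keyUsage": [KEY_USAGE_MENU[b] for b in sorted(SESSION_KEY_USAGE)],
        "keyUsage_der": der_bit_string(SESSION_KEY_USAGE).hex(),
        "basicConstraints_der": der_basic_constraints(True, 3).hex(),
        "nsCertType": [NS_CERT_TYPE_MENU[b] for b in sorted(SESSION_CERT_TYPE)],
        "nsCertType_der": der_bit_string(SESSION_CERT_TYPE).hex(),
        "import_trust": parse_trust_flags(",,C"),
        "excess_trust": excess_trust(SESSION_CERT_TYPE, ",,C"),
    }


if __name__ == "__main__":
    for key, value in session_summary().items():
        print(f"{key}: {value}")
```

      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Run as a 
        script, it shows that the root carries keyCertSign only, a CA flag with 
        path length 3, and the Object Signing CA type, and that ",,C" grants it 
        nothing in the SSL or email slots; giving it "C" in those slots would 
        show up under excess_trust.</font></p>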
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="3"><a name="77088"></a><b>Creating 
        Signed Remote Applications</b></font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Security 
        in Mozilla's web browser is designed to meet today's advanced scripting 
        needs in a secure manner. Mozilla is a much more secure browser than past 
        Netscape 4.x and Internet Explorer releases because it has a better sense 
        of what remote scripts can and cannot do.</font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Because of 
        Mozilla's approach toward potentially insecure applications, if you decide 
        to serve up your own application remotely, remember that you will not 
        have automatic access to the chrome in the way you do when you have a 
        registered, locally installed Mozilla application. Unless you sign your 
        application or have the user turn on a special preference (see "<a href="#77070">Setting 
        Up XPFE for Remote Applications</a>"), services like XPConnect will not 
        be available.</font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">In Mozilla, 
        you can bundle any number of files into a JAR archive (which, you'll recall 
        from <a href="http://books.mozdev.org/chapters/ch06.html#77063">Chapter 
        6</a>, is just a zip file with a JAR suffix) and designate the archive 
        as an object that can be signed. This designation makes it very easy to 
        produce an entire signed and secure remote Mozilla application because 
        it stores your application in a single file type that Mozilla already 
        treats as a separate package.</font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">This section 
        provides an overview of the signed script technology and shows you how 
        to create signed applications that live on the server but take full advantage 
        of the user's local chrome, including Mozilla components.</font></p>
      <pre><font size="2">C:\NSS\bin\certutil -N -d JAR</font></pre>
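      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">The following 
        Python script is an added example and is not part of this draft or of 
        Mozilla's signing tools. It shows the part of a signed JAR that ties the 
        signature to the bundled files: a META-INF/manifest.mf that lists a SHA1 
        digest for every member, which is what the signature later covers. It 
        builds a small constructed application archive, checks every member 
        against the manifest, and reports a file that was altered after the 
        manifest was written. The signature itself (the signature file and the 
        PKCS#7 blob the signing tool places next to the manifest) is not produced 
        here; the file names and contents are made up for the example, and the 
        manifest layout follows the JAR specification.</font></p>

```python
"""Build and verify the digest manifest of a JAR-packaged Mozilla application.

Added example: the manifest is the layer a JAR signature covers, so any file
changed after signing no longer matches it. Only the standard library is used.
"""
import base64
import hashlib
import io
import zipfile

# Constructed sample application (not from the page): a XUL window and a
# script that asks for the privilege discussed in this chapter.
SAMPLE_FILES = {
    "content/app.xul": b"<window xmlns='http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'/>",
    "content/app.js": b"netscape.security.PrivilegeManager.enablePrivilege('UniversalXPConnect');",
}


def sha1_b64(data):
    """Digest value in the form JAR manifests use: base64 of the raw SHA1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def manifest_for(files):
    """META-INF/manifest.mf: a main section, then one Name:/SHA1-Digest:
    section per file, sections separated by a blank line (JAR spec layout)."""
    lines = ["Manifest-Version: 1.0", "Created-By: added example (hypothetical)", ""]
    for name in sorted(files):
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(files[name])}", ""]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return {member name: expected SHA1 digest} from the per-file sections."""
    entries = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        attrs = {}
        for line in section.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        if "Name" in attrs and "SHA1-Digest" in attrs:
            entries[attrs["Name"]] = attrs["SHA1-Digest"]
    return entries


def build_jar(files):
    """Zip the files together with their manifest; a .jar is just a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/manifest.mf", manifest_for(files))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar_bytes):
    """Check every non-META-INF member against the manifest digest.
    Returns a list of problems; an empty list means the contents match."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        members = [n for n in z.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")]
        try:
            entries = parse_manifest(z.read("META-INF/manifest.mf").decode("utf-8"))
        except KeyError:
            return ["no META-INF/manifest.mf"]
        for name in members:
            expected = entries.get(name)
            if expected is None:
                problems.append(f"{name}: not listed in manifest")
            elif sha1_b64(z.read(name)) != expected:
                problems.append(f"{name}: digest mismatch")
        for name in entries:
            if name not in members:
                problems.append(f"{name}: listed in manifest but missing from archive")
    return sorted(problems)


def replace_member(jar_bytes, name, new_data):
    """Rewrite one member and leave everything else untouched, to simulate a
    file modified after the manifest was produced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_jar(SAMPLE_FILES)
    print("intact archive:", verify_jar(jar) or "OK")
    modified = replace_member(jar, "content/app.js", b"// changed after packaging")
    print("modified archive:", verify_jar(modified))
```

      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">The 
        verifier is deliberately strict in both directions: a member the manifest 
        does not list is reported as well as a listed member that is missing or 
        changed, because a signature over the manifest says nothing about files 
        added to the archive afterwards.</font></p>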
    </td>
  </tr>
</table>
</body>
</html>
