Annotation of certs/www/cadraft.html, revision 1.6

1.1       eric        1: <html>
                      2: <head>
1.3       eric        3: <title>cadraft</title>
1.1       eric        4: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
                      5: </head>
                      6: 
                      7: <body bgcolor="#FFFFFF" text="#000000">
                      8: <table width="600" border="0" cellspacing="0" cellpadding="0">
                      9:   <tr>
                     10:     <td valign="top"> 
                     11:       <p><font face="Verdana, Arial, Helvetica, sans-serif"><a name="77079"></a><b>Certificate 
                     12:         Authorities and Digital Signatures</b></font></p>
                     13:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Instead of 
                     14:         changing the Universal XPConnect privileges (see "<a href="#77070">Setting 
                     15:         Up XPFE for Remote Applications</a>" earlier in this chapter), you could 
                     16:         create signed remote applications that can be granted access to users' 
                     17:         computers. A signed application is one that carries a digital 
                     18:         signature, which verifies that a file or group of files was created by 
                     19:         the person or organization from which you downloaded them, and that they are trustworthy. 
                     20:         In essence, if you trust the person or organization signing the files, 
                     21:         then you trust the files themselves.</font></p>
                     22:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Digital signatures 
                     23:         originate from a certificate authority (CA), an organization that claims 
                     24:         responsibility for any digital signature it creates. CAs act as gatekeepers 
                     25:         by allowing only people whom the organization trusts to create digital 
                     26:         signatures. Large CAs like Verisign, whose certificates come preinstalled 
                     27:         in many web browsers, enforce validity through large fees. For example, 
                     28:         if you can afford $600, then you are an organization with whom the CA 
                     29:         would be glad to associate. That $600 then also buys your application 
                     30:         respectability with users' web browsers. You can see the CAs that come 
                     31:         with the Mozilla browser by going to Privacy &amp; Security &gt; Certificates 
                     32:         in your preferences panel and then selecting the Manage Certificates 
                     33:         option. Of the different types of CA certificate (there's a type for SSL connections, 
                     34:         for example, and another one for S/MIME), the Netscape Object Signing certificate 
                     35:         is what matters for signed applications. </font></p>
                     36:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Fortunately, 
                     37:         to get your remote applications signed by a CA, you don't have to pay 
                     38:         for a Verisign Netscape Object Signing certificate because other options are available. 
                     39:         You can use the MozDev CA, for example, or even create your own. The 
                     40:         next section tells you how to use Mozilla tools to become your own certificate 
                     41:         authority so you can sign your own applications and those of other Mozilla 
                     42:         developers. The "<a href="#77088">Creating Signed Remote Applications</a>" 
                     43:         section later in this chapter uses the MozDev CA to discuss both avenues. 
                     44:         </font></p>
                     45:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a name="77080"></a> 
                     46:         <b>Mozilla Network Security Services (NSS)</b></font></p>
                     47:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The Mozilla 
                     48:         Network Security Services tools, which are described in detail at <i><a href="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</a></i>, 
                     49:         allow you to become your own Netscape Object Signing CA and, in that role, 
                     50:         to distribute signing certificates to Mozilla 
                     51:         application developers. You can obtain the tools via a simplified distribution 
                     52:         of NSS for Windows and Linux at <i><a href="http://certs.mozdev.org/">http://certs.mozdev.org</a></i>. 
                     53:         These tools allow you to become a CA and to package signed remote Mozilla 
                     54:         applications. The certutil commands shown in this section work the same way on 
                     55:         Windows, Linux, and any other OS on which you run certutil.</font></p>
1.4       eric       56:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">First, create a 
                     57:         certificate and key database for the CA. The -N option creates the database 
                         files in the directory named with -d (here a directory called CA, which must 
                         already exist) and prompts for a password that protects the private keys stored in it:</font></p>
1.5       eric       58:       <pre>C:\NSS\bin&gt;certutil -N -d CA</pre>
                     59:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Keep the CA's database 
                         separate from the database that holds developers' signing keys. This section uses a 
                         second database, JAR, for the developer side; create it the same way, with the 
                         directory JAR in place of CA.</font></p>
1.4       eric       60:       <p><i>Example 12-9: Creating a root certificate</i></p>
                         <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The -S option generates a key pair and a 
                         certificate and adds the certificate to the database. -s gives the subject name, -n the nickname used 
                         to refer to the certificate later, -t ",,C" the trust flags (trusted as an object-signing CA), 
                         -v 96 the validity in months, and -x makes the certificate self-signed. The -1, -2 and -5 options 
                         prompt for the key usage, basic constraints and Netscape certificate type extensions; for a root 
                         CA, choose Cert signing key, answer that it is a CA certificate, and choose Object Signing CA:</font></p>
1.3       eric       61:       <pre>C:\NSS\bin>certutil -d CA -S -s "CN=mozdev.org root CA, O=mozdev.org" -n "mozdev.org" -t ",,C" -v 96 -x -1 -2 -5
1.2       eric       62: 
                     63: A random seed must be generated that will be used in the
                     64: creation of your key.  One of the easiest ways to create a
                     65: random seed is to use the timing of keystrokes on a keyboard.
                     66: 
                     67: To begin, type keys on the keyboard until this progress meter
                     68: is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
                     69: 
                     70: 
                     71: Continue typing until the progress meter is full:
                     72: 
                     73: |************************************************************|
                     74: 
                     75: Finished.  Press enter to continue:
                     76: 
                     77: Enter Password or Pin for "NSS Certificate DB":
                     78: 
                     79: 
                     80: Generating key.  This may take a few moments...
                     81: 
                     82:                           0 - Digital Signature
                     83:                           1 - Non-repudiation
                     84:                           2 - Key encipherment
                     85:                           3 - Data encipherment
                     86:                           4 - Key agreement
                     87:                           5 - Cert signing key
                     88:                           6 - CRL signing key
                     89:                           Other to finish
                     90: 5
                     91:                           0 - Digital Signature
                     92:                           1 - Non-repudiation
                     93:                           2 - Key encipherment
                     94:                           3 - Data encipherment
                     95:                           4 - Key agreement
                     96:                           5 - Cert signing key
                     97:                           6 - CRL signing key
                     98:                           Other to finish
                     99: 9
                    100: Is this a critical extension [y/n]?
                    101: y
                    102: Is this a CA certificate [y/n]?
                    103: y
                    104: Enter the path length constraint, enter to skip [<0 for unlimited path]:
                    105: 3
                    106: Is this a critical extension [y/n]?
                    107: y
                    108:                           0 - SSL Client
                    109:                           1 - SSL Server
                    110:                           2 - S/MIME
                    111:                           3 - Object Signing
                    112:                           4 - Reserved for futuer use
                    113:                           5 - SSL CA
                    114:                           6 - S/MIME CA
                    115:                           7 - Object Signing CA
                    116:                           Other to finish
                    117: 7
                    118:                           0 - SSL Client
                    119:                           1 - SSL Server
                    120:                           2 - S/MIME
                    121:                           3 - Object Signing
                    122:                           4 - Reserved for futuer use
                    123:                           5 - SSL CA
                    124:                           6 - S/MIME CA
                    125:                           7 - Object Signing CA
                    126:                           Other to finish
                    127: 9
                    128: Is this a critical extension [y/n]?
1.3       eric      129: y</pre>
1.4       eric      130:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Listing the database 
                         confirms that the root certificate is present. The right-hand column holds the trust 
                         flags for SSL, email and object signing, in that order: u means the database holds the 
                         private key for this certificate, and C means it is trusted as a CA for that purpose:</font></p>
                    131:       <pre>C:\NSS\bin&gt;certutil -d CA -L
                    132: mozdev.org                                                   u,u,Cu</pre>
                    133:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Export the root 
                         certificate in ASCII (base64) form (-a) so that it can be handed to developers and 
                         imported into their databases:</font></p>
                    135:       <pre>C:\NSS\bin&gt;certutil -L -d CA -n &quot;mozdev.org&quot; -a -o CA/mozdev.cacert</pre>
                    136:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The pp tool 
                         pretty-prints the exported certificate. Check that the extensions came out as intended: 
                         a certificate type of Object Signing CA, basic constraints marking it as a CA with a 
                         path length of 3, and a key usage whose encoded value 03:02:02:04 is a DER bit string 
                         with only the certificate-signing bit set:</font></p>
                    138:       <pre>C:\NSS\bin&gt;pp -t certificate -a -i  CA/mozdev.cacert
                    139: Certificate:
                    140:     Data:
                    141:         Version: 3 (0x2)
                    142:         Serial Number: 1545620512 (0x5c204c20)
                    143:         Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    144:         Issuer: CN=mozdev.org root CA, O=mozdev.org
                    145:         Validity:
                    146:             Not Before: Tue Oct 15 00:53:31 2002
                    147:             Not After: Sat Jan 15 00:53:31 2011
                    148:         Subject: CN=mozdev.org root CA, O=mozdev.org
                    149:         Subject Public Key Info:
                    150:             Public Key Algorithm: PKCS #1 RSA Encryption
                    151:             RSA Public Key:
                    152:                 Modulus:
                    153:                     00:d1:d8:77:66:79:96:e9:30:e6:89:15:7b:d0:bd:
                    154:                     c7:97:5e:ba:52:68:f1:cc:7d:38:b6:f3:49:a3:35:
                    155:                     a8:8b:25:e8:74:db:0b:1e:a8:98:9d:8c:d3:ec:c3:
                    156:                     54:19:db:e9:f3:4a:c3:f4:e2:76:54:3d:bd:4d:ae:
                    157:                     9b:54:f1:02:21:82:8f:54:40:69:f8:16:46:59:12:
                    158:                     2e:e7:2f:19:09:8c:e7:19:4a:e3:10:6e:9c:94:07:
                    159:                     70:9f:d6:26:2b:ae:c8:81:ff:d7:94:d4:10:63:10:
                    160:                     de:f5:89:4f:6c:43:50:ad:85:22:82:af:22:f9:20:
                    161:                     1c:4b:66:81:bb:ed:45:3e:07
                    162:                 Exponent: 65537 (0x10001)
                    163:         Signed Extensions:
                    164:             Name:
                    165:                 Certificate Type
                    166:             Critical:
                    167:                 True
                    168:             Data: <ObjectSigning CA>
                    169: 
                    170:             Name:
                    171:                 Certificate Basic Constraints
                    172:             Critical:
                    173:                 True
                    174:             Data: Is a CA with a maximum path length of 3.
                    175: 
                    176:             Name:
                    177:                 Certificate Key Usage
                    178:             Critical:
                    179:                 True
                    180:             Data:
                    181:                 03:02:02:04
                    182: 
                    183:     Fingerprint (MD5):
                    184:         D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
                    185:     Fingerprint (SHA1):
                    186:         DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
                    187: 
                    188:     Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    189:     Signature:
                    190:         7b:7b:76:34:b5:4b:7f:f2:81:81:49:76:4f:43:a4:3f:1e:ef:
                    191:         72:5d:64:7e:5f:74:7a:68:dc:26:e3:c3:fc:60:3e:dd:62:0f:
                    192:         9a:c1:74:8f:0f:19:52:00:70:f3:2b:e5:7a:50:23:7f:1a:16:
                    193:         69:bb:31:a8:14:c2:c0:12:6f:a8:26:dc:87:66:c3:71:d0:e5:
                    194:         3f:d8:f4:b8:57:51:2c:ba:b2:51:50:29:4a:94:8f:ae:22:99:
                    195:         6e:8e:ad:97:bf:99:a8:1e:3c:4b:18:78:5e:c3:c5:0b:3a:08:
                    196:         35:81:58:8d:b7:fd:cb:af:8f:e7:b0:89:b1:77:9f:97:d1:4a:
                    197:         03:46
                    198: </pre>
                    199:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Note that the MD5 and SHA1 
                         fingerprints printed above are the hashes of empty input, and the same two values appear 
                         for every certificate in this section, so this build of pp is not deriving them from the 
                         certificate; compare fingerprints with a tool that does before relying on one to identify 
                         the root. Next, the developer imports the root certificate into the JAR database (-A) under 
                         the nickname mozdev.org, with trust flags ",,C" marking it as trusted to issue 
                         object-signing certificates:</font></p>
                    201:       <pre>C:\NSS\bin&gt;certutil -d JAR -A -n &quot;mozdev.org&quot; -t &quot;,,C&quot; -i CA/mozdev.cacert
                    202: Enter Password or Pin for "NSS Certificate DB":</pre>
                    203:       <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Listing the JAR 
                         database shows the imported root with only the C flag, since this database holds no 
                         private key for it:</font></p>
                    205:       <pre>C:\NSS\bin>certutil -L -d JAR
                    206: mozdev.org                                                   ,,C</pre>
                    207:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">The developer now 
                         generates a key pair and a certificate request (-R) in the JAR database. The request is 
                         written in ASCII form to JAR/req.txt with the subject name given by -s; the private key 
                         stays in the JAR database, and the CA never sees it:</font></p>
                    208:       <pre>C:\NSS\bin>certutil -d JAR -R -o JAR/req.txt -a -s "CN=nelsons object signing cert, O=mozdev.org" -v 95
                    209: 
                    210: A random seed must be generated that will be used in the
                    211: creation of your key.  One of the easiest ways to create a
                    212: random seed is to use the timing of keystrokes on a keyboard.
                    213: 
                    214: To begin, type keys on the keyboard until this progress meter
                    215: is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
                    216: 
                    217: 
                    218: Continue typing until the progress meter is full:
                    219: 
                    220: |************************************************************|
                    221: 
                    222: Finished.  Press enter to continue:
                    223: 
                    224: Enter Password or Pin for "NSS Certificate DB":
                    225: 
                    226: 
                    227: Generating key.  This may take a few moments...</pre>
                    228:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">The CA signs the 
                         request with -C, naming its own certificate with -c. The same three extension prompts 
                         appear; this time choose Digital Signature for key usage, answer that this is not a CA 
                         certificate, and choose Object Signing for the certificate type. Because no -v is given, 
                         the certificate gets certutil's default validity of three months, as the Not After date 
                         in the pretty-printed certificate shows:</font></p>
                    229:       <pre>C:\NSS\bin>certutil -d CA -C -c "mozdev.org" -i JAR/req.txt -a -o JAR/cert.txt -1 -2 -5
                    231:                           0 - Digital Signature
                    232:                           1 - Non-repudiation
                    233:                           2 - Key encipherment
                    234:                           3 - Data encipherment
                    235:                           4 - Key agreement
                    236:                           5 - Cert signing key
                    237:                           6 - CRL signing key
                    238:                           Other to finish
                    239: 0
                    240:                           0 - Digital Signature
                    241:                           1 - Non-repudiation
                    242:                           2 - Key encipherment
                    243:                           3 - Data encipherment
                    244:                           4 - Key agreement
                    245:                           5 - Cert signing key
                    246:                           6 - CRL signing key
                    247:                           Other to finish
                    248: 9
                    249: Is this a critical extension [y/n]?
                    250: y
                    251: Is this a CA certificate [y/n]?
                    252: n
                    253: Enter the path length constraint, enter to skip [<0 for unlimited path]:
                    254: -1
                    255: Is this a critical extension [y/n]?
                    256: y
                    257:                           0 - SSL Client
                    258:                           1 - SSL Server
                    259:                           2 - S/MIME
                    260:                           3 - Object Signing
                    261:                           4 - Reserved for futuer use
                    262:                           5 - SSL CA
                    263:                           6 - S/MIME CA
                    264:                           7 - Object Signing CA
                    265:                           Other to finish
                    266: 3
                    267:                           0 - SSL Client
                    268:                           1 - SSL Server
                    269:                           2 - S/MIME
                    270:                           3 - Object Signing
                    271:                           4 - Reserved for futuer use
                    272:                           5 - SSL CA
                    273:                           6 - S/MIME CA
                    274:                           7 - Object Signing CA
                    275:                           Other to finish
                    276: 9
                    277: Is this a critical extension [y/n]?
                    278: y
                    279: Enter Password or Pin for "NSS Certificate DB":</pre>
                    280:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Pretty-print the 
                         issued certificate to confirm it is what was requested: issued by the mozdev.org root 
                         CA, not itself a CA, of type Object Signing, and with a key usage of 03:02:07:80, a bit 
                         string with only the digital-signature bit set:</font></p>
                    281:       <pre>C:\NSS\bin>pp -t certificate -a -i JAR/cert.txt
                    282: Certificate:
                    283:     Data:
                    284:         Version: 3 (0x2)
                    285:         Serial Number: 1272441488 (0x4bd7ea90)
                    286:         Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    287:         Issuer: CN=mozdev.org root CA, O=mozdev.org
                    288:         Validity:
                    289:             Not Before: Tue Oct 15 01:40:09 2002
                    290:             Not After: Wed Jan 15 01:40:09 2003
                    291:         Subject: CN=nelsons object signing cert, O=mozdev.org
                    292:         Subject Public Key Info:
                    293:             Public Key Algorithm: PKCS #1 RSA Encryption
                    294:             RSA Public Key:
                    295:                 Modulus:
                    296:                     00:b2:98:55:fb:2a:08:60:06:8c:af:68:bf:c8:a2:
                    297:                     d7:7e:80:f3:11:fe:6d:3c:9c:50:20:d2:ad:84:7d:
                    298:                     c7:3e:ed:77:08:db:f6:82:ea:bf:98:7a:a1:00:24:
                    299:                     21:f9:3d:00:1e:5f:2d:52:31:d7:92:4b:1b:b3:c4:
                    300:                     a4:b6:65:34:64:82:ee:c1:f7:56:bc:1f:0c:fd:57:
                    301:                     0f:c8:a7:d7:63:47:7e:9e:e8:8b:9d:7f:f0:c1:79:
                    302:                     cf:d1:27:99:7c:23:16:7e:ed:fc:61:30:52:8f:b7:
                    303:                     07:49:4c:b3:ef:df:ce:d9:19:7f:7a:f1:3b:f9:82:
                    304:                     4c:e9:6c:be:47:27:c0:57:d1
                    305:                 Exponent: 65537 (0x10001)
                    306:         Signed Extensions:
                    307:             Name:
                    308:                 Certificate Type
                    309:             Critical:
                    310:                 True
                    311:             Data: &lt;Object Signing&gt;
                    312: 
                    313:             Name:
                    314:                 Certificate Basic Constraints
                    315:             Critical:
                    316:                 True
                    317:             Data: Is not a CA.
                    318: 
                    319:             Name:
                    320:                 Certificate Key Usage
                    321:             Critical:
                    322:                 True
                    323:             Data:
                    324:                 03:02:07:80
                    325: 
                    326:     Fingerprint (MD5):
                    327:         D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
                    328:     Fingerprint (SHA1):
                    329:         DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
                    330: 
                    331:     Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    332:     Signature:
                    333:         0d:fb:97:05:5b:de:71:83:8e:6d:6e:31:ac:82:44:3f:99:24:
                    334:         95:5e:03:dc:a4:9c:28:76:d6:64:37:2a:77:7e:6c:a4:25:62:
                    335:         41:79:53:50:c4:3a:96:c3:9e:0e:c8:62:6d:3a:fe:9f:69:ee:
                    336:         d6:8e:7d:a8:a8:e8:e6:14:95:af:57:1c:ef:22:c6:17:19:1e:
                    337:         2f:6a:ca:c8:d9:71:d2:9a:fb:ca:fd:d4:d1:5c:c0:f1:59:04:
                    338:         a7:f2:49:4a:0a:83:eb:ea:8a:c4:67:3a:ac:ce:8d:31:17:d3:
                    339:         61:eb:a5:03:33:5f:bf:82:7c:e6:a5:f1:61:b4:2e:fc:b8:09:
                    340:         e4:8d</pre>
                    341:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">The developer 
                         imports the issued certificate into the JAR database under the nickname "object 
                         signer", where it is paired with the private key generated at the request step. The 
                         trust flags "u,u,u" record it as a user certificate for each purpose:</font></p>
                    342:       <pre>C:\NSS\bin>certutil -d JAR -A -n "object signer" -i JAR/cert.txt -a -t "u,u,u"
                    343: Enter Password or Pin for "NSS Certificate DB":</pre>
                    344:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Listing the 
                         certificate by nickname prints it in full along with the trust flags recorded in the 
                         JAR database:</font></p>
                    345:       <pre>C:\NSS\bin>certutil -L -d JAR -n "object signer"
                    346: Certificate:
                    347:     Data:
                    348:         Version: 3 (0x2)
                    349:         Serial Number: 1272441488 (0x4bd7ea90)
                    350:         Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    351:         Issuer: CN=mozdev.org root CA, O=mozdev.org
                    352:         Validity:
                    353:             Not Before: Tue Oct 15 01:40:09 2002
                    354:             Not After: Wed Jan 15 01:40:09 2003
                    355:         Subject: CN=nelsons object signing cert, O=mozdev.org
                    356:         Subject Public Key Info:
                    357:             Public Key Algorithm: PKCS #1 RSA Encryption
                    358:             RSA Public Key:
                    359:                 Modulus:
                    360:                     00:b2:98:55:fb:2a:08:60:06:8c:af:68:bf:c8:a2:
                    361:                     d7:7e:80:f3:11:fe:6d:3c:9c:50:20:d2:ad:84:7d:
                    362:                     c7:3e:ed:77:08:db:f6:82:ea:bf:98:7a:a1:00:24:
                    363:                     21:f9:3d:00:1e:5f:2d:52:31:d7:92:4b:1b:b3:c4:
                    364:                     a4:b6:65:34:64:82:ee:c1:f7:56:bc:1f:0c:fd:57:
                    365:                     0f:c8:a7:d7:63:47:7e:9e:e8:8b:9d:7f:f0:c1:79:
                    366:                     cf:d1:27:99:7c:23:16:7e:ed:fc:61:30:52:8f:b7:
                    367:                     07:49:4c:b3:ef:df:ce:d9:19:7f:7a:f1:3b:f9:82:
                    368:                     4c:e9:6c:be:47:27:c0:57:d1
                    369:                 Exponent: 65537 (0x10001)
                    370:         Signed Extensions:
                    371:             Name:
                    372:                 Certificate Type
                    373:             Critical:
                    374:                 True
                    375:             Data: &lt;Object Signing&gt;
                    376: 
                    377:             Name:
                    378:                 Certificate Basic Constraints
                    379:             Critical:
                    380:                 True
                    381:             Data: Is not a CA.
                    382: 
                    383:             Name:
                    384:                 Certificate Key Usage
                    385:             Critical:
                    386:                 True
                    387:             Data:
                    388:                 03:02:07:80
                    389: 
                    390:     Fingerprint (MD5):
                    391:         D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E
                    392:     Fingerprint (SHA1):
                    393:         DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
                    394: 
                    395:     Signature Algorithm: PKCS #1 MD5 With RSA Encryption
                    396:     Signature:
                    397:         0d:fb:97:05:5b:de:71:83:8e:6d:6e:31:ac:82:44:3f:99:24:
                    398:         95:5e:03:dc:a4:9c:28:76:d6:64:37:2a:77:7e:6c:a4:25:62:
                    399:         41:79:53:50:c4:3a:96:c3:9e:0e:c8:62:6d:3a:fe:9f:69:ee:
                    400:         d6:8e:7d:a8:a8:e8:e6:14:95:af:57:1c:ef:22:c6:17:19:1e:
                    401:         2f:6a:ca:c8:d9:71:d2:9a:fb:ca:fd:d4:d1:5c:c0:f1:59:04:
                    402:         a7:f2:49:4a:0a:83:eb:ea:8a:c4:67:3a:ac:ce:8d:31:17:d3:
                    403:         61:eb:a5:03:33:5f:bf:82:7c:e6:a5:f1:61:b4:2e:fc:b8:09:
                    404:         e4:8d
                    405:     Certificate Trust Flags:
                    406:         SSL Flags:
                    407:             User
                    408:         Email Flags:
                    409:             User
                    410:         Object Signing Flags:
                    411:             User</pre>
                    412:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">With the 
                         certificate and its private key in the JAR database, signtool can sign the 
                         application: -k names the signing certificate, -p supplies the database password, 
                         -Z names the signed JAR to create, and the last argument is the directory whose 
                         contents are packaged and signed. A password given with -p is visible to anyone 
                         who can read the process list or the shell history, so on a shared machine leave 
                         it out and let signtool prompt for it:</font></p>
1.5       eric      413:       <pre>C:\NSS\bin&gt;signtool -d JAR -k&quot;object signer&quot; -p&quot;password_of_database&quot; -Z&quot;myapp.jar&quot; myappfiles/</pre>
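<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">As an added example (not part of this chapter and not NSS code), the Python script below parses pp certificate dumps like the two shown above, decodes the Key Usage bit strings (03:02:02:04 and 03:02:07:80) into the labels certutil's key-usage menu uses, and checks that the root and the issued certificate fit together as an object-signing CA and leaf. The dumps embedded in it are constructed excerpts of the ones printed in this section.</font></p>

```python
"""Checks on NSS 'pp -t certificate' dumps for a root CA and the object-signing
certificate it issued (added example; the sample dumps are constructed excerpts)."""

# keyUsage bits in DER bit order, labelled the way certutil's -1 menu names them.
KEY_USAGE_BITS = ["Digital Signature", "Non-repudiation", "Key encipherment",
                  "Data encipherment", "Key agreement", "Cert signing key",
                  "CRL signing key", "Encipher only", "Decipher only"]


def decode_key_usage(der_hex):
    """Decode a Key Usage value as pp prints it, e.g. '03:02:02:04': BIT STRING
    tag 0x03, length, number of unused trailing bits, then the bit bytes."""
    raw = bytes.fromhex(der_hex.replace(":", ""))
    if len(raw) < 3 or raw[0] != 0x03 or raw[1] != len(raw) - 2:
        raise ValueError("not a DER BIT STRING: " + der_hex)
    bits = "".join(format(b, "08b") for b in raw[3:])
    bits = bits[:len(bits) - raw[2]]          # drop the unused padding bits
    return [name for name, b in zip(KEY_USAGE_BITS, bits) if b == "1"]


def parse_pp(dump):
    """Pull serial, issuer, subject and the extension values out of a pp dump."""
    lines = [ln.strip() for ln in dump.splitlines()]
    cert, i = {"extensions": {}}, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("Serial Number:"):
            cert["serial"] = int(ln.split(":", 1)[1].split()[0])
        elif ln.startswith("Issuer:"):
            cert["issuer"] = ln.split(":", 1)[1].strip()
        elif ln.startswith("Subject:"):
            cert["subject"] = ln.split(":", 1)[1].strip()
        elif ln == "Name:":               # extension block: Name, Critical, Data
            name, j = lines[i + 1], i + 2
            while not lines[j].startswith("Data:"):
                j += 1
            # pp puts the Key Usage bytes on the line after "Data:"
            cert["extensions"][name] = lines[j][5:].strip() or lines[j + 1]
            i = j
        i += 1
    return cert


def check_pair(ca_dump, leaf_dump):
    """Return the problems found; an empty list means the pair is consistent."""
    ca, leaf = parse_pp(ca_dump), parse_pp(leaf_dump)
    ca_ext, leaf_ext, problems = ca["extensions"], leaf["extensions"], []
    if not ca_ext["Certificate Basic Constraints"].startswith("Is a CA"):
        problems.append("root lacks CA basic constraints")
    if "Cert signing key" not in decode_key_usage(ca_ext["Certificate Key Usage"]):
        problems.append("root key usage does not permit certificate signing")
    if leaf["issuer"] != ca["subject"]:
        problems.append("leaf issuer does not match the CA subject")
    if leaf_ext["Certificate Basic Constraints"] != "Is not a CA.":
        problems.append("leaf is marked as a CA")
    if leaf_ext["Certificate Type"] != "<Object Signing>":
        problems.append("leaf type is not Object Signing")
    if "Digital Signature" not in decode_key_usage(leaf_ext["Certificate Key Usage"]):
        problems.append("leaf key usage does not permit digital signatures")
    if (leaf["issuer"], leaf["serial"]) == (ca["issuer"], ca["serial"]):
        problems.append("serial number reused under the same issuer name")
    return problems


# Constructed excerpts of the two pp dumps shown in this section.
CA_DUMP = """\
        Serial Number: 1545620512 (0x5c204c20)
        Issuer: CN=mozdev.org root CA, O=mozdev.org
        Subject: CN=mozdev.org root CA, O=mozdev.org
            Name:
                Certificate Type
            Critical:
                True
            Data: <ObjectSigning CA>
            Name:
                Certificate Basic Constraints
            Data: Is a CA with a maximum path length of 3.
            Name:
                Certificate Key Usage
            Data:
                03:02:02:04
"""
LEAF_DUMP = """\
        Serial Number: 1272441488 (0x4bd7ea90)
        Issuer: CN=mozdev.org root CA, O=mozdev.org
        Subject: CN=nelsons object signing cert, O=mozdev.org
            Name:
                Certificate Type
            Data: <Object Signing>
            Name:
                Certificate Basic Constraints
            Data: Is not a CA.
            Name:
                Certificate Key Usage
            Data:
                03:02:07:80
"""
```

Calling check_pair(CA_DUMP, LEAF_DUMP) returns an empty list for the pair shown in this section; feed it the full pp output of your own root and leaf to catch a CA signed without the certificate-signing usage or a leaf accidentally issued as a CA.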
1.1       eric      414:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="3"><a name="77088"></a><b>Creating 
                    415:         Signed Remote Applications</b></font></p>
                    417:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Security 
                    418:         in Mozilla's web browser is designed to meet today's advanced scripting 
                    419:         needs in a secure manner. Mozilla is a much more secure browser than past 
                    420:         Netscape 4.x and Internet Explorer releases because it has a better sense 
                    421:         of what remote scripts can and cannot do.</font></p>
                    422:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Because of 
                    423:         Mozilla's approach toward potentially insecure applications, if you decide 
                    424:         to serve up your own application remotely, remember that you will not 
                    425:         have automatic access to the chrome in the way you do when you have a 
                    426:         registered, locally installed Mozilla application. Unless you sign your 
                    427:         application or have the user turn on a special preference (see <a href="#77070">"Setting 
                    428:         Up XPFE for Remote Applications</a>"), services like XPConnect will not 
                    429:         be available. </font></p>
                    430:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">In Mozilla, 
                    431:         you can bundle any number of files into a JAR archive (which, you'll recall 
                    432:         from <a href="http://books.mozdev.org/chapters/ch06.html#77063">Chapter 
                    433:         6</a>, is just a zip file with a JAR suffix) and designate the archive 
                    434:         as an object that can be signed. This designation makes it very easy to 
                    435:         produce an entire signed and secure remote Mozilla application because 
                    436:         it stores your application in a single file type that Mozilla already 
                    437:         treats as a separate package.</font></p>
1.4       eric      438:       <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">This section 
1.1       eric      439:         provides an overview of the signed script technology and shows you how 
                    440:         to create signed applications that live on the server but take full advantage 
1.4       eric      441:         of the user's local chrome, including Mozilla components.</font> </p>
1.6     ! eric      442:       <p>Since you're telling readers how to be a CA, there are lots of important 
        !                      things about being a reasonably good CA that should be explained. Here 
        !                      are a few:</p>
      <p>1. A good CA will NEVER issue two certs with the same serial number and
        issuer name. Put another way, a good CA will NEVER issue a cert with a
        serial number that has been previously put into another of that CA's
        certs.</p>
      <p>To do that properly, the CA really should control the serial numbers in
        the certs, rather than letting certutil generate the serial number
        automatically. That is done with the -m option. E.g. to make a cert be
        serial number 1,000,001, you'd add &quot;-m 1000001&quot; (without the quotes) to
        the certutil -S or certutil -C command line.</p>
      <p>Most people who want to be a CA decide at some point to start over and
        reissue all certs, starting with their root CA cert, and they start
        their serial numbers over too. Most of them make the root CA be
        serial number zero or 1, and when they remake the cert, they use that
        same serial number over again. That is a BIG mistake.</p>
      <p>Another common mistake is this. A person reformats his hard drive, or
        buys a new drive when the old one crashed. So he starts his CA over
        from scratch and starts with serial number 1 or 0 again.</p>
      <p>I suggest starting your serial numbers with, say, 10,000 at first, and
        then, if you ever need to start over for some reason, start with 20,000
        the second time, 30,000 the third time, and so on. Keep written records
        of the serial numbers, or use a script of some kind that records the
        numbers in a file.</p>
      <p>2. A good CA will not issue a cert with the same subject name as the subject
        name in an existing one of his CA certs. The CN= value should be different
        in each one. The only exception is when reissuing a CA cert because the old
        one expired. Then the new cert can have the same name as the old one,
        provided that the two certs' validity periods do not overlap, or that the
        two certs' public keys are the same.</p>
      <p>3. A good CA will attempt to ensure that the person to whom the cert is
        being issued is the person named in the cert itself. This is really the
        chief value of a CA. Without the assurance that the CA has verified the
        cert owner's identity, the user who downloads some signed code doesn't
        really know who it came from.</p>
      <p>When a user downloads your root CA cert and trusts it, he's really
        trusting you equally with Verisign, Thawte, and the other commercial CAs.
        He's trusting that you will never issue, say, a cert that claims to
        have come from Netscape or Microsoft but didn't really. A CA that issues
        dishonest certs is a &quot;rogue CA&quot;. A user who trusts even one rogue CA
        has lost most of the security that he would otherwise get from encryption,
        because he never knows if he's really communicating with (and downloading
        a program from) the party named in the cert, or some attacker who is
        masquerading as the named party with help from the rogue CA.</p>
      <p>This is why it is VERY bad practice to download and trust CA certs from
        relatively unknown CAs, whose trustworthiness is also relatively unknown.</p>
      <p>The security of https, SSL, Secure MIME email, etc. is based on trust in
        a relatively small number of CAs. If end users widely begin to practice
        downloading and trusting CA certs from unknown entities, just so they can
        run some new java or javascript application, then rogue CAs will flourish
        and people's trust in https, SSL, Secure email, etc. will diminish,
        killing e-commerce.</p>
      <p>So, you see, being a CA is about a lot more than collecting a few hundred
        bucks for a cert. It's about developing and keeping the public's trust.
        It's about doing the work to verify the identity of the people to whom
        you issue certs, and never issuing rogue certs.</p>
      <p>4. A good CA will put (or require) something in the subject name of each
        cert he issues that identifies the cert as coming from his CA, so that it
        cannot be easily mistaken for a cert from another CA. Likewise, a good
        CA will not issue certs that look like they could have come from another
        CA.</p>
      <p>In your case, simply making sure that each cert's subject name contains
        O=mozdev.org is enough, I think.</p>
      <p>5. As I mentioned in an earlier email (I think), a good CA doesn't issue
        certs that expire later than the expiration date of the CA's own cert.
        So, if the CA's own cert was made with -v 96, then for the first month,
        any certs issued by that CA should be made with -v 95, and in the
        second month any certs should be issued with -v 94, and so on.</p>
      <p>6. A cert must be valid on the date that it is used to create a signature.
        However, with Netscape/Mozilla programs, the signature does not become
        invalid when the signer's cert expires. When verifying a signature, the
        question is &quot;was the signer's cert (and the signer's issuer's cert) valid
        when the signature was created?&quot;, not &quot;are those certs valid
        now?&quot;.</p>
      <p>7. A good CA has a way of revoking certs when needed. A good CA maintains
        a document called a &quot;Certificate Revocation List&quot; or CRL, that lists the
        serial numbers of the certs he has revoked. A good CA makes that CRL
        available for download from his web site or another CRL server specifically
        designated. A good CA puts extensions in all his certificates that tell
        any user where/how to get the latest CRL from that CA. However, this is
        presently beyond the capability of the certutil program.</p>
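      <p>The serial-number, subject-name and validity rules in items 1, 4 and 5
        above can be enforced mechanically rather than remembered. The shell
        wrapper below around NSS certutil is an added example; it is not code from
        the original page, from the author of the note above, or from the mozdev
        project. Everything it names is an assumption for illustration: an NSS
        database in ./cadb, a CA cert nicknamed mozdev-ca created with -v 96 in
        January 2002, a counter file serial.txt, and O=mozdev.org as the required
        organisation. It prints the certutil command instead of running it, so it
        can be reviewed (and tested) without an NSS database present.</p>

```shell
#!/bin/sh
# Added example, not code from the original page, its correspondent or the
# mozdev project: a wrapper that applies the CA hygiene rules above (items 1,
# 4 and 5) when issuing certs with NSS certutil. All names below are assumed:
# an NSS database in $CA_DB, a CA cert nicknamed $CA_NICK that was created
# with "-v $CA_MONTHS" in $CA_YEAR/$CA_MONTH, and a counter file $SERIAL_FILE
# holding the last serial number handed out.
CA_DB=${CA_DB:-./cadb}
CA_NICK=${CA_NICK:-mozdev-ca}
CA_MONTHS=${CA_MONTHS:-96}
CA_YEAR=${CA_YEAR:-2002}
CA_MONTH=${CA_MONTH:-1}
SERIAL_FILE=${SERIAL_FILE:-./serial.txt}
REQUIRED_O=${REQUIRED_O:-O=mozdev.org}

# Item 1: never reuse a serial number. The counter file records the last
# serial issued; if it does not exist yet, numbering starts at 10000 so that a
# later restart of the CA can begin at 20000 without colliding with old certs.
next_serial() {
    counter=$1
    if [ -f "$counter" ]; then
        last=$(cat "$counter")
    else
        last=9999
    fi
    next=$((last + 1))
    printf '%s\n' "$next" > "$counter"
    echo "$next"
}

# Item 4: the subject must carry our O= so the cert cannot pass for one issued
# by another CA. Subjects are in certutil's comma-separated "CN=...,O=..." form.
subject_ok() {
    case ",$1," in
        *",$REQUIRED_O,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Item 5: an issued cert must not outlive the CA cert. certutil's -v counts
# months from now, so subtract the months elapsed since the CA cert was made,
# plus one more so the issued cert ends before the CA's does. Prints 0 once
# nothing can be issued any more.
remaining_months() {
    now_year=$1; now_month=$2
    elapsed=$(( (now_year - CA_YEAR) * 12 + (now_month - CA_MONTH) ))
    rem=$(( CA_MONTHS - elapsed - 1 ))
    if [ "$rem" -lt 0 ]; then rem=0; fi
    echo "$rem"
}

# Prints (does not run) the certutil command line that issues a cert obeying
# the rules above, and appends an audit line to $SERIAL_FILE.log so there is a
# written record beyond the bare counter. Pipe the output to sh to execute it.
issue_cmd() {
    nick=$1; subject=$2; now_year=$3; now_month=$4
    if ! subject_ok "$subject"; then
        echo "refusing: subject '$subject' lacks $REQUIRED_O" >&2
        return 1
    fi
    months=$(remaining_months "$now_year" "$now_month")
    if [ "$months" -le 0 ]; then
        echo "refusing: the CA cert has no validity left to hand out" >&2
        return 1
    fi
    serial=$(next_serial "$SERIAL_FILE")
    printf '%s %s %s %s-%s\n' "$serial" "$nick" "$subject" "$now_year" "$now_month" >> "$SERIAL_FILE.log"
    echo "certutil -S -d $CA_DB -c $CA_NICK -n $nick -s '$subject' -t ',,' -m $serial -v $months"
}
```

      <p>Source the file and run, for example, <code>issue_cmd alice 'CN=Alice,O=mozdev.org' 2002 3 | sh</code>
        to actually create the cert (certutil -S will prompt for keystroke noise
        unless you add -z with a noise file). The counter file is the written
        record of serial numbers that item 1 asks for; back it up together with
        the NSS database, because losing it is exactly the "start over at serial 1"
        failure described there, and restart the counter at 20000 rather than
        at 1 if it is ever lost.</p>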
    </td>
  </tr>
</table>
</body>
</html>
