File:  [mozdev] / certs / www / cadraft.html
Revision 1.3: download - view: text, annotated - select for diffs - revision graph
Tue Oct 15 00:58:41 2002 UTC (17 years, 1 month ago) by eric
Branches: MAIN
CVS tags: HEAD
no message

<html>
<head>
<title>cadraft</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table width="600" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td valign="top"> 
      <p><font face="Verdana, Arial, Helvetica, sans-serif"><a name="77079"></a><b>Certificate 
        Authorities and Digital Signatures</b></font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Instead of 
        changing the Universal XPConnect privileges (see "<a href="#77070">Setting 
        Up XPFE for Remote Applications</a>" earlier in this chapter), you could 
        create signed remote applications that can be granted access to users' 
        computers. A signed application means that the application has a digital 
        signature, which verifies that a file or group of files was created by 
        the person or organization from which you download and that they are trustworthy. 
        In essence, if you trust the person or organization signing the files, 
        then you trust the files themselves.</font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Digital signatures 
        originate from a certificate authority (CA), an organization that claims 
        responsibility for any digital signature it creates. CAs act as gatekeepers 
        by allowing only people who the organization trusts to create digital 
        signatures. Large CAs like Verisign, whose certificates come preinstalled 
        in many web browsers, enforce validity through large fees. For example, 
        if you can afford $600, then you are an organization with whom the CA 
        would be glad to associate. That $600 then also buys your application 
        respectability with user's web browsers. You can see the CAs that come 
        with the Mozilla browser by going to Privacy &amp; Security &gt; Certificates 
        in your preferences panel and then by selecting the Manage Certificates 
        option. Of the different types of CAs-there's a type for SSL connections, 
        for example, and another one for S/MIME-the Netscape Object Signing certificate 
        is what matters for signed applications. </font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Fortunately, 
        to get your remote applications signed by a CA, you don't have to pay 
        for a Verisign Netscape Object Signing CA because other options are available. 
        You can use the MozDev CA, for example, and even create your own. The 
        next section tells you how use Mozilla tools to become your own certificate 
        authority so you can sign your own applications and those of other Mozilla 
        developers. The <a href="#77088">"Creating Signed Remote Applications</a>" 
        section later in this chapter uses the MozDev CA to discuss both avenues. 
        </font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><a name="77080"></a> 
        <b>Mozilla Network Security Services (NSS)</b></font></p>
      <p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The Mozilla 
        Network Security Services tools, which are described in detail at <i><a href="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</a></i>, 
        allow you to become your own Netscape Object Signing CA. By becoming your 
        own Netscape Signing CA, you can distribute signing certificates to Mozilla 
        application developers. You can obtain the tools via a simplified distribution 
        of NSS for Windows and Linux at <i><a href="http://certs.mozdev.org/">http://certs.mozdev.org</a></i>. 
        These tools allow you to become a CA and to package signed remote Mozilla 
        applications. Finally, the commands for CertUtil work the same way on 
        Windows, Linux, and any other OS on which you run CertUtil.</font></p>
      <pre><font size="2">C:\NSS\bin\certutil -N -d CA</font></pre>
      <font size="2"></font> <i>Example 12-9: <a name="77042"></a></i> <i>Creating 
      a root certificate</i> 
      <pre>C:\NSS\bin>certutil -d CA -S -s "CN=mozdev.org root CA, O=mozdev.org" -n "mozdev.org" -t ",,C" -v 96 -x -1 -2 -5

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:

Enter Password or Pin for "NSS Certificate DB":


Generating key.  This may take a few moments...

                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
5
                          0 - Digital Signature
                          1 - Non-repudiation
                          2 - Key encipherment
                          3 - Data encipherment
                          4 - Key agreement
                          5 - Cert signing key
                          6 - CRL signing key
                          Other to finish
9
Is this a critical extension [y/n]?
y
Is this a CA certificate [y/n]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:
3
Is this a critical extension [y/n]?
y
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
7
                          0 - SSL Client
                          1 - SSL Server
                          2 - S/MIME
                          3 - Object Signing
                          4 - Reserved for futuer use
                          5 - SSL CA
                          6 - S/MIME CA
                          7 - Object Signing CA
                          Other to finish
9
Is this a critical extension [y/n]?
y</pre>
      <font size="2" face="Verdana, Arial, Helvetica, sans-serif">ccxcxcxcx</font><font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -d CA -L</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -L -d CA -n &quot;mozdev.org&quot; -a -o CA/mozdev.cacert</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\pp -t certificate -a -i  CA/mozdev.cacert</font></pre>
      <font size="2"><br>
      </font>
      <pre><font size="2">C:\NSS\bin\certutil -d JAR -A -n &quot;mozdev.org&quot; -t &quot;,,C&quot; -i CA/mozdev.cacert</font></pre>
      <font size="2"></font>
<p>&nbsp;</p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a name="77088"></a><font size="3"><b> 
        C</b></font></font><b><font face="Verdana, Arial, Helvetica, sans-serif" size="3">reating 
        Signed Remote Applications</font></b></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Security 
        in Mozilla's web browser is designed to meet today's advanced scripting 
        needs in a secure manner. Mozilla is a much more secure browser than past 
        Netscape 4.x and Internet Explorer releases because it has a better sense 
        of what remote scripts can and cannot do.</font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">Because of 
        Mozilla's approach toward potentially insecure applications, if you decide 
        to serve up your own application remotely, remember that you will not 
        have automatic access to the chrome in the way you do when you have a 
        registered, locally installed Mozilla application. Unless you sign your 
        application or have the user turn on a special preference (see <a href="#77070">"Setting 
        Up XPFE for Remote Applications</a>"), services like XPConnect will not 
        be available. </font></p>
      <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">In Mozilla, 
        you can bundle any number of files into a JAR archive (which, you'll recall 
        from <a href="http://books.mozdev.org/chapters/ch06.html#77063">Chapter 
        6</a>, is just a zip file with a JAR suffix) and designate the archive 
        as an object that can be signed. This designation makes it very easy to 
        produce an entire signed and secure remote Mozilla application because 
        it stores your application in a single file type that Mozilla already 
        treats as a separate package.</font></p>
      <h1><font face="Verdana, Arial, Helvetica, sans-serif" size="2">This section 
        provides an overview of the signed script technology and shows you how 
        to create signed applications that live on the server but take full advantage 
        of the user's local chrome, including Mozilla components.</font> </h1>
      <p>C:\NSS\bin\certutil -N -d JAR</p>
      <pre>&nbsp;</pre>
    </td>
  </tr>
</table>
</body>
</html>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>