Code Signing Digital IDs for Netscape Object Signing: Realizing the Possibilities of Internet Software Distribution
What is Netscape Object Signing?
When customers buy software in
a store, the source of that software is obvious. Customers can tell
who published the software, and they can see whether the package has
been opened. These factors enable customers to make decisions about
what software to purchase and how much to "trust" those
products.
When customers download software from the Internet,
the most they see is a message warning them about the dangers of
using the software. The Internet lacks the subtle information
provided by packaging, shelf space, shrink wrap, and the like.
Without any assurance of the software's integrity, and without
knowing who published it, customers have no basis for deciding how
far to trust the software, and the decision to download it from the
Internet becomes difficult.
The solution
to these issues is Netscape's Object Signing coupled with Digital
IDs from VeriSign, Netscape's preferred vendor of digital
certificate services. Object Signing, through the use of digital
signatures, enables software developers to include information about
themselves and their code with their programs.
When customers
download software signed with Netscape Object Signing and verified
by VeriSign, they can be assured of:
- Content Source: The software really comes from the
publisher who signed it.
- Content Integrity: The software has not been altered or
corrupted since it was signed.
Users benefit from this
software accountability because they know who published the software
and that the code hasn't been tampered with. In the extreme case
that software performs unacceptable or malicious activity on their
computers, users can also pursue recourse against the publisher.
This accountability and potential recourse serve as a strong
deterrent to the distribution of harmful code.
Developers and
Webmasters benefit from Object Signing because it puts trust in
their name and makes their products harder to falsify. By signing
code, developers build a trusted relationship with users, who then
learn to confidently download signed software from that publisher or
Web site. With Netscape Object Signing, developers can create
exciting Web pages using signed Java applets, plugins, or other
executables. And users can make educated decisions about what
software to download, knowing who published the software and that it
hasn't been tampered with.
Who Needs a Code Signing ID?
Any publisher who plans to
distribute code or content over the Internet or over corporate
extranets risks impersonation and tampering. VeriSign Code Signing
IDs for Netscape Object Signing protect against these
hazards.
VeriSign offers a Class 3 Digital ID designed
for Commercial Software Developers. These are companies and
other organizations that publish software. This class of Digital ID
provides assurance regarding an organization's identity and
legitimacy, much like a business license, and is designed to
represent the level of assurance provided today by retail channels
for software.
What does Object Signing Look Like to Consumers?
Netscape
Communicator and other popular client applications come with
security features which recognize Object Signing. These applications
are often used to obtain other pieces of software from networks,
sometimes without the end user requesting it. For example, when a
user visits a Web page that uses executable files to provide
animation or sound, code is often downloaded to the end user's
machine to achieve the effects. While this may provide substantial
value, users risk downloading viruses or other unwanted
code.
When Communicator encounters a software component that
is trying to gain access to the user's machine, it automatically
checks whether the software carries a recognized digital signature.
If the code is signed with Netscape Object Signing, Communicator
displays a dialog box that informs the user:
- Of the true identity of the publisher
- Of the type of access requested by the software
- That the publisher's identity was verified by VeriSign, which
issued the Digital ID.
The end user can choose to grant or deny the
requested privileges, or to view the certificate used to sign the
code. Communicator provides an estimated level of risk (high, medium
or low) associated with the privileges requested, and the user can
learn more about this risk by clicking "details".
By selecting "Remember this decision," the user saves the decision
against that software publisher's signing certificate, so that
Communicator will recognize the publisher in the future.
When the end-user's Netscape
browser encounters a signed applet or other code with a recognized
signature, the browser automatically allows that code, per the
privileges it has previously been granted, without interrupting the
user.
Users can add, delete or edit the privileges they want
to grant to publishers at any time. Clicking the security icon in
the main Communicator toolbar opens the security settings screen,
where these grants are listed.
Technical Overview (Optional Reading)
What is a Digital ID?
A Digital ID (also known as a digital certificate) is a
form of electronic credentials for the Internet. Similar to a
driver's license, employee ID card, or business license, a Digital
ID is issued by a trusted third party to establish the identity of
the ID holder. The third party who issues certificates is known as a
Certification Authority (CA).
Digital ID technology is based on public key cryptography. In a
public key system, every entity has two complementary keys, a public
key and a private key: what one key does, only the other can undo.
Public keys are widely distributed, while private keys are kept
secret and used only by their owner. Code digitally signed with the
publisher's private key can only be successfully verified using the
complementary public key. Put the other way round, code that
verifies under the publisher's public key (which is sent along with
the digital signature, inside the publisher's certificate) can only
have been signed with the publisher's private key, which
authenticates the source of the code, and cannot have been altered
since it was signed. For more information on public and private
keys, please see Introduction to Public Key Cryptography.
The purpose of a Digital ID is
to reliably link a public/private key pair with its owner. When a CA
such as VeriSign issues Digital IDs, it verifies that the owner is
not claiming a false identity. Just as when a government issues you
a passport it is officially vouching for the fact that you are who
you say you are, when a CA issues you a digital certificate it is
putting its name behind the statement that you are the rightful
owner of your public/private key pair.
A Digital ID is valid only for the period of time specified by
VeriSign; the ID contains its beginning and expiration dates.
VeriSign can also revoke (cancel) any certificate it has issued and
maintains a list of revoked certificates. This list, called a
Certificate Revocation List (CRL), is published by VeriSign so that
anyone can determine the validity of any Digital ID. Note that a
revoked ID still carries a valid VeriSign signature: only a relying
application that actually consults the CRL will reject it.
Certification Authorities
Certification Authorities, such as VeriSign, are organizations that issue digital
certificates to applicants whose identity they are willing to vouch
for. Each certificate is linked to the certificate of the CA that
signed it.
As the Internet's leading Certification Authority,
VeriSign has the following responsibilities:
- Publishing the criteria for granting, revoking, and managing
certificates.
- Granting certificates to applicants who meet the published
criteria.
- Managing certificates (for example, enrolling, renewing, and
revoking them).
- Storing VeriSign's root keys in an exceptionally secure
manner.
- Verifying evidence submitted by applicants.
- Providing tools for enrollment.
- Accepting the liability associated with these
responsibilities.
How does Object Signing work with VeriSign Digital IDs?
Netscape Object Signing relies on industry-standard cryptographic
formats: X.509 v3 certificates, PKCS #7 for the signature and
PKCS #10 for the certificate request. These are well-established
standards, which makes for a robust implementation of code signing.
Object Signing uses digital signature technology to assure users of
the origin and integrity of software. In a digital signature, the
private key generates the signature and the corresponding public key
validates it. For efficiency, the signature is computed over a
cryptographic digest (a one-way hash) of the code rather than over
the code itself; any change to the code changes its digest and
therefore breaks the signature.
The process is outlined below:
- Publisher obtains a Code Signing Digital ID from VeriSign.
- Publisher creates code.
- Using the Netscape Signing Tool, the publisher:
  - Creates a hash of the code, using an algorithm such as MD5 or
  SHA-1. (MD5 and SHA-1 are no longer collision resistant; new
  signatures should use SHA-256 or stronger.)
  - Signs the hash with his or her private key (for RSA this is
  often described as "encrypting" the hash with the private key).
  - Creates a package containing the code, the signed hash, and
  the publisher's certificate.
- The end user's Netscape browser encounters the package.
- The end user's Netscape browser examines the publisher's
Digital ID. Using the VeriSign root public key that is already
embedded in Netscape Communicator, the browser verifies that the
Code Signing Digital ID was signed by the VeriSign root private key
and that it is within its validity period.
- Using the publisher's public key contained in the publisher's
Digital ID, the browser verifies the signature and recovers the hash
the publisher signed.
- The browser runs the code through the same hashing algorithm as
the publisher, creating a new hash.
- The browser compares the two hashes. If they are identical, the
browser reports that the content was signed by the publisher
identified in the Digital ID and that the ID was issued by VeriSign;
the end user has assurance that the code was signed by that
publisher and has not been altered since it was signed. If the
hashes differ, the code has been altered and the user is warned.
The entire process is seamless and transparent to end users, who see
only a message that the content was signed by its publisher, whose
Digital ID was issued by VeriSign.
The Four Steps to Signing Code
These instructions will give
you an overview of getting and using Netscape Object Signing and a
Code Signing ID from VeriSign.
Step 1: Obtain the Netscape Signing Tool
A variety of tools for different platforms and
purposes are available free of charge from Netscape Software.
Step 2: Apply for a VeriSign Code Signing ID for Netscape Object Signing
Go to VeriSign enrollment for instructions on obtaining a
Code Signing ID.
In the process of applying for a Code Signing ID, your browser
generates a private key and stores it in its own key database; this
is the key used for Netscape Object Signing. The private key is
never sent to VeriSign (only the public key travels, in the
certificate request), so if you lose it you will be unable to sign
code and nobody can recover it for you. If the key is lost or
stolen, contact VeriSign immediately to revoke the Digital ID:
anyone holding a stolen key can sign code in your name until the ID
is revoked.
Step 3: Pick up your Digital ID
Once you have completed the application process, VeriSign will take
a number of steps to verify your identity. For commercial
publishers, VeriSign does a considerable amount of background
checking. As a result, it will take approximately 3-5 business days
to verify your information and issue a Digital ID.
At the end of this process, VeriSign will send you an e-mail
containing a PIN (Personal Identification Number). Follow the
instructions in this e-mail to pick up your Digital ID. As part of
the installation process, Netscape will prompt you to download a
.p12 (PKCS #12) file containing the private key and the certificate,
exported from Communicator's key database (key3.db) and certificate
database (cert7.db). This is your backup copy of the private key. It
is protected only by the password you choose when exporting it, so
store it on a floppy disk in a safe deposit box or other secure
location and guard it as carefully as the key itself.
Please note that you must use the same machine and
browser to apply for and obtain your Digital ID. Once you've
completed the installation and backup process, you can use the
private key and Digital ID to sign files on a different
machine.
Step 4: Sign your Files
If you are building a PE file (.exe, .ocx, .dll or other), you need
not do anything special. For cab files, add the following entry to
your .ddf file before creating the cab file:
Set ReservePerCabinetSize=6144
These instructions are for the Netscape Signing Tool version 1.1
(command signtool.exe). Instructions for version 0.60 ("zigbert")
are available from Netscape.
- Create an empty directory.
  % mkdir signdir
- Put some file into it.
  % echo boo > signdir/test.f
- Specify the name of your object-signing certificate and sign
the directory.
  % signtool -k MySignCert -Z testjar.jar signdir
  signtool responds with:
  using key "MySignCert"
  using certificate directory: /u/jsmith/.netscape
  Generating signdir/META-INF/manifest.mf file..
  --> test.f
  adding signdir/test.f to testjar.jar
  Generating signtool.sf file..
  Enter Password or Pin for "Communicator Certificate DB":
- At the prompt, type the password to your private-key database.
If it accepts the password, signtool responds as follows:
  adding signdir/META-INF/manifest.mf to testjar.jar
  adding signdir/META-INF/signtool.sf to testjar.jar
  adding signdir/META-INF/signtool.rsa to testjar.jar
  tree "signdir" signed successfully
- Test your signature.
  % signtool -v testjar.jar
  signtool responds with:
  using certificate directory: /u/jsmith/.netscape
  archive "testjar.jar" has passed crypto verification.
  status: verified   path: test.f
When this file is downloaded from a Web site by
Communicator, it will display your Digital ID to the user. If the
file is tampered with in any way after it has been signed, the user
will be notified and given the option of refusing
installation.
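The signing and verification process described in the Technical Overview, together with the META-INF layout that signtool produces above, as one added example in Go. This is not code from Netscape, VeriSign or the signtool project. Its assumptions: a toy root CA issued in-process stands in for the VeriSign root embedded in the browser; SHA-256 hex digests and a bare PKCS #1 v1.5 signature over the .sf file stand in for the tool's MD5/SHA-1 digests and PKCS #7 wrapper; the names Sign, Verify, issueCert and Scenario, the subjects "Toy Root CA" and "Example Software Inc.", and the sample file test.f containing "boo" are all invented for the example. Besides the intact and tampered packages, it exercises the validity-period check from the Digital ID section by verifying the same package after the ID has expired.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SignedJar mirrors signtool's layout: the files, META-INF/manifest.mf (one digest per file),
// META-INF/signtool.sf (a digest of the manifest) and signtool.rsa (signature over the .sf + Digital ID).
type SignedJar struct {
	Files              []File
	Manifest, SigFile  string
	Signature, CertDER []byte
}

type File struct{ Name string; Data []byte } // a slice keeps manifest order deterministic
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func buildManifest(files []File) string {
	mf := "Manifest-Version: 1.0\n\n"
	for _, f := range files {
		mf += fmt.Sprintf("Name: %s\nSHA-256-Digest: %s\n\n", f.Name, digest(f.Data))
	}
	return mf
}

// Sign is the publisher side: digest files into the manifest, the manifest into the .sf, sign the .sf hash (SHA-256 and PKCS #1 v1.5 are this example's assumptions, not signtool's MD5/PKCS #7).
func Sign(files []File, key *rsa.PrivateKey, certDER []byte) (*SignedJar, error) {
	mf := buildManifest(files)
	sf := "Signature-Version: 1.0\nSHA-256-Digest-Manifest: " + digest([]byte(mf)) + "\n"
	h := sha256.Sum256([]byte(sf))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return &SignedJar{Files: files, Manifest: mf, SigFile: sf, Signature: sig, CertDER: certDER}, err
}

// Verify is the browser side: chain the Digital ID to an embedded root (which also checks validity
// dates and code-signing usage), check the signature with the ID's key, then recompute every digest.
func Verify(jar *SignedJar, roots *x509.CertPool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(jar.CertDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	}
	if err != nil {
		return "", fmt.Errorf("Digital ID not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, []byte(jar.SigFile), jar.Signature); err != nil {
		return "", fmt.Errorf("signature does not verify with the publisher's public key: %w", err)
	}
	if !strings.Contains(jar.SigFile, "SHA-256-Digest-Manifest: "+digest([]byte(jar.Manifest))+"\n") ||
		buildManifest(jar.Files) != jar.Manifest {
		return "", fmt.Errorf("digest mismatch: content altered after signing")
	}
	return cert.Subject.CommonName, nil // the verified publisher name
}

// issueCert makes a key and a one-year code-signing certificate; a nil parent yields a self-signed root.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario: a toy root CA (standing in for the embedded VeriSign root) issues a Digital ID; the publisher signs a constructed file; the browser verifies it intact, tampered, and after ID expiry.
func Scenario() (publisher string, intactErr, tamperErr, expiredErr error) {
	caCert, caKey := issueCert("Toy Root CA", true, nil, nil)
	idCert, idKey := issueCert("Example Software Inc.", false, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	jar, intactErr := Sign([]File{{"test.f", []byte("boo\n")}}, idKey, idCert.Raw)
	if intactErr == nil {
		publisher, intactErr = Verify(jar, roots, time.Now())
	}
	tampered := *jar // keeps the valid signature, swaps the content underneath it
	tampered.Files = []File{{"test.f", []byte("boo\nrm -rf ~\n")}}
	_, tamperErr = Verify(&tampered, roots, time.Now())
	_, expiredErr = Verify(jar, roots, time.Now().Add(2*365*24*time.Hour))
	return
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; Scenario returns the verified publisher name for the intact package and the two errors that reject the tampered copy and the expired ID. The tampered case is the instructive one: the signature and the .sf still verify, because they were never touched; only the recomputation of the file digests catches the substitution, which is why a verifier has to carry out all three steps (chain, signature, digests) rather than stopping once the signature checks out.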
For more in-depth instructions on the use of Netscape Signing Tool
version 1.1, please see the Netscape Developer's Manual.
Conclusion
Netscape and VeriSign are committed to making the Internet a secure
and viable platform for commerce and the distribution of content.
With Object Signing and a VeriSign Code Signing ID, your customers
can verify where your code came from and that it reached them
unaltered, much as shrink-wrap and a store shelf assure them today.
For more
information on Code Signing IDs for Netscape Object Signing,
including pricing, availability, and Frequently Asked Questions,
please visit www.verisign.com/developers.
© 2002 VeriSign, Inc. All rights reserved. Legal Notices Main Phone:
650-961-7500 · Fax: 650-961-7300 Sales:
650-426-5115