Dr. Dobb's Journal - October 2008 - (Page 32)

Core Technology: CODE SIGNING IN ADOBE AIR (continued from page 30)

Certificates that are not trusted via a certificate chain—and therefore must be listed directly in the certificate store to be trusted—are often referred to as “self-signed” certificates. Rather than being signed by another certificate—a certification authority, for instance—they are quite literally signed by themselves. This self-signature doesn’t provide for a chain, but it does provide a way to detect any tampering with the certificate.

“Self-signed” is sometimes used to mean “untrusted” because, by default, self-signed certificates are not trusted in your certificate store. The two are not really the same thing. All certificates must be signed, and the root certificates for all certification authorities are also self-signed. While most self-signed certificates are not trusted, many of the most important certificates are.

Getting Certificates

You can create your own certificate using a variety of tools, including the free Adobe AIR SDK. This option is free and fast, but because a commercial certification authority has not issued these certificates, they will not be trusted on most machines.

Certificates can also be purchased from certification authorities. Thawte (www.thawte.com), for example, offers a certificate purchase process specific to Adobe AIR. Certificates issued by commercial CAs are trusted on most machines.

Regardless of how they are obtained, certificates are issued for different purposes. Adobe AIR requires certificates that are specifically designated for use in code signing. For example, you can create a certificate for signing documents with Adobe Reader, but this certificate cannot be used to sign AIR applications, as the intended purposes differ. Code signing certificates are generally interchangeable; Authenticode certificates (www.authenticode.com), for example, can be used to sign AIR applications.

Managing Trusted Identity

Adobe AIR does not provide any facilities for directly managing trusted certificates and, therefore, no facilities for managing trusted identity. These facilities are already provided by your operating system, along with tools that you or an administrator can use to add and remove trusted certificates.

If a commercial certification authority issues the certificate that was used to sign the application you are installing, you probably won’t have to take any additional steps to have that certificate be trusted on your system. The certification authority is probably already entered in your system store. Both Windows and Mac OS come preconfigured to trust certification authorities selected by the operating system vendor.

If not—say, you received your friend’s certificate on a USB drive at the coffee shop—then you make that certificate trusted on your machine by loading it into the system certificates store. On Mac OS, you do this via Keychain; on Windows via Internet Options.

Trusted Software

Trusting identity is one thing; trusting software is quite another. For example, I trust the eBay desktop application because I believe eBay would not deliberately publish a malicious or otherwise dangerous application. Establishing that eBay signed the application I’m about to install is a requisite first step to trusting the application. The rest of my decision hinges on my knowledge of eBay, its reputation as a company, and how paranoid I am.

An established identity is just as key to establishing a lack of trust. For example, I wouldn’t be willing to install an application just because I knew with certainty that Evil Hacker, LLC published it. All the same, I would be glad that their identity had been established: I believe they would deliberately harm my machine and I don’t want to be installing any of their software.

Thawte, Adobe AIR Certificates, and Firefox

Adobe collaborated with Thawte, a member of the Verisign family, to create a process for purchasing certificates for use with Adobe AIR. Obtaining a certificate via this process consists of the following steps. These are not detailed instructions; for that, please see the

Gruesome Details of Getting Certificates

The technical process of obtaining a certificate can be listed as four basic steps:

1. A key-pair is generated. The private key of the pair must remain a secret and so the person who wishes to obtain the certificate must generate it locally.
2. A certificate-signing request is created. This request includes the public key and identifying information such as your name; most of this same information is placed in the certificate itself. This request is sent to the certification authority.
3. A certificate is created; it contains your public key, name, and other information and is signed by a (private) key controlled by the certification authority. The certification authority then returns this signed certificate to the requester.
4. The certificate and the original private key are reassociated by the requester in some keystore.

If you create your own certificate (for example, via the “adt” tool in the Adobe AIR SDK, www.adobe.com/products/air/tools/sdk), then these four steps happen at the same time. The output of the adt command to create a new certificate is the keystore created in step 4, containing both the certificate and the new private key. The certificate is signed with its own private key in step 3, which is why certificates you create in this manner are called “self-signed.”

If you purchase a certificate, then these steps are somewhat more involved and begin with determining your purchasing process. Although this may seem surprising at first, it is your browser that handles the client-side aspects of each of these steps. Less surprisingly, not every certificate purchasing process is compatible with every browser.

The Adobe AIR process provided by Thawte is compatible with Mozilla-based browsers, such as Firefox. We selected this process in conjunction with Thawte because it provides a uniform purchase process across all platforms Adobe AIR supports. Other types of code signing certificates have other browser requirements. For example, purchasing Authenticode certificates—Microsoft’s branded version of code signing certificates for use on Windows—requires the use of Internet Explorer. Imagine that.
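The four steps listed under “Gruesome Details of Getting Certificates,” together with the difference between trust through a chain and trust by direct listing in the store, shown as an added Go example that is not code from the article or from the AIR SDK. Go's standard crypto/x509 package stands in for the adt tool, the browser and the certification authority; the function names Enroll and Trusted and the “Constructed ...” subject names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Enroll runs the four steps. A nil ca is the self-signed case: the requester is the issuer.
func Enroll(cn string, ca *x509.Certificate, caKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // 1. key pair, generated locally
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest( // 2. request
		rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))))
	must(0, csr.CheckSignature()) // issuer confirms the requester holds the private key
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if ca == nil { // signed with its own private key, and allowed to sign others
		t.IsCA, t.KeyUsage, ca, caKey = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)))) // 3.
	return key, cert // 4. the pair a keystore holds together
}

// Trusted reports whether cert chains, for code signing, to a certificate listed in store.
func Trusted(cert *x509.Certificate, store ...*x509.Certificate) error {
	pool := x509.NewCertPool() // an empty, non-nil pool: system roots are never consulted
	for _, c := range store {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

func main() {
	caKey, ca := Enroll("Constructed Root CA", nil, nil) // a root is itself self-signed
	_, pub := Enroll("Constructed Publisher", ca, caKey)
	fmt.Println(Trusted(pub, ca), Trusted(pub), Trusted(ca, ca))
}
```

The publisher certificate verifies only when the root is in the store, and the self-signed root verifies only when it is listed there directly.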