I’ve been taking an interest in computer security recently, and as part of that I’ve been investigating digital certificates, primarily in the context of code signing (e.g. applications/macros/plugins).
There seem to be two main misconceptions here (at opposite ends of the scale), which are worth addressing:
1. “If something has been signed then it’s safe.”
2. “Just because something’s been signed, that’s no guarantee of safety, therefore signing is pointless, and it’s just a way for Microsoft to extort money from people while spreading FUD.” (FUD = Fear, Uncertainty, and Doubt.)
Basically, before you run an application, there are two questions you should ask:
a) Do I trust the person/company who wrote it?
b) Am I sure that they did actually write it (and that nobody has tampered with it since)?
Code signing only addresses the second question, not the first. So, it’s just a part of the overall solution, but it is a necessary part. I liked the metaphor of the “sandwich test”, which I heard recently. Suppose we were at lunch, and I said “Hmm, I’m not very hungry – would you like one of the sandwiches I made this morning?” You would probably be fairly confident that this was safe to eat (barring allergies). By contrast, if I came into the office and said “Hey, I found this sandwich lying on the ground outside – anyone want it?”, then I’m guessing that you wouldn’t be very enthusiastic.
Anyway, I figured that it was about time I got a certificate for myself, now that I’m starting to distribute little programs. When I’ve done this at work, companies like Verisign will generally want some kind of proof that you really are from the company you claim to be, e.g. providing a DUNS number and sending over something on the company’s letterhead. For a private individual, it gets a bit more tricky. I found that GlobalSign were a good option for this, so I’ve got a 1 year code signing certificate from them (it cost 175 euros, which isn’t too bad). For validation, I faxed them over the photo page from my passport, and the certificate that they’ve issued me with is tied to my email address (rather than a company name).
What this means in the longer term is that if you have a program which I (supposedly) wrote, and it’s not signed, then either I didn’t write it or it’s not the latest version, so you should stop using it and check my website. I’ll update my software section with screenshots etc. in due course, to explain this more clearly.
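The two questions above map onto two separate checks. As an added example (not code from the original post), this PowerShell script lets Get-AuthenticodeSignature answer question (b), whether the file was really signed and left untouched, and then answers question (a) from a list of certificate thumbprints you have chosen to trust; the file path and thumbprint are placeholders.

```powershell
# Added example, not from the original post. Get-AuthenticodeSignature answers only
# question (b): is the file signed, and is the signature intact and chained to a
# trusted root? Question (a), "do I trust this signer?", is a decision you make
# yourself, expressed here as a list of thumbprints. Path and thumbprint are placeholders.

$FilePath           = 'C:\Downloads\SomeTool.exe'                       # placeholder
$TrustedThumbprints = @('0000000000000000000000000000000000000000')     # placeholder

function Test-SignedByTrustedPublisher {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Trusted
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status covers integrity and chain validity only. 'NotSigned' means nobody
    # vouched for the file; 'HashMismatch' means it was signed and then altered.
    $result = [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $null
        Trusted = $false
    }
    if ($sig.Status -ne 'Valid') { return $result }

    # A 'Valid' signature tells us who signed it, not whether we should run it.
    $cert           = $sig.SignerCertificate
    $result.Signer  = $cert.Subject
    $result.Trusted = $Trusted -contains $cert.Thumbprint
    return $result
}

$r = Test-SignedByTrustedPublisher -Path $FilePath -Trusted $TrustedThumbprints
switch ($r.Status) {
    'NotSigned'    { "Unsigned: either not the author's build or not the current release; check the website." }
    'HashMismatch' { "Signed, but modified afterwards: do not run." }
    'Valid'        {
        if ($r.Trusted) { "Signed by $($r.Signer), and on my trusted list." }
        else            { "Signed by $($r.Signer), but that is not someone I have decided to trust." }
    }
    default        { "Signature problem ($($r.Status)): treat as unsigned." }
}
```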
So far, so good. I’ve also been dealing with SSL certificates at work, and I figured that it’s about time I got one of those too. (Sadly you can’t use the same certificate for both purposes.) This will be for the private server in my lounge, not my public website. I set myself up with a self-issued certificate a while back, and that’s been good enough for my purposes – I only really use the website to check my email (Outlook Web Access), and I can ignore the warning message that appears.
However, I’ve recently been talking to some people about setting up a website for our club. This would keep track of membership details, so it will need a secure sign-in. If I’m going to point other people at my server for testing purposes, I don’t really like the idea of telling them to ignore the security warnings. On one level it feels unprofessional, as if I’m saying “Yeah, I couldn’t be bothered to set it up properly, but don’t worry, the live site will be properly secure, honest”. On the flip side, if they trust me implicitly, I don’t want them to get carried away and start ignoring warning messages from phishing sites “because John said not to worry about them”.
So, back to GlobalSign, to get an SSL certificate. This is where things started to get more complicated. If you generate a CSR (Certificate Signing Request) on IIS, lots of fields are compulsory, including “Organization” and “Organizational Unit” (sic). I normally use “Kirk Enterprises” when I’m installing software, since I think it has a nice ring to it, and if I’d gone contracting then I’d have tried to set up a limited company with that name. However, as it stands I don’t have my own company, so I wasn’t sure what to put. I found someone else saying that he’d used his name there, so I contacted GlobalSign tech support to see what they’d prefer. E.g. if they’d want me to fax over my passport again, then would they need me to put that same name into one of the fields?
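The IIS wizard hides what actually ends up in the request. As an added example (not from the original post), this builds the same kind of PKCS#10 request with certreq, which ships with Windows, so the Subject fields, including the compulsory O and OU, are written out explicitly and can be checked before anything is sent to the CA; the domain name and subject values are placeholders.

```powershell
# Added example, not from the original post. certreq and certutil are standard Windows
# tools. The domain name and the O/OU values below are placeholders to be replaced.

$Inf = @'
[NewRequest]
; CN must be the registered domain the certificate will serve.
; O and OU are the fields the IIS wizard makes compulsory; for an individual the usual
; fallback is your own name in both, unless the CA asks for something else.
Subject = "CN=www.example.invalid, O=John Kirk, OU=John Kirk, C=GB"
KeyAlgorithm  = RSA
KeyLength     = 2048
HashAlgorithm = sha256
KeyUsage      = 0xA0      ; digital signature + key encipherment
KeySpec       = 1         ; AT_KEYEXCHANGE, which is what IIS expects
MachineKeySet = true      ; private key goes into the machine store so IIS can use it
Exportable    = false
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
RequestType   = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication
'@

$InfPath = Join-Path $env:TEMP 'request.inf'
$CsrPath = Join-Path $env:TEMP 'request.csr'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Generates the key pair in the machine store and writes the PEM-encoded CSR.
certreq -new $InfPath $CsrPath

# Decode the request before sending it: the Subject is exactly what the CA will be
# validating, so compare it with the name on whatever ID you are going to fax them.
certutil -dump $CsrPath | Select-String -Pattern 'Subject:' -Context 0, 6
```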
So, my message included the following info:
Name: John Kirk
“I’m guessing that I need to put my name in, but should I use it in both boxes, or should I say something like -Organization = Kirk Family, OU = John Kirk-?”
Their reply began “Dear Mr. Golgotha” – not a promising sign of reading comprehension…
Anyway, they said “All we require is a common name (registered domain name, registered by you)”, which sounds reasonable, so I generated the CSR and went through their request system, including entering my payment details. I got to the end, and it said: “In order to complete your order for a GlobalSign ServerSign Certificate you need to fax/mail a copy of the printed order form (from Step 3 in the procedure) together with a proof of your companies legal status.” Hmm, problem. I’ve emailed them back, pointing out that I don’t have this, and I’m waiting to hear back from them at the moment. If they just don’t sell SSL certificates to individuals, that’s fair enough, but it would have been nice of them to tell me that earlier.
In fact, I think that more transparency in the validation process would be a good thing all round. As a (potential) customer, I want to know how much info they’re after, so that I can gather it together. As an end user, if I see a padlock on a website, I want to know how confident I can be that this really is the appropriate company. Is this from “Big Jim’s Certificate Shop – any domain name in 5 minutes or the second one’s free”, or do they require depositions from three doctors and judges who’ve known you for 20 years? This comes back to what I said at the start – the CA (Certificate Authority, e.g. Verisign) has one job, which is to verify identities. I don’t expect them to do code reviews, but I do want to know how diligent they are.
Coming back to my specific issue, I’m guessing that it’s fairly unusual for individuals (rather than companies) to want SSL certificates, so there isn’t much infrastructure in place for it yet. However, it also occurs to me that this is more or less a solved problem (to use Maths-speak). If you go to Whois, it tells you that my domain is registered to John Kirk at such-and-such address. If you are willing to treat that as trustworthy, then the problem becomes “how does the CA verify that I am that person from that address?” Well, I have a driving licence, which is photo ID with my name and address on it. I could just fax that (like my passport), or I could show it to a trusted local representative (e.g. a bank), get them to stamp/sign my form, and then fax the stamped form over to the CA. As I recall, that’s more or less how the process works for getting your first [photo] driving licence – you show proof to the member of staff in the post office, and then he/she will endorse the form that goes off to the DVLA. I don’t have the resources (or the inclination) to set up that kind of scheme, but if there are businesses that rely on this kind of thing for their income then they have more of an incentive.