logging-log4j-dev mailing list archives

From Ceki Gülcü <c...@qos.ch>
Subject RE: Web start app & Certificates - redux
Date Wed, 05 May 2004 07:39:46 GMT
At 12:05 AM 5/5/2004, Paul Smith wrote:
> > But will the ASF sign a certificate we present to them?
>
>Do they need to?  If you, Ceki, had, say, your own personal certificate (based
>on "ceki@apache.org" or even "ceki@qos.ch"; you can get these for free, and they
>are valid within the standard certificate chain/authorities), you could sign the
>jars inside a distribution with this certificate, and Web Start would not
>complain.  The certificate just needs to be able to be verified via the
>standard trust chain.

Understood.

>The issue I think is whether the Apache foundation is comfortable with
>hosting a distribution that has been signed 'outside' the foundation.  The
>problem is I can't see a way of them letting us sign with an Apache
>certificate for security reasons.  Catch-22?
>
> > Without a certificate chain, you can actually sign with my
> > name, you can
> > even sign as "The President of the United States of America."
>
>But you can get a valid certificate from an authority based on your email
>address and, say, a driver's license from some providers; it's called a
>Personal Certificate. It allows you to verify that something has been signed
>by an 'email address' that has been verified and bound to an identity that
>can be traced.  I.e., my personal certificate is linked to my driver's license
>here in Australia, so the certificate authority can always use that as a
>method of tracking me down should I do something silly.

Well, that's the theory Certificate Authorities built their business on. I 
am not sure that theory is solid though. Anyway, it does not really matter 
as long as we can get Web Start running.

> > Do you know if the ASF have a certification policy? If it
> > does, then we
> > should follow it. If it doesn't, then we are left only with
> > bad alternatives.
>
>From what I recall, there isn't any policy at all, maybe I am wrong.
>Perhaps I should take this up with something _other_ than infrastructure? It
>seems to be a foundation-wide issue.  Should I use security@apache.org and
>CC our General list on?  Ceki, do you have any other recommendations as to
>who we should contact for further info?  I am happy to take lead on this.

The httpd folks have come up with something quite reasonable for
signing releases:

   http://httpd.apache.org/dev/verification.html
   http://www.apache.org/dist/httpd/KEYS

However, I am not sure if their technique would apply to Web Start.

I suggest the following.

Paul, our designated volunteer, starts off by getting his personal key 
signed by one of the CAs recognized by *default* by the JDK key 
verification setup. Those CAs are contained in the 
file  $JAVA_HOME/jre/lib/security/cacerts

 > keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

Note that "thawtepersonalfreemailca" is on the list...

Once Paul gets his key signed by Thawte Personal Freemail CA, he can sign 
the relevant jar files. If users complain or do not trust Paul's signature, 
we can jump in by getting our own certificates and either sign Paul's 
signatures or sign the relevant jars or even both.

Paul, the above sounds very much like what you had in mind, correct?

>cheers,
>
>Paul Smith

-- 
Ceki Gülcü

      For log4j documentation consider "The complete log4j manual"
      ISBN: 2970036908 http://www.qos.ch/shop/products/clm_t.jsp  
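The plan in the message relies on one check: the certificate that signs the jars must chain to a CA that is already present in the JDK's default `cacerts` keystore, otherwise Web Start will not accept the signature. The following Python is an added example, not code from the message or from the log4j project. It parses the `keytool -list` output format quoted above (the sample listing is a constructed subset of those entries), cross-checks the parsed entries against the "Your keystore contains N entries" line, and then looks up whether a signing chain terminates in one of those trusted anchors. The chain fingerprints are constructed placeholders standing in for what `jarsigner -verify -verbose -certs` would report for a signed jar; the leaf and self-signed values are not real certificates.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the `keytool -list -keystore cacerts`
# output quoted in the message (an alias line, then its fingerprint line).
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

thawtepersonalfreemailca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
verisignclass3ca, Jun 29, 1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
baltimorecodesigningca, May 10, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
"""

# Constructed fingerprints standing in for a signing chain as `jarsigner
# -verify -verbose -certs` would report it: a hypothetical personal
# certificate (leaf) followed by the CA that issued it. Not real certificates.
CHAIN_OK = [
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",  # hypothetical leaf
    "1e:74:c3:86:3c:0c:35:c5:3e:c2:7f:ef:3c:aa:3c:d9",  # Thawte Personal Freemail CA
]
CHAIN_SELF_SIGNED = [
    "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef",  # hypothetical self-signed cert
]


@dataclass(frozen=True)
class TrustedEntry:
    alias: str
    added: str         # creation date as printed by keytool
    entry_type: str    # e.g. trustedCertEntry
    fp_algo: str       # hash algorithm named in the fingerprint line
    fingerprint: str   # normalised: upper-case, colon separated


# "alias, <date with comma>, <entryType>," : the date itself contains a comma,
# so the date group is matched lazily and the type is anchored at line end.
ALIAS_RE = re.compile(r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*(?P<type>\w+),?\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>[A-Za-z0-9-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$")
COUNT_RE = re.compile(r"^Your keystore contains (?P<n>\d+) entr")


def normalise_fp(fp: str) -> str:
    """Canonical form so listings and jarsigner output compare reliably."""
    return fp.strip().upper()


def parse_keytool_list(text: str) -> dict[str, TrustedEntry]:
    """Return alias -> TrustedEntry for every alias/fingerprint pair."""
    entries: dict[str, TrustedEntry] = {}
    pending: Optional[re.Match[str]] = None
    for line in text.splitlines():
        alias_match = ALIAS_RE.match(line)
        if alias_match:
            pending = alias_match          # fingerprint follows on the next line
            continue
        fp_match = FP_RE.match(line)
        if fp_match and pending:
            alias = pending["alias"].strip()
            entries[alias] = TrustedEntry(
                alias=alias,
                added=pending["date"].strip(),
                entry_type=pending["type"].strip(),
                fp_algo=fp_match["algo"].upper(),
                fingerprint=normalise_fp(fp_match["fp"]),
            )
            pending = None
    return entries


def declared_entry_count(text: str) -> Optional[int]:
    """The count keytool prints; compare with len(parse_keytool_list(text))."""
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            return int(m["n"])
    return None


def trust_anchor_for(chain_fps: list[str], trusted: dict[str, TrustedEntry]) -> Optional[TrustedEntry]:
    """Return the first certificate in the chain that is a trusted anchor, else None.

    A chain whose certificates all fall outside the truststore (e.g. a
    self-signed signer) yields None, which is the case Web Start rejects.
    """
    by_fp = {e.fingerprint: e for e in trusted.values()}
    for fp in chain_fps:
        hit = by_fp.get(normalise_fp(fp))
        if hit:
            return hit
    return None


if __name__ == "__main__":
    trusted = parse_keytool_list(SAMPLE_LISTING)
    print(f"parsed {len(trusted)} entries, keytool declared {declared_entry_count(SAMPLE_LISTING)}")
    for name, chain in ("CHAIN_OK", CHAIN_OK), ("CHAIN_SELF_SIGNED", CHAIN_SELF_SIGNED):
        anchor = trust_anchor_for(chain, trusted)
        print(f"{name}: {'anchored at ' + anchor.alias if anchor else 'no trusted anchor'}")
```

A match against the keystore only tells you that the chain is anchored somewhere the JDK trusts; it says nothing about who the signer is beyond what that CA verified, which for a freemail-class certificate is control of an email address. The listing quoted in the message also prints MD5 fingerprints, so when comparing against anything produced by a current JDK, which prints SHA-256 by default, compare fingerprints of the same algorithm rather than assuming a mismatch means an untrusted root.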
