The Initium X.509 Certificate Wizard

This paper describes the use of the Thawte’s “Web of Trust” X.509 certificates for signing and distributing executable Jar resources. A keytool wizard (called the Initium X.509 Certificate Wizard) was developed in order to help with the importation and management of certificates. A signed Jar file generally indicates that the signer authorizes the contents. Signing is accomplished using a certificate that has been issued by a Certificate Authority (CA). Several CA’s are available for this task; however, few of them are free, like the Thawte CA. Once a free certificate is obtained, Jar files may be distributed and named as verified from the signer. Trusted Jar files can be run outside of the “sandbox” and thus be given improved access to the target system. The impact of having a trusted Jar file is that Jar distribution systems (like Java Web Start, or Browser-based Applets) can run the program in the trusted manner. Therefore, such trusted programs can have access to the files, or be able to open connections to hosts other than the web host. The keytool wizard addresses a subproblem of the Initium project, a joint, on-going project between the Fairfield University and DocJava, Inc. Initium is a Latin word that means: “at the start”. 1 THE THAWTE WEB OF TRUST In order for Java Web Start to give unrestricted permission for a Java program to execute, it must use a “signed” Jar file. A signed Jar file is designed to prove that the originator is the author of the code. This does NOT prevent the author from writing harmful code. On the other hand, if you trust the author to write non-harmful code, you may feel safer about running the authors’ programs. THE INITIUM X.509 CERTIFICATE WIZARD 76 JOURNAL OF OBJECT TECHNOLOGY VOL. 3, NO. 10 In order to sign a Jar file, you need a digital certificate. Certificates are issued after a proper background check, by a Certification Authority (CA). This is not generally a free service. For example, Verisign asks for $200 or $400 per year, in order to issue a certificate. Applications that are signed by an untrusted signature (i.e., a signature that is not verified by a known CA) cause a dialog to be displayed saying: “It is highly recommended not to install and run this code”. The software that I write is typically given away. As a result, I am disinclined to pay $200-$400 per year. Therefore, a free (or at least very cheap) approach to obtaining a certificate appeals to my sense of thrift. The Thawte personal e-mail certificate can be used indefinitely, and at no cost. Thawte is a CA that can issue a digital certificate to an organization or an individual. It is the role of the CA to verify that the company ordering the certificate is a registered organization that controls its domain and that the person in the company, who ordered the certificate, is authorized to do so. Authentication helps to prevent spoofing. It is harder to substitute illegitimate programs for programs that come from established organizations when the programs must be properly signed. Con artists could make use of such untrusted programs to steal credit card numbers or create software that destroys or distorts data. Thus having an authentication procedure in place helps to establish trust and adds value to the Java programs that you distribute. From the point of view of grid computing, a grid operator will want some assurance that the program being submitted for execution is safe. At the very least, the program can be attributed to its signer before being deployed on the grid. In the event the grid application contained damaging code, the compute servers on the grid would become infected with the code faster than normally propagated computer contagions. Such a program places the entire grid as risk. 2 HOW DO I GET A CERTIFICATE? This section presents the steps that are needed in order to obtain a free personal e-mail certificate from Thawte. First you must visit https://www.thawte.com/email/index.html#, run by Thawte. You then click on “join” and fill out the application. Information needed includes, name, data of birth, and a “national identification number”. This can consist of a diver’s license number, social security number or passport number. You must also enter an e-mail address. Other information needed includes: your phone number, your mother’s maiden name, your father’s middle name, what is the make of your fridge, etc. Your free certificate will not show your name when you sign your jar files. Java Web Start, for example, will show your name as: “Thawte Freemail Member”. In order to obtain a certificate for signing your jar, you will have to wait for a confirmation e-mail from Thawte. This will contain the codes that you need in order to