DSig in PCWeek

Rohit Khare (khare@w3.org)
Wed, 18 Dec 1996 16:23:44 -0500


Code signing's new Signature

By Michael Moeller
December 16, 1996 06:32:36 PM EST
PC Week

Several industry heavyweights are eyeing a standard way to secure Internet
software transfers, as the digital superhighway becomes a more common mode
of application deployment and distribution.

The W3C (World Wide Web Consortium) is corralling Microsoft Corp.,
JavaSoft, Netscape Communications Corp., Oracle Corp., IBM, AT&T Corp. and
several others to craft a method for digitally signing and authenticating
Java applets and ActiveX controls.

A draft of the Digital Signature Initiative is due to be announced at the
end of next month, after which all vendors involved will begin work on
implementing it in trial systems, said Philip DesAutels, project manager
for the initiative for the W3C, based in Cambridge, Mass.

The technology will be encryption protocol-neutral and will support such
digital signature standards as PKCS#7 and X.509v3, said officials. The new
system also will support the Platform for Internet Content Selection (PICS)
rating system.

The initiative fills a gap for a common "trust system" for knowing who
created a downloadable piece of software, why it was created and what it
can do to a user's computer, DesAutels said. In addition, it goes a step
beyond Microsoft's Authenticode, a common form of code signing that enables
Java applets or ActiveX controls to be signed by their author to establish
accountability.

Netscape and JavaSoft are putting the final touches on co-developed
technologies called JAR (Java Archive Format) and Java security APIs, which
sign only Java applets, JavaSoft and Netscape officials said.

Microsoft, JavaSoft and Netscape officials all pledged to support any
standard as long as it was implemented in an open way.

"We are closely working with the W3C, and once a standard method for
signing code is completed, we will take a look at how it fits with
Authenticode and see how soon we are able to get the new standard into our
products," said John Brown, program manager for electronic commerce at
Microsoft, in Redmond, Wash. "From what we can see, there is not a lot of
work that has to be done, so supporting the standard will not mean we have
to rebuild our technology."

Netscape and JavaSoft officials added that they too are closely watching
what the W3C comes up with, but they feel that for the time being it is
important to get products out the door that provide additional security
beyond current Java security.

"Our code-signing format, jointly spec'd and developed with Netscape, is
likely to be our input to the W3C group," said Li Gong, Java security
architect at JavaSoft. "The format is flexible and extensible."

The W3C's Digital Signature Initiative promises to prevent any proprietary
code-signing method from becoming too well-established, while still allowing
methods such as Microsoft's Authenticode to work within the standard.

The standard promises to provide a mechanism to allow independent software
testing centers or companies to check the code for viruses or bugs and
create a rating system that could be adopted by corporations or users, said
DesAutels.

If a user adopted a specific rating system, it would be embedded into his
or her browser. Then, when a user attempts to download an applet, the code
would search for the applet's virtual certification and either run the
applet or deny access, said DesAutels.
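The run-or-deny decision described above, as an added illustration that is not part of the PC Week article or of any W3C code: a rater signs a label that binds its rating to the hash of the applet bytes, and the browser-side policy runs the applet only if a rater the user trusts has validly signed an acceptable rating for exactly those bytes. The rater names, keys and rating vocabulary are constructed, and HMAC stands in for the PKCS#7/X.509 public-key signatures the initiative actually calls for.

```python
import hashlib
import hmac
import json

# Constructed sample raters and their label-signing keys. HMAC is a stand-in
# here for the public-key signatures (PKCS#7 / X.509v3) a real DSig label
# would carry; the binding and policy logic is the point being shown.
RATER_KEYS = {
    "testing-centre.example": b"constructed-key-1",
    "unknown-rater.example": b"constructed-key-2",
}


def _canonical(body):
    """Stable byte encoding of the label body so signer and verifier agree."""
    return json.dumps(body, sort_keys=True).encode()


def sign_label(rater, code, rating, key):
    """A rater issues a label: an assertion about code identified by its hash,
    not by its filename or download location."""
    body = {"rater": rater, "sha256": hashlib.sha256(code).hexdigest(), "rating": rating}
    return {**body, "sig": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def label_is_valid(label, key):
    """Check the label's signature against the rater's key."""
    body = {k: v for k, v in label.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, label["sig"])


def decide(code, labels, policy, rater_keys=RATER_KEYS):
    """Browser-side policy: 'run' only if some label is from a trusted rater,
    verifies, matches the downloaded bytes, and carries an allowed rating."""
    digest = hashlib.sha256(code).hexdigest()
    for label in labels:
        key = rater_keys.get(label["rater"])
        if label["rater"] not in policy["trusted_raters"] or key is None:
            continue  # user's policy does not recognise this rater
        if label["sha256"] != digest:
            continue  # label refers to different bytes (tampered or stale)
        if not label_is_valid(label, key):
            continue  # signature does not verify
        if label["rating"] in policy["allowed_ratings"]:
            return "run"
    return "deny"  # no acceptable, verified label: fail closed
```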

------------------------------------------------------------------------

What's Your Sign?

Major vendors supporting the W3C Digital Signature Initiative:

Microsoft
Oracle
Netscape
AT&T
JavaSoft
IBM