« September 2007 | Main | November 2007 »
My Digital Signature Adventure, Day Two
Today started with me requesting a digital certificate from Thawte "at the freemail level of assurance" for a POP3 email address I use that's different than the one I used yesterday to create my own digital signature. I intend to try to use both addresses as I continue to explore how digital signatures work.
These certificates are in X.509 format. There's still no Eudora support, so I chose to request one in Mozilla Firefox/Thunderbird format. (It's ironic that down the road, Thunderbird and Eudora will be merging, but they haven't yet.) The first thing I discovered: I can't request the Mozilla certificate from within Internet Explorer (makes sense, I guess).
So I requested one from within Firefox. Then I had to choose which email address to select for the certificate:
"Most mail clients support S/MIME and can use these certificates if you include your email address."
Next, Thawte had this to say:
"Strong Extranet Identities
"thawte offers a very simple but powerful 'extranet certification' system which enables organizations to certify their partners, customer, suppliers or employees, and to use these certificates for access control to secure web servers. The 'Strong Extranet' is the easiest way to migrate from username/password access control to certificate-based access control.
"If you have been certified as a member of any extranets the relevant identities will appear below. Check those you wish to include into this certificate."
None are listed. So onward I go.
"Accept Default Extensions
"The newest versions of the certificate standard allow you to embed a series of certificate extensions into your digital certificate. These extensions will influence how the certificate can be used by applications. You can safely skip this page by accepting the default extension configuration."Advanced Users: Configure Certificate Extensions
"Click "Configure Certificate Extensions" to customize some of the more common certificate extensions. Don't choose this option unless you know what you are doing."
Out of curiosity I click on "configure certificate extensions" and find this scary bit of text that stops me cold:
"Please note that the extension options below are not for the faint of heart. You probably won't trigger a Vogon invasion of Earth if you press the wrong button, but you might cause weird behaviour in some otherwise-normal software. Don't fiddle with this unless you've been told to, or unless you're a born fiddler."
With that, it's back to accepting the default extensions! But there's no "back" button so I have to start the process again and get back to that point.
"Public Key
"Your Personal Certificate will contain a public key. People will use that public key to encrypt information for your eyes only. If the drop-down listbox below does not include 1024-bit keys, then you should update your browser to full-strength crypto by downloading a new browser from Netscape. If for some reason you cannot do that, then try installing Fortify to upgrade your browser to full-strength crypto."
Firefox lets me choose between 1024-bit keys (medium grade) or 2048-bit keys (high grade). I choose 2048-bit keys.
"You can continue your request by pressing "Next" below. If necessary your browser will walk you through the public key generation process."
I continue.
"Confirm Netscape Certificate Request
"You are about to complete the certificate request process. Please look at the following summary and make sure that everything is correct. Once you press "Finish" below you will be unable to edit or alter the contents of this certificate!"The certificate will have a distinguished name that looks like this:
Common: Thawte Freemail Member Email: [my email address] "If you need a certificate with your full name in it, then you need to join the Freemail Web of Trust.
"It may also include at least the following extensions:
"X.509 SubjectAltName
"This certificate contains a set of alternative names for the certificate subscriber. They are listed below:
- Email: [my email address]
"Please note that we will also add a BasicConstraints, and ExtendedKeyUsage and an authorityKeyIdentifier.
"If you are happy with this, press "Finish" below. If not, please use your back button to select the correct distinguished name and certificate extensions for this request."
(Once again, frustration! Firefox opened this dialog in a pop-up window with no back button. What the heck -- forward I go.)
"Personal Certificate Requested
"Your personal certificate request has been committed to our database. You can track the status of all your certificate requests through the Certificate Manager. You will also receive email notifying you of major status changes for this request. For example, when your certificate has been issued and is ready for you to download, or when it is revoked, or when it is about to expire, our system will send you a cautionary message."Certificate Manager Page
"To go to your Certificate Manager page, within your account, click here.
"Your certificate should be at the top of the list. Click on it to view the current status. When your certificate is issued you will download it directly from that page!
"Get the most from your digital certificate with these products and services.
"S/MIME In Communicator And Later
"If you are using Netscape 3.x then you will not be able to use S/MIME for secure email and news. Upgrade now to Netscape 4.x or later to encrypt and sign your email!
"Non-US Users Can Get 128-bit Crypto!
"International users of the English version of Netscape Communicator 4.5x and earlier, which supports only 40-bit encryption, can upgrade their software at no cost to support full 128 bit encryption using the Fortify tool, available from https://www.fortify.net/download.html. Users of of the export version of Netscape Communicator 4.6 and later will have 128-bit encryption enabled already."
So now I wait for an email from Thawte. I'll have to install the Mozilla Thunderbird client in order to test this out, but that's work for another day.
Posted on October 18, 2007 at 04:52 PM | Permalink | Comments (2) | TrackBack
Perfect timing: Moderating the Smartphone Summit security panel
With Apple's announcement of the iPhone SDK, and plans to become a trusted source of certified third-party applications for the iPhone, the mobile phone industry is now challenged not to head back down the same path as the PC did, where malware, spyware and viruses broke the trust that the public once had when downloading applications.
I'm pleased to have a contribution to this conversation. Next Monday, I will be moderator of a panel in San Francisco, "Smartphone & Wireless Security: Steps to Safeguarding Your Business," at 2:00 p.m. at the Smartphone Summit.
The future of downloadable applications is at stake. Can we trust Apple, the other handset makers, and the carriers to do application security right? Will the certificate authorities step in and do it instead? Or will we continue to suffer through countless "trust me?" challenges from our devices? If the answer is the latter, I believe the notion of the downloadable application may be as doomed as so many pundits say it is. And that would make the public and all its most confidential information totally dependent on service providers.
Posted on October 18, 2007 at 08:55 AM | Permalink | Comments (0) | TrackBack
My digital signature adventure, Day One
We learn by doing. Some of us learn later than others.
When I listened to an old Security Now! podcast recently, and Leo Laporte told Steve Gibson that he digitally signed all his emails, I resolved then and there to start doing so myself. If Leo can do it, I can do it!
Of course, I'm still not sure what to tell the recipient of my signed email to do with that signature, but just sending signed email seems to me to be a great start.
My email client's old and out of fashion, the operating system is even older, but before I chuck both and just use Gmail or something, it's time once and for all to see if I can digitally sign my emails for the first time.
My email client: Eudora 7.0. The operating system: Windows 2000. There's probably a lot more of these out there than you might think.
First, I download GPG4Win. I click install. It tells me:
Welcome to the installation of Gpg4Win. GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.
This is GPG4Win version 1.1.0. file version 1.1.0.407. release date 2007-05-24.
I deliberately didn't choose the newest version available, figuring an older one would be more stable. But the Web site gave me no advice on this matter.
I'm installing the following: GNU Privacy Guard (not optional), GNU Privacy Assistant (GPA), Windows Privacy Tray (WinPT), GPG Explorer Extensions (GPGee), and Novice Manual. Installed to c:\Program Files\GNU\GnuPG. Added to Start Menu (Eudora folder), Desktop, and Quick Launch Bar.
When I opened the GPGee Manual, the beginning amused and frightened me:
GNU Privacy Guard, or GPG, is the premiere open source implementation of OpenPGP encryption. It is secure, free and open, versatile, and about as user friendly as toxic waste.
After installation, I wasn't sure what to do next. After I clicked on something one too many times, WinPT suddenly stopped working. Sigh. So I rebooted. This time up came the following dialog box:
I chose to generate a key pair (the option selected above). Doing this launched the key generation wizard:
Then I entered a passphrase to generate my key:
And finally, got this encouraging message:
Again, I wasn't too sure what to do next. But I knew Eudora needed its own plug-in to work with GnuPG and GPG4Win. I saw warnings telling me Eudora 7 didn't work with it, but other contradictory message saying that it did. There were also some old, broken links that didn't point to any Eudora plug-in, but finally I found this one and downloaded the plug-in (eudora-gnupg-plugin-2.0rc1.zip)from there. I unzipped the plug-in and read the English documentation. It told me to copy the file Eudora.GPG.dll into the plugins subdirectory of the directory where Eudora is installed.
When I restarted Eudora, new icons had appeared at the top. I created a test email. The new icon that lets me sign an email is at the top in the photo below, visible as a pencil icon (fifth from the right). Below it is the dialog box that appears when I want to enter my passphrase to sign the message. The "signing key" drop-down offers for me to fill the email address I gave when I generated the key pair:
The PGP signature got attached to my message, and the top of the message now states, "BEGIN PGP SIGNED MESSAGE".
I sent this test message off to my wife River, who received it and asked, "how do I know that's you?"
So that's where I stopped for Day One of my digital signature adventure. Another day, I'll try to find her an answer.
UPDATE: Apple's trying to answer River's question too, in order to open up the iPhone to third-party applications.
Posted on October 17, 2007 at 02:43 PM | Permalink | Comments (0) | TrackBack
World Standards Day 2007
From yesterday's World Standards Day Message:
"A world without standards would soon grind to a halt. Transport and trade would seize up. The Internet would simply not function...Standards foster healthy commerce and fair prices. Global standards developed with open processes and with consensus among all stakeholders give access to global markets."
It's been a rough year for the standards process, with allegations left and right about how the standards process is or isn't moving forward based upon the action or inaction of big vendors. Standards would seem to get exponentially harder to adopt given the complexity of the task you're trying to standardize. Still, we must keep trying.
Posted on October 15, 2007 at 10:07 AM | Permalink | Comments (0) | TrackBack
Open software-as-a-service, the Centric CRM way
I respect Marc Benioff. When he was at Oracle and I was at InfoWorld in the 1980s, I knew that he would be a relentless competitor in the software business, and no one has done more in the 2000s to champion hosted software-as-a-service via his startup, Salesforce.com. But my latest Opening Move with Centric CRM's Michael Harvey points out a drawback in Salesforce's model -- lack of ability to move applications from their servers to your own. Harvey's company is proof that demand exists for that alternative.
Posted on October 12, 2007 at 05:02 PM | Permalink | Comments (0) | TrackBack
OpenMoko video fun
The community supporting the development of the OpenMoko phone platform is having lots of fun making teaser videos to build buzz. Check them out.
Posted on October 9, 2007 at 01:56 PM | Permalink | Comments (0) | TrackBack
Does the iPhone contain a big security blunder?
Steven J. Vaughn-Nichols raises quite an alarm regarding iPhone security:
"Now it seems that all applications run on the iPhone as root. Can you say biggest security blunder of the 21st century to date?"
This raises lots of questions for me. First, do any Mac OS X applications run as root as well? If not, why would Apple choose to run the iPhone applications as root?
Posted on October 3, 2007 at 04:05 PM | Permalink | Comments (0) | TrackBack
