On 24/01/2014 4:28, Charles Mills wrote:
> I am looking for a general tutorial on how SSL/TLS program distribution
> signing works.
> Level set: I *am* quite conversant with SSL/TLS technology as it applies to
> Web and similar clients and servers.
> Thanks much. (Not totally OT: one thing I want to sign is Z software
> distributed via the Web.)
I sign code on Windows, I expect the principles would be similar for z/OS.
You need a specific code signing certificate. They are similar to SSL
certificates, but when you purchase one they do more stringent checks to
make sure that your organization exists, and you are authorized to
request the certificate for your organization.
Somewhat confusingly, on Windows the certificate ends up installed in
the Web browser. You can export it from there to transfer it to other
systems etc. In IE, it can be exported from Internet
Options->Content->Certificates.
Once you have the certificate, you use a utility to sign the executable
with the certificate. I don't know exactly what it does, I think it
embeds a digital signature and the corresponding public key signed by
the certificate authority. The end user can then check the signature to
validate that the executable is from the organization and has not been
modified. Windows does this automatically for installation files and
warns if the software is not signed. Like SSL, there is a chain of
certificates that should lead back to a known certificate authority
whose public key you already have.
You can also timestamp the signature. This contacts a timestamp server
run by the certificate authority, and adds a signed timestamp that shows
that the signature was generated while the certificate was valid. This
means that when the code signing certificate expires, existing
signatures are still valid. You just can't generate new signatures.
There is some documentation at:
http://certhelp.ksoftware.net/support/home
(I purchased my certificate from K software, who sell Comodo certificates)
Hope this helps,
Andrew Rowley
--
and...@blackhillsoftware.com
+61 413 302 386
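Worked example of the signing, certificate-chain and expiry points in Andrew's reply, added here and not part of his post or of any vendor's tooling: a POSIX shell script that uses OpenSSL CMS signatures in place of Windows Authenticode. The root CA, the publisher certificate and the "program" file are all constructed throwaways created in a temp directory.

```shell
#!/bin/sh
# Constructed demo of the signing flow from the post, using OpenSSL:
# a throwaway CA issues a code-signing certificate, the publisher signs a
# stand-in "executable", and the recipient verifies against the CA's key.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway root CA (stands in for a real CA whose public key users already hold)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null

# 2. Publisher key pair and a certificate restricted to code signing (EKU)
openssl req -newkey rsa:2048 -nodes -subj "/O=Example Publisher/CN=Code Signing" \
  -keyout signer.key -out signer.csr 2>/dev/null
printf 'extendedKeyUsage=codeSigning\n' > ext.cnf
openssl x509 -req -in signer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile ext.cnf -out signer.pem 2>/dev/null

# 3. Constructed stand-in for the program being distributed
printf 'pretend this is the executable\n' > program.bin

# sign_file FILE: detached CMS signature over FILE that embeds the signer's
# certificate, the same idea as the signature block embedded in a signed EXE
sign_file() {
  openssl cms -sign -binary -in "$1" -signer signer.pem -inkey signer.key \
    -outform DER -out "$1.sig" 2>/dev/null
}

# verify_file_at FILE EPOCH: succeed only if the signature matches FILE and the
# signer chains to ca.pem with the certificate valid at EPOCH (Unix seconds).
# -purpose any: OpenSSL's default S/MIME purpose would reject a code-signing-only EKU.
verify_file_at() {
  openssl cms -verify -binary -content "$1" -in "$1.sig" -inform DER \
    -CAfile ca.pem -purpose any -attime "$2" -out /dev/null >/dev/null 2>&1
}

# verify_file FILE: verify as of now
verify_file() { verify_file_at "$1" "$(date +%s)"; }

sign_file program.bin
verify_file program.bin && echo "signature OK, chains to Demo Root CA"

# 60 days out the certificate has expired; with no timestamp countersignature
# the existing signature stops verifying, which is what timestamping prevents.
verify_file_at program.bin "$(( $(date +%s) + 60*86400 ))" \
  || echo "signature rejected once the certificate has expired"

# Any change to the file breaks the signature
cp program.bin tampered.bin; cp program.bin.sig tampered.bin.sig
printf 'x' >> tampered.bin
verify_file tampered.bin || echo "tampered file rejected"
```

A real timestamp countersignature (RFC 3161 from the CA's timestamp server) would let the first verification keep succeeding after expiry; OpenSSL's `ts` subcommand can produce one, but that needs a reachable timestamp authority, so it is left out of this offline script.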
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN