Re: Using javakey with non-javakey-generated keys

Marianne Mueller (mrm@eng.sun.com)
Thu, 20 Feb 1997 10:00:45 -0800

Date: Thu, 20 Feb 1997 10:00:45 -0800
Message-Id: <199702201800.KAA28455@puffin.eng.sun.com>
From: Marianne Mueller <mrm@eng.sun.com>
To: jmason@iona.com
Subject: Re: Using javakey with non-javakey-generated keys

> I'm sure this is a bit of a FAQ. Are there plans to support signing
> JARs using Verisign keys, e.g. the keys used with Microsoft's
> Authenticode? I notice they don't seem to be in the DER format used at
> least by ssleay and javakey.
>
> Alternatively, does anyone know how to get legal DER credentials out of the
> Authenticode creds?

At the risk of restating your question for you :-), I bet you meant to
ask, "will the JDK 1.1 digital signature interoperate with Microsoft
IE? And how about Authenticode and its tools?"

To address your question directly --

Keys aren't associated with VeriSign or any CA, but they are
associated with some signature algorithm. For example, a signature
scheme that uses MD5 and RSA would use RSA private/public
key pairs. A signature scheme that uses the DSA algorithm uses
DSA private/public key pairs.

Today, people distribute their public keys via X509 certificates
issued by a Certificate Authority like VeriSign. (There are other
CA's, too.) To date, most certificates have been issued to support
RSA public keys.

What we need is for CA's to issue X509 certificates for DSA keypairs,
since that is the algorithm the JDK 1.1 Sun provider implementation
is using.

So, if you'd like to use the open, documented Java digital signatures
introduced in JDK 1.1, tell the browser vendors that (so that they'll
understand there is demand for them to integrate this into their
browsers) and tell the CA's like VeriSign (so that they'll understand
there is demand for DSA certificates.)

To address what I think your question is really asking --

We are completely in favor of interoperability of digital signatures.
We are supportive of and working closely with the W3C on standards for
digital signature file formats and other related issues. (See
http://www.w3.org/pub/WWW/Security/DSig/Overview.html for info on
the standards effort.)

I don't know the details of how Microsoft is encoding or decoding keys
for Authenticode. I believe they are using the standard format for
RSA keys, and they are using X509 certificates. I have no idea
how to get DER credentials out of the Authenticode creds. You might
ask Microsoft if they publish details of their file formats for that.
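
Added example, not part of the original message or of the JDK: the reply's point that a key belongs to a signature algorithm (RSA or DSA) rather than to a CA can be checked by reading the algorithm OID from the DER-encoded SubjectPublicKeyInfo that an X509 certificate carries. The function names and the sample bytes are constructed for illustration; the two OIDs are the standard RSA and DSA key identifiers.

```python
# Added example: name the key algorithm of a DER SubjectPublicKeyInfo.
KEY_ALGORITHMS = {"1.2.840.113549.1.1.1": "RSA",   # standard algorithm OIDs
                  "1.2.840.10040.4.1": "DSA"}

def read_tlv(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # high bit clear ends this arc
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def key_algorithm(spki_der):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }"""
    tag, spki, _ = read_tlv(spki_der)
    alg_tag, alg_id, _ = read_tlv(spki)
    oid_tag, oid, _ = read_tlv(alg_id)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a SubjectPublicKeyInfo")
    dotted = decode_oid(oid)
    return KEY_ALGORITHMS.get(dotted, "unknown: " + dotted)

def tlv(tag, body):                     # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body
# Constructed sample (placeholder key bits, not a real key).
SAMPLE_RSA = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                           + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\xaa" * 8))
```

key_algorithm(SAMPLE_RSA) returns "RSA"; the same structure carrying the DSA OID returns "DSA", whichever CA issued the surrounding certificate.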