Re: Netscape Object signing certificates and the Java 1.2.2 plug-in

Jan Luehe (luehe@laguna.eng.sun.com)
Tue, 17 Aug 1999 18:14:42 -0700 (PDT)

Message-Id: <199908180114.SAA14173@laguna.eng.sun.com>
To: java-security@java.sun.com, tom.williams@diversifiedsoftware.com

Tom:

> Hi! I just bought a Netscape Object Signing certificate from Verisign and
> after I tried it out I found the messages about the security hole that was
> found in 1.2.2RC1 and how IE's CA store should be used instead of
> Netscape's to circumvent the problem.

No, the problem was caused by one of the Microsoft CAPI APIs we
had been using in 1.2.2-RC1, which opened a security hole.

In the final 1.2.2 release, we avoided using that particular API,
but realized that our workaround is too restrictive when
different versions of a Root CA certificate (w/ different
validity timeframes) are available on different browsers.

It looks like the only Root CA where our workaround
causes a problem is the codesigning (Class 3) Verisign Root CA,
of which different versions are installed on different browsers.

Other Root CAs (e.g., www.thawte.com) work fine, since the same
version is installed on all browsers.

> I have three questions:
>
> 1) Where is IE's CA store and how do I "import/load" it into Netscape? I'm
> using Netscape 4.61 and Internet Explorer 4.0 on Windows 98 with the Java
> 1.2.2 FCS plug-in

See 3)

> 2) Will the Java plug-in security online documentation be updated to
> caution users about which third-party certificates to use?

Unfortunately, we cannot recommend any specific Root CAs.
However, we know that using a codesigning certificate from Thawte
works well with 1.2.2.
We hope to be able to implement a less restrictive approach in
the 1.3 timeframe.

> 3) If I must do this on my own browser to run my signed applet, does that
> mean that every browser I send the applet out to will/might have this same
> problem?

You can avoid this problem by using a Root CA (e.g., Thawte) of which
only a single version is available on all browsers.

The attached email is from someone who went through the exact same
issues as you and who followed our recommendation to get around
the problem.

Jan

Date: Wed, 28 Jul 1999 14:33:28 -0500
To: java-security@java.sun.com
From: "Christian M. Forster" <cforster@i-review.com>
Subject: Re: "Java Plug-In Security Warning" dialog working under 1.2.2
px (FCS)!
Cc: luehe@laguna.eng.sun.com, jerome.dochez@eng.sun.com,
Thomas.Ball@eng.sun.com, stanleyh@eng.sun.com

Hi All!

I'm sending this message to update people on this topic & to provide some
closure for this issue for 1.2.2 plug-in FCS.

After many trials & tribulations & much clarification from Jan, I'm pleased
to announce that I've been successful using RSA Netscape Obj Signing to sign
a JAR & having it properly display the "Java Plug-In Security Warning"
dialog under NN & IE using 1.2.2 FCS.

In the effort to close a security hole in 1.2.2 RC1's certificate chain
verification, the 1.2.2 FCS plug-in release requires an *exact* match of the
JAR signer's root CA certificate (fingerprint) with one in IE's CA store on
the executing platform. Just matching the public key is not sufficient; the
validity period, etc. must also match.

Thus, the problem I was experiencing was due to the proliferation of valid,
but different (expiring in 2004, 2018, 2028, etc.) Root CA certificates
(from the popular certificate provider I originally used) in various
incarnations of IE's CA store. Note, IE's CA store is used for verification
in the executing environment whether using Netscape or IE (see
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html).

After purchasing and using a Thawte Netscape Obj Signing cert (available at
http://www.thawte.com/certs/developer/nsobjectsign.html), every execution
environment I've tried so far (WinNT 4 / IE 4 & NC 4.04, Win95 / IE 4 & NC
4.6) has successfully shown the dialog. I have yet to confirm other Win32
environs (Win98) & Solaris, but I've received confirmation from a Thawte rep
that the specific Root CA issued in their n.o.s. certs & for CA stores is
ubiquitous and should be present in IE 4+ installs.

On to the next hurdle... Thanks to everyone for the help!

Best regards,
Chris
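
Added example, not part of either message and not the plug-in's own code: the exact-match rule described above, reproduced with the openssl command line on two constructed versions of one root CA that share a key and name but expire on different dates. The function names, the subject name, the day counts and the use of SHA-256 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed root certificates, not real CA material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root from key $1, valid for $2 days, written to $3.
make_root() {
    openssl req -x509 -new -key "$1" -sha256 -days "$2" -set_serial 1 \
        -subj "/O=Example Trust (constructed)/CN=Example Code Signing Root" \
        -out "$3"
}

# Hash of the whole DER certificate: changes when any field changes.
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Hash of the SubjectPublicKeyInfo only: stable across re-issues of one key.
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the signer's root ($1) with every certificate in a store (the rest).
# Prints: exact          the same certificate is in the store
#         other-version  same key, different certificate (e.g. other expiry)
#         unknown        the key is not in the store at all
classify_root() {
    signer=$1; shift
    result=unknown
    for c in "$@"; do
        if [ "$(cert_fp "$c")" = "$(cert_fp "$signer")" ]; then
            echo exact; return 0
        elif [ "$(spki_fp "$c")" = "$(spki_fp "$signer")" ]; then
            result=other-version
        fi
    done
    echo "$result"
}

# One key, two certificate versions with different lifetimes.
openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
make_root "$WORK/root.key" 1825 "$WORK/signer_root.pem"   # root in the JAR's chain
make_root "$WORK/root.key" 7300 "$WORK/store_root.pem"    # root in the client store
openssl x509 -in "$WORK/signer_root.pem" -noout -enddate
openssl x509 -in "$WORK/store_root.pem" -noout -enddate
echo "verdict: $(classify_root "$WORK/signer_root.pem" "$WORK/store_root.pem")"
```

An `other-version` verdict is the situation in the thread: the store knows the root's key, but an exact-match check still rejects the chain because the certificate bytes differ.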