Anyang Ren wrote:
> On 6/14/06, Anthony Lieuallen <[EMAIL PROTECTED]> wrote:
>> But, no matter how I import a certificate, I can't get "signtool -l" to
>> list that as one that I can sign things with. It will list a testing
>> cert made with "signtool -G" and then "certutil -L" says "u,u,Cu" for
>> that testing cert, but the same permission on import of a real cert
>> produces "G,,C".
>
> Is "G" a valid trust attribute? It's not documented in the certutil man page
> http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1034193.

Yes, it is, but signtool shouldn't set it on his cert until Anthony asks it
to do so. Can't tell from the above info if he did that or not.

>> So. Is there something special about certs that can be used to sign
>> objects?
>
> I hope you're using "certs" as an informal shorthand for "certs or the
> associated private keys". It's the private keys that can be used to sign
> objects.

When I first replied to Anthony's email, I overlooked the word "objects" at
the end of his sentence. So, I should extend my answer slightly to cover that.

You need a private key to sign *anything*, but to sign "objects" (that is,
executable code), you need a cert that is issued by a CA that is trusted to
issue certs for that purpose. Some CAs issue only SSL server certs, others
issue only email certs, and still others only issue certs for "code signing"
or "object signing" (which are similar in purpose to each other, but not
quite the same).

Most CAs that issue code signing certs do a little more "assurance" checking
than CAs that issue other types of certs (e.g. email certs), and so they may
cost a little more.

At the moment, I'm not equipped with a list of CAs that issue code signing
certificates. Maybe someone else on this list can do that.

-- 
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
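The thread turns on reading certutil's three-field trust string ("SSL,email,object signing") and on the difference between "u,u,Cu" and "G,,C". The following decoder is an added example written for this page, not code from the thread, signtool or NSS. The flag letters and their meanings are taken from the certutil documentation; any other letter (such as the "G" Anyang asked about) is reported as unknown rather than interpreted. The `can_sign_objects` heuristic (object-signing field must carry `u`, which certutil sets when NSS holds the matching private key) is an assumption made for illustration, not signtool's actual listing rule.

```python
"""Decode NSS certutil trust strings such as "u,u,Cu" or "G,,C".

certutil -L prints one trust string per certificate with three
comma-separated fields: SSL, S/MIME (email) and object signing (JAR/XPI).
Added example for this thread; the flag table follows the certutil
documentation, unknown letters are surfaced rather than guessed at.
"""

from dataclasses import dataclass, field

# Trust flag letters as documented for certutil's -t argument.
FLAG_MEANINGS = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates (implies c)",
    "C": "trusted CA to issue server certificates (implies c)",
    "u": "user certificate: usable for authentication or signing "
         "(certutil sets this when it holds the private key)",
    "w": "send warning",
}

USAGE_NAMES = ("ssl", "email", "object_signing")


@dataclass
class TrustField:
    usage: str
    flags: str
    meanings: list = field(default_factory=list)
    unknown: str = ""  # letters not in FLAG_MEANINGS, e.g. "G"

    @property
    def has_private_key(self) -> bool:
        return "u" in self.flags


def parse_trust_string(trust: str) -> dict:
    """Split a certutil trust string into its three usage fields.

    Raises ValueError if the string does not have exactly three fields,
    so a typo like "u,u" is caught instead of silently mis-assigned.
    """
    parts = trust.strip().split(",")
    if len(parts) != 3:
        raise ValueError(
            f"expected 3 comma-separated fields, got {len(parts)}: {trust!r}")
    result = {}
    for usage, flags in zip(USAGE_NAMES, parts):
        known = [FLAG_MEANINGS[ch] for ch in flags if ch in FLAG_MEANINGS]
        unknown = "".join(ch for ch in flags if ch not in FLAG_MEANINGS)
        result[usage] = TrustField(usage, flags, known, unknown)
    return result


def can_sign_objects(trust: str) -> bool:
    """Assumed heuristic (not signtool's actual rule): treat the cert as a
    candidate for object signing only if the object-signing field carries
    'u', i.e. NSS has a usable private key for it in that usage.
    """
    return parse_trust_string(trust)["object_signing"].has_private_key


def unknown_flags(trust: str) -> dict:
    """Map each usage to the undocumented letters found in its field."""
    return {u: f.unknown
            for u, f in parse_trust_string(trust).items() if f.unknown}


if __name__ == "__main__":
    # Constructed samples: the two strings quoted in the thread plus a
    # typical imported root-CA entry.
    for sample in ("u,u,Cu", "G,,C", "CT,C,C"):
        fields = parse_trust_string(sample)
        print(f"{sample!r}: object-signing key usable: "
              f"{can_sign_objects(sample)}")
        for usage in USAGE_NAMES:
            f = fields[usage]
            line = f"  {usage:15} {f.flags!r:8} "
            line += ", ".join(f.meanings) or "(no flags)"
            if f.unknown:
                line += f"  [unknown: {f.unknown!r}]"
            print(line)
```

Run against the thread's two strings, the decoder shows why they differ: the test cert's third field is "Cu" (trusted CA for object signing plus a usable private key), while the imported cert's third field is "C" alone and its SSL field holds the undocumented "G". Whether a given key will sign an object is decided by signtool and by the issuing CA's purpose, as Nelson explains; this decoder only makes the trust string legible.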