December 16, 1996 10 AM ET

Code signing's new Signature
W3C leading industry toward standard digital signatures

By Michael Moeller

Several industry heavyweights are eyeing a standard way to secure Internet software transfers, as the digital superhighway becomes a more common mode of application deployment and distribution.

The W3C (World Wide Web Consortium) is corralling Microsoft Corp., JavaSoft, Netscape Communications Corp., Oracle Corp., IBM, AT&T Corp. and several others to craft a method for digitally signing and authenticating Java applets and ActiveX controls.

A draft of the Digital Signature Initiative is due to be announced at the end of next month, after which all vendors involved will begin work on implementing it in trial systems, said Philip DesAutels, project manager for the initiative for the W3C, based in Cambridge, Mass.

The technology will be encryption protocol-neutral and will support such digital signature standards as PKCS#7 and X.509v3, said officials. The new system also will support the Platform for Internet Content Selection rating system.

The initiative fills a gap for a common "trust system" for knowing who created a downloadable piece of software, why it was created and what it can do to a user's computer, DesAutels said. In addition, it goes a step beyond Microsoft's Authenticode, a common form of code signing that enables Java applets or ActiveX controls to be signed by their author to establish accountability.

Netscape and JavaSoft are putting the final touches on co-developed technologies called JAR (Java Archive Format) and Java security APIs, which sign only Java applets, JavaSoft and Netscape officials said.

Microsoft, JavaSoft and Netscape officials all pledged to support any standard as long as it was implemented in an open way.

"We are closely working with the W3C, and once a standard method for signing code is completed, we will take a look at how it fits with Authenticode and see how soon we are able to get the new standard into our products," said John Brown, program manager for electronic commerce at Microsoft, in Redmond, Wash. "From what we can see, there is not a lot of work that has to be done, so supporting the standard will not mean we have to rebuild our technology."

Netscape and JavaSoft officials added that they too are closely watching what the W3C comes up with, but they feel that for the time being it is important to get products out the door that provide additional security beyond current Java security.

"Our code-signing format, jointly spec'd and developed with Netscape, is likely to be our input to the W3C group," said Li Gong, Java security architect at JavaSoft. "The format is flexible and extensible."

The W3C's Digital Signature Initiative promises to prevent any proprietary code-signing method from becoming too well-established and will allow methods such as Microsoft's Authenticode to work within the standard.

The standard promises to provide a mechanism to allow independent software testing centers or companies to check the code for viruses or bugs and create a rating system that could be adopted by corporations or users, said DesAutels.

If a user adopted a specific rating system, it would be embedded into his or her browser. Then, when a user attempts to download an applet, the code would search for the applet's virtual certification and either run the applet or deny access, said DesAutels.
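The trust decision described in the last three paragraphs, modelled as an added example that is not part of the article or of any vendor's product: an author signs a manifest stating who wrote the code, why, and what it may do; a testing center signs a rating label over the same digest; and the browser's embedded policy decides whether to run or deny. Signer names, keys, rating vocabulary and the HMAC stand-in for a real PKCS#7/X.509 signature are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys, looked up by signer name. A real system would verify
# PKCS#7/X.509 signatures; HMAC over canonical JSON is a simplification used here.
KEYS = {"Acme Applets": b"author-key-example", "CheckIt Labs": b"lab-key-example"}

def sign(signer: str, payload: dict) -> str:
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()

def verify(signed: dict) -> bool:
    signer = signed["payload"]["signer"]
    if signer not in KEYS:
        return False
    return hmac.compare_digest(sign(signer, signed["payload"]), signed["signature"])

def author_manifest(code: bytes, signer: str, purpose: str, capabilities: list) -> dict:
    payload = {"signer": signer, "digest": hashlib.sha256(code).hexdigest(),
               "purpose": purpose, "capabilities": capabilities}
    return {"payload": payload, "signature": sign(signer, payload)}

def lab_rating(manifest: dict, signer: str, rating: str) -> dict:
    payload = {"signer": signer, "digest": manifest["payload"]["digest"], "rating": rating}
    return {"payload": payload, "signature": sign(signer, payload)}

def decide(code: bytes, manifest: dict, rating: dict, policy: dict) -> str:
    """Browser-side decision over the downloaded bytes: 'run' or 'deny: <reason>'."""
    digest = hashlib.sha256(code).hexdigest()
    m, r = manifest["payload"], rating["payload"]
    if m["digest"] != digest:
        return "deny: code does not match signed digest"
    if not verify(manifest):
        return "deny: bad author signature"
    if m["signer"] not in policy["trusted_authors"]:
        return "deny: untrusted author"
    if not set(m["capabilities"]) <= policy["allowed_capabilities"]:
        return "deny: requests disallowed capability"
    if r["digest"] != digest or not verify(rating):
        return "deny: bad rating label"
    if r["signer"] not in policy["trusted_labs"] or r["rating"] not in policy["accepted_ratings"]:
        return "deny: rating not accepted"
    return "run"

# Constructed sample: an applet, its manifest, a lab rating and the user's embedded policy.
APPLET = b"\xca\xfe\xba\xbe example applet bytes"
MANIFEST = author_manifest(APPLET, "Acme Applets", "stock ticker", ["network"])
RATING = lab_rating(MANIFEST, "CheckIt Labs", "virus-free")
POLICY = {"trusted_authors": {"Acme Applets"}, "trusted_labs": {"CheckIt Labs"},
          "accepted_ratings": {"virus-free"}, "allowed_capabilities": {"network"}}
```

Any change to the code bytes, the manifest's capability list, or the rating label breaks the chain and the decision falls to "deny" with the reason.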

Copyright(c) 1996 Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. PC Week and the PC Week logo are trademarks of Ziff-Davis Publishing Company. PC Week Online and the PC Week Online logo are trademarks of Ziff-Davis Publishing Company.
