Obtaining a Digital Certificate

As mentioned earlier, you can obtain a certificate from a commercial authority such as Verisign, Inc. For internal certificates you can turn to your security administrator or Digital Certificate group, or you can create your own certificate using the Selfcert.exe tool.

Be aware that if you create your own certificate, Access will still generate the macro security warning (at High or Medium security) when your signed database is opened on a computer other than the one where the certificate was created. This happens because Microsoft considers this to be a self-signed database.

The trouble with self-certification is that the certificate isn't trusted because it is not in the Trusted Root Certification Authorities store. This means that if your certificate isn't registered so that Microsoft Authenticode technology can determine its authenticity, the certificate will get a crosswise look. The reason is that a digital certificate you create can be imitated: someone can mimic your certificate and sign a database with it. If you have trusted a digital certificate that has been mimicked, a database signed with that certificate will open, and if that database contains malicious code, it could execute that code. This brings up two important issues:

□ If a certificate you create can be imitated, what kind of security do you really get?

□ If your certificate won't be trusted on another computer, why bother creating your own certificate?

We'll discuss how you can use self-certification in the next section. Let's take the imitation question now.

A certificate is nothing more than a digital document. As with any digital document, it can be copied, replicated, or otherwise imitated. However, Microsoft's Authenticode technology is able to determine the authenticity of the certificate if, and only if, it is in a Trusted Root Certification Authorities store.

Therefore, self-certification is a solution that should be considered only if your databases will be used solely behind the security of a firewall, with antivirus software for protection. If your database, and therefore your certificate, will be made publicly available, such as through the Internet, you will be putting your certificate out where someone could copy it. They could then attach the copy to a database with malicious code and send that database back to you, or worse yet, on to other users who could think the database is from you. If the certificate has been on the computer that is opening the database, that database will be trusted. The database will open and the malicious code will be executed.
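To see which self-signed code-signing certificates a computer already trusts, an administrator can audit the certificate stores. The PowerShell below is an added example, not part of the original text; it assumes the standard Windows certificate provider paths and treats "subject equals issuer, Code Signing usage present, not marked as a CA" as a heuristic for a self-created signing certificate.

```powershell
# Added example: list self-signed code-signing certificates that are already
# trusted on this computer (Trusted Root and Trusted Publishers stores).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\TrustedPublisher',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $codeSigningOid) { return $true }
            }
        }
    }
    return $false
}

function Test-IsCa {
    # Real root authorities are self-signed too; skip anything marked as a CA.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            return $ext.CertificateAuthority
        }
    }
    return $false
}

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -eq $_.Issuer -and (Test-CodeSigningEku $_) -and -not (Test-IsCa $_)
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

# Each row is a certificate whose signature alone makes signed content trusted here.
$findings | Format-Table -AutoSize
```

Any entry that cannot be traced to a certificate your organization deliberately created and distributed is a candidate for removal from the store.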

If you are interested in acquiring a commercial certificate, the Microsoft Developer's Network has a list of root certificate program vendors at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp. When you are looking for a vendor to supply a certificate, you need one that provides a certificate for code signing or that works with Microsoft Authenticode technology.
