About X.509 publik key Certificates and all that stuff
According to the HISTORY OF SIGNATURE the earliest known signature from a well-known historical figure is that of nobleman and military leader "El Cid" of medieval Spain:
Why is this concept of signature so important? Because it lays the foundations for what we call a documented expression of TRUST. A document with a signature is to be trusted to express the will or the consent of the person that has signed this document. And the signature of a person who has been authorized by a trusted authority has the same power. This is made possible by the so-called CHAIN of TRUST:
So the whole chain of trust is based on the ROOT AUTHORITY. All these are also fundamental concepts of digital signatures. A signed electronic file is trusted to be secure because it has a certificate attached where the mathematical public key algorithms of its encryption are able to guarantee that nobody can falsify this certificate and that this certificate is traceable back to its root certificate.
But this signature functionality is only one side of the coin. Because if the signature is missing from an electronic file where there is expected to be a certified signature then this signature becomes the functionality of a SEAL. The Wikipedia article for "Seal" states: "The original purpose was to authenticate a document, a wrapper for one such as a modern envelope, or the cover of a container or package holding valuables or other objects.":
The intact seal guarantees that nobody has accessed the content of a sealed container with valuable information or that nobody has replaced the diamonds in the container with worthless pieces of glass. You see that for this functionality the trust in the seal's authenticity is important, but more important is its certified intactness. So if an electronic file has no certificate attached where we expect one then the probability is high that someone has changed that electronic file, maybe for a malicious purpose.
So, in summary we can depict the two main functionalities of a digital certificate as follows:
For this reason many organizations have a strict security-policy about the software programs used on their computers: Every program must have a proof of intactness and authenticity to protect it from being replaced by a malware-infected copy of the program. Another requirement is that this intactness and authenticity must be easily verifiable.
That's exactly the property of the PA-RUN EXE-SEAL introduced in its upcoming PA-RUN version 2.0: A Public Key Certificate self-signed by the user and used to sign programs with a proven trust. The following steps are implemented:
- The user needs to use a specific program which unfortunately has no digital signature (as shown by the PA-RUN Security Icon: ), while he must follow the requirements of his organization's security policy.
- The user clicks on this icon : PA-RUN then asks the user to create a self-signed PA-RUN EXE-SEAL Certificate which can be done with a simple mouse-click after having answered a few questions. (This must be done only ONCE, as the PA-RUN EXE-SEAL certificate is then automatically stored in the PA-RUN data folder and can be used in the future to sign unsigned programs).
- The user then gets a proof that this program is not infected by any malware, e.g. by clicking on the PA-RUN Virus-Check Security Icon: or or by using another AV-scanner. This step is very important, as the trust of the PA-RUN EXE-SEAL Certificate is based on this step.
- The user then signs the unsigned program with the PA-RUN EXE-SEAL Certificate which requires a simple mouse-click.
- From now on, each time the user loads this program in PA-RUN (e.g. by dropping its start-menu icon on the PA-RUN window) the PA-RUN EXE-SEAL Icon is shown. This gives the user the guarantee that this program has not been infected by any malware or by a a hacker after being signed with the PA-RUN EXE-SEAL Certificate: If only one single bit of the program file has been changed then the PA-RUN EXE-SEAL is broken and again shows the "Unsigned" Security Icon:
- PA-RUN also keeps track of the programs signed with the PA-RUN EXE-SEAL, so if a previously signed program has lost its PA-RUN EXE-SEAL then PA-RUN warns the user with this icon: