FAQ. VeriSign Marimba Castanet™
When I download a piece of software over the Internet, my Castanet tuner shows me a VeriSign "certificate." What does this certificate mean?
Display of the VeriSign software publisher certificate provides end users with assurance of the identity of the individual or organization who published this piece of software and with assurance that the software has not been altered or tampered with since it left the software publisher. VeriSign maintains rigorous procedural and quality control standards in the authentication of publishers and in the creation, issuance, and maintenance of certificates. These standards are documented in the VeriSign Certification Practices Statement (CPS). For more information, please see www.verisign.com/repository/CPS.
Given this information and assurance, end users can make an informed decision about downloading this software from the Internet.
What kinds of content can I sign with Channel Signing IDs?
Any content distributed over a Marimba Castanet channel can be signed. Examples include: text, multimedia, JavaScripts, HTML pages, Java applets, Java applications, Marimba Bongo presentations, plugins, or any other kind of code.
How do I sign content using Channel Signing IDs?
Signing code is a very quick process, and needs to be done only once, just before distribution. Software publishers can step through the code-signing process easily within a few minutes.
Signing a channel is easy once you receive your Channel Signing Digital ID from VeriSign. The Castanet Publisher helps you request and install your ID and then allows you to sign channels with it. However, it currently takes 3-5 days to issue new certificates; be sure to allow for this delay in your publishing schedule.
For publishers, content signing requires just nine steps. To sign a channel:
- Download the latest version of Marimba's Castanet Technology (later than v1.1).
- Start the Castanet publisher and set the normal publishing properties.
- From the Security tab, click Request Certificate.
- Apply for a Channel Signing Digital ID using the instructions in the wizard that appears.
As part of the application process, VeriSign will ask a number of important questions about you and your organization, which it will use to authenticate your identity. Identity authentication is an involved, highly manual process. Once you have completed the application, it will take approximately 3-5 days to verify your information and issue a Digital ID. At the end of this process, you will have both a VeriSign certificate and a private key that you must store securely. You will need both to sign your content.
- After you receive your Channel Signing PIN, return to the Security tab in the Castanet publisher and click Install. You will need to provide the PIN that came in the email message from VeriSign. You must install your certificate using the same copy of the Castanet publisher application that you used during the request process. (At the end of this process, you will have both a VeriSign certificate and a private key that is stored securely. You will need both to sign your channels.)
- Select your certificate from the certificate list and check the Enable Channel Signing checkbox. Select the appropriate channel signing options for the channel.
- Click Apply to save your changes. When you're ready to publish the channel, click Publish. The publisher sends your channel to your transmitter. Subscribers to your channel will see that the channel is signed and can examine your certificate.
- Note: You will need to enroll for and install your Digital ID using the same copy of Marimba Castanet.
- Sign your files
Information on signing files using Marimba Castanet may be found in the
Marimba HELP file.
I am a developer outside of the United States and Canada. How
can I get a Channel Signing ID?
International commercial publishers can obtain a Digital ID from VeriSign,
if they have a Dun & Bradstreet number or written, translated proof of
company registration (e.g. Articles of Incorporation).
What can I do to speed up the issuance process?
Because Digital IDs are only issued after significant, and highly manual,
authentication procedures, turnaround times for these certificates are not
immediate. Nevertheless, you can speed the process by:
- Using a proper Dun & Bradstreet DUNS number as your Organizational
Proof of Right. (Almost ALL organizations have DUNS numbers. You can look
yours up by going to www.dnb.com.)
- Paying by credit card.
- Checking and re-checking all information on your enrollment form for completeness and accuracy.
- Making sure that the person who is chosen as the Organizational Contact
is a duly authorized employee of your organization, informed about Digital
IDs, and easily available for contact. (We must speak directly with the
organizational contact before issuing a Digital ID.)
Will Software Publisher Digital IDs purchased for use with Microsoft Authenticode work for Channel Signing?
Unfortunately, no. Due to technological differences between Authenticode and Channel Signing, as well as differences in the
security and authentication policies of Microsoft and Marimba, software
publishers will need to obtain separate software signing certificates if
they wish to sign code for Authenticode. VeriSign is
actively investigating options for making these certificates interoperable.
Where are my private key and certificate stored?
You were prompted for a location to store your private key when you
enrolled for your Digital ID. Most people choose to store a copy of their
private key, as a file with the extension *.p12, on a diskette which is
kept in a secure location.
How can I view a channel signing certificate in the Castanet environment?
You can view a certificate using either the Castanet publisher or the Castanet tuner.
To view your certificate using the publisher:
- Open Castanet publisher
- Select any channel for editing
- Click the Security tab
- Select the certificate you want to view
- Click View Certificate
To view a certificate using the tuner:
- Open the Tuner
- From the Channels tab, select a channel published with the certificate you want to view (signed channels have a pen icon in the channel security column)
- Select Channel Security from the Channel menu
- Click Certificate.
How long is a certificate valid? What happens once it expires?
A certificate is valid for one year. You can check the validity dates of your certificate by viewing the certificate. For more information on viewing a certificate, refer to "How can I view a channel signing certificate in the Castanet environment?" in this FAQ.
In addition, users attempting to download signed objects
after the expiration date will be informed that the certificate has
expired. In some cases, this will mean that, by default, they will not be
able to download the signed objects. Therefore, in considering your product
lifecycle, you will want to renew your Digital ID, and re-sign objects with
it, on a regular basis. For your convenience, VeriSign will notify you
three weeks before your ID is due to expire.
Is there timestamping associated with Channel Signing IDs?
Not at this time. However, Marimba and VeriSign are exploring this option.
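As an added illustration (not code from Marimba or VeriSign), the Python sketch below models the two answers above: with no timestamping the certificate is judged on the download date, so every channel signed with it needs a renewed ID and a re-sign before expiry. The `Cert` record, function names, state labels and sample data are assumptions made for this example; the 5-day and 21-day figures come from this FAQ.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures taken from the FAQ text.
ISSUANCE_DAYS = 5   # "3-5 days to issue new certificates" (worst case)
NOTICE_DAYS = 21    # VeriSign notifies three weeks before the ID expires


@dataclass(frozen=True)
class Cert:          # hypothetical record, not a Castanet data structure
    serial: str
    not_before: date
    not_after: date


def verdict_at_download(cert: Cert, on: date) -> str:
    """No timestamping: the certificate is judged on the download date,
    so the date the channel was signed plays no part."""
    if on < cert.not_before:
        return "not-yet-valid"
    return "valid" if on <= cert.not_after else "expired"


def renewal_plan(cert: Cert, channels: dict, today: date) -> dict:
    """channels maps channel name -> serial of the certificate that signed it."""
    apply_by = cert.not_after - timedelta(days=ISSUANCE_DAYS)
    notice_on = cert.not_after - timedelta(days=NOTICE_DAYS)
    if today > cert.not_after:
        state = "expired"       # subscribers already see the expiry warning
    elif today > apply_by:
        state = "late"          # a new ID may not be issued before expiry
    elif today >= notice_on:
        state = "renew-now"     # inside the three-week notice window
    else:
        state = "ok"
    return {
        "state": state,
        "notice_on": notice_on,
        "apply_by": apply_by,
        # Every channel signed with this certificate must be re-signed.
        "resign": sorted(n for n, s in channels.items() if s == cert.serial),
    }


# Constructed sample data (serials and channel names are made up).
CERT = Cert("SAMPLE-01", date(1997, 6, 1), date(1998, 6, 1))
CHANNELS = {"news": "SAMPLE-01", "tools": "SAMPLE-01", "demo": "SAMPLE-00"}

if __name__ == "__main__":
    print(verdict_at_download(CERT, date(1998, 6, 2)))
    print(renewal_plan(CERT, CHANNELS, date(1998, 5, 15)))
```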
Is VeriSign offering Class 2 Individual Channel Signing IDs?
No. Given the nature of the Marimba Castanet product, we did not feel that
a Class 2 ID would provide appropriate security for this environment.
How much are Channel Signing IDs?
Channel Signing IDs are $400 each. There is no discount at this time for
volume purchases.
- Digital ID is valid for one year
- Includes full-lifecycle services
- Includes $100,000 in NetSure protection.
What is NetSure?
NetSure is a program which guards against economic loss due to theft,
impersonation, corruption or loss of use of a VeriSign Digital ID. This
groundbreaking protection program for Internet commerce was developed with,
and is backed by, one of the country's leading insurance underwriters -
United States Fidelity & Guaranty Company (USF&G). For more details, please
see www.verisign.com/repository/index.html
Where should I go if I have more questions?
For questions regarding the use of your Marimba Transmitter or Tuner,
please call Marimba directly, or visit www.marimba.com/
For questions regarding your Digital ID, including installation,
revocation, renewal, etc. please write to admin@adgrafics.net or call
+38.038276551