CIP - Digitally signed address as an NFT

That’s just because they have forbidden it administratively. Technically it is no problem at all. And since we/you are inventing a totally new use case here, we can, of course, use simple and omnipresent SSL certificates for it.

Precisely.

For what it’s worth:

$ wget https://heptasean.de/.well-known/cardano/addresses.json
$ wget https://heptasean.de/.well-known/cardano/addresses.json.sha512
$ echo "Q" | openssl s_client -showcerts -servername heptasean.de -connect heptasean.de:443 | openssl x509 -pubkey -noout > heptasean.pub
$ openssl dgst -sha512 -verify heptasean.pub -signature addresses.json.sha512 addresses.json
Verified OK

You are confusing certificates and private keys, here. The certificate is the file signed by the certificate authority that contains the information about the certified entity. Without it, a signature (of code or of a file with Cardano addresses) is worthless. Anybody could sign it. The signature is only worth something if the certificate tells me who signed it.

No, they bought a three-year certificate expiring in July 2022 for 664 USD/year from DigiCert.

I don’t have Windows. But running as admin just to check a digital signature seems ill-advised. Can’t you just right-click and look in the “Digital Signatures” tab of the properties?

Found a tool that checks the signature on Linux, though:

$ osslsigncode verify /tmp/daedalus-4.8.0-mainnet-20689.exe
Current PE checksum   : 13CA11F6
Calculated PE checksum: 13CA11F6

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : 58CDF18F562342CB1B39250A062D28109B28EE2E0B2C9495D69E16EC45302E3D
Calculated message digest : 58CDF18F562342CB1B39250A062D28109B28EE2E0B2C9495D69E16EC45302E3D

Signer's certificate:
	Signer #0:
		Subject: /jurisdictionC=HK/businessCategory=Private Organization/serialNumber=2209898/C=HK/L=Hong Kong/O=Input Output HK Limited/CN=Input Output HK Limited
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Serial : 0CC7B8B8E15F0B939456A20BFD5132CD
		Certificate expiration date:
			notBefore : Jul 11 00:00:00 2019 GMT
			notAfter : Jul  6 12:00:00 2022 GMT
[…]

As you can see, the certificate is contained, and it is a three-year certificate by DigiCert.

Point still stands:

  • EV certificates are much too expensive for this use case. For TLS, nobody uses them anymore. For code signing, they are used in the Windows world.
  • We could use standard SSL certificates.
  • But I would think putting the list of addresses on a website and in DNS is enough and signing is not necessary.
  • Putting signatures or certificates in an NFT is just wrong. If they are used, they should reside at a website.
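
The openssl commands in the post check the signature against a public key; the certificate point made there is that the key only means something once the certificate has been validated for the expected name. The following is an added example, not part of the original post, that performs both steps offline with a throwaway CA. The host name demo.example, all file names and the address value are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CA, leaf certificate for demo.example, signed addresses.json.

make_demo() (  # $1 = empty work dir
  set -e
  cd "$1"
  # Minimal config so the test CA is marked as a CA regardless of the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=x\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Test CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=demo.example" -keyout site.key -out site.csr 2>/dev/null
  printf 'subjectAltName=DNS:demo.example\n' > san.ext
  openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.ext -out site.pem 2>/dev/null
  # The site operator signs the address list with the TLS private key.
  printf '{"addresses":["addr1_constructed_sample"]}\n' > addresses.json
  openssl dgst -sha512 -sign site.key -out addresses.json.sha512 addresses.json
)

# $1 = work dir, $2 = expected host name, $3 = file to check
# Exit status: 0 ok, 2 certificate not trusted for that name, 3 bad signature.
verify_addresses() (
  cd "$1" || exit 1
  # 1. The certificate must chain to a trusted CA and name the expected host.
  openssl verify -CAfile ca.pem -verify_hostname "$2" site.pem >/dev/null 2>&1 || exit 2
  # 2. Only then is the key inside it meaningful for checking the signature.
  openssl x509 -in site.pem -pubkey -noout > site.pub
  openssl dgst -sha512 -verify site.pub -signature addresses.json.sha512 "$3" \
    >/dev/null 2>&1 || exit 3
)
```

Against a real site, `ca.pem` would be replaced by the system trust store and `site.pem` by the certificate chain the server presents.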