[ale] Java Code Signing Certificates?
Jason Day
jasonday at worldnet.att.net
Tue Jan 31 14:59:26 EST 2006

On Tue, Jan 31, 2006 at 09:07:56AM -0500, Christopher Fowler wrote:
> This is a good question. I'll be following this thread.
> We have an applet on our Tomcat server that many of our customers have
> asked us if that applet could gain access to the Windows clipboard. The
> only way I could see this being done is by a certificate. When I've
> pushed the numbers on them they decided that copy and paste was not
> worth that much dinero.

You can do this with a self-signed certificate. Jake Berner posted a
good reply with the relevant information for generating a self-signed
certificate.

When the Java plugin in the browser downloads a signed jar file, it
checks and verifies the certificate chain, and displays a dialog box
that lets the user decide whether to trust the code. If the certificate
that was used to sign the jar was issued by a trusted CA, like Verisign
or Thawte, the dialog box will say so. If, however, the code signing
cert was not issued by a trusted CA, then the dialog box will look a
little scarier, and it will explicitly say that the signature cannot be
verified by a trusted source. This is similar to the dialog boxes you
get in Mozilla or Firefox if you visit an SSL web site that uses a
self-signed certificate.

Depending on your customer base, you could always have them verify the
certificate's footprint with you over the phone or by similar means.

HTH,
Jason
--
Jason Day jasonday at
http://jasonday.home.att.net worldnet dot att dot net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
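
The out-of-band check suggested in the message above, as an added example that is not part of the original post: compute the certificate's fingerprint (the post's "footprint") and compare it with the value read over the phone. All function names are hypothetical, SAMPLE_DER is constructed stand-in data rather than a real certificate, and the hash algorithm is a parameter so it can match whatever the tool displaying the certificate shows.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate's DER bytes. A fingerprint is a hash
# of the encoded certificate, so any byte string exercises the check.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed sample certificate body"

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hash the DER encoding and format it as colon-separated upper-case hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(text: str) -> str:
    """Drop the separators people add when reading or typing a fingerprint."""
    return re.sub(r"[\s:.-]", "", text).lower()

def matches(der: bytes, claimed: str, algorithm: str = "sha256") -> bool:
    """True only if the claimed fingerprint is the complete digest of der."""
    expected = normalise(fingerprint(der, algorithm))
    got = normalise(claimed)
    # Reject partial or malformed values: confirming only the first few bytes
    # is far weaker than confirming the whole digest.
    if len(got) != len(expected) or re.fullmatch(r"[0-9a-f]+", got) is None:
        return False
    return hmac.compare_digest(expected, got)

if __name__ == "__main__":
    print(fingerprint(pem_to_der(to_pem(SAMPLE_DER))))
```
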