Home > Archive > Java Security > April 2004 > Java Webstart and expired certificate in signed jar files
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Java Webstart and expired certificate in signed jar files
|
|
| Erik Turesson 2004-04-20, 4:45 am |
| Hello!
I am planing to deploy my application using Java Webstart.
To be sure that the user does not manipulate my code and
configurationfiles I whant to sign my jar files.
As I have understood Java Webstart will not start the application if
the jarfile have been modifed after it has been signed.
But what happens when the certificate expires?
Will it still work when the certificate expires?
I am not interrested in geting any extra accessrights on the users
computer.
All I whant is to be sure that the jarfile is not modified since I did
sign it.
/Erik
| |
| Roedy Green 2004-04-20, 7:41 am |
| On 20 Apr 2004 00:21:52 -0700, erik.m.turesson@home.se (Erik Turesson)
wrote or quoted :
>But what happens when the certificate expires?
>Will it still work when the certificate expires?
In that case, or if you use a phony cert, JWS will ask the user, do
you REALLY want to run this? I recommend against it.
With JWS you have autoupdate, so presumably you release new jars
signed with a new cert before the old one expires, even if you don't
change the code.
Users now are getting used all the time to accepting phony SSL certs,
even from Sun. Persuading users to accept a phony cert is not the
same problem it was before.
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Michel Gallant 2004-04-20, 9:43 am |
| While not backward compatible with earlier versions of JavaPlugin,
Java v 1.5 (check out the docs on v1.5 bets)
will support time-stamping which means that JavaPlugin (I
think this includes JWS) will know if the JAR was signed while the
cert was still valid, and will not warn even after the cert was expired, if
signed when the cert was valid.
The same time-stamp support has been supported by Windows/Microsoft
Authenticode for several years now natively on WinOS.
- Mitch Gallant
www.jensign.com
"Erik Turesson" <erik.m.turesson@home.se> wrote in message
news:75cb3e54.0404192321.40c74a86@posting.google.com...
> Hello!
>
> I am planing to deploy my application using Java Webstart.
> To be sure that the user does not manipulate my code and
> configurationfiles I whant to sign my jar files.
>
> As I have understood Java Webstart will not start the application if
> the jarfile have been modifed after it has been signed.
>
> But what happens when the certificate expires?
> Will it still work when the certificate expires?
> I am not interrested in geting any extra accessrights on the users
> computer.
> All I whant is to be sure that the jarfile is not modified since I did
> sign it.
>
> /Erik
|
|
|
|
|