Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / Security / April 2004

Tip: Looking for answers? Try searching our database.

Java Webstart and expired certificate in signed jar files

Thread view: 
Enable EMail AlertsStart New Thread
Erik Turesson - 20 Apr 2004 08:21 GMT
Hello!

I am planing to deploy my application using Java Webstart.
To be sure that the user does not manipulate my code and
configurationfiles I whant to sign my jar files.

As I have understood Java Webstart will not start the application if
the jarfile have been modifed after it has been signed.

But what happens when the certificate expires?
Will it still work when the certificate expires?
I am not interrested in geting any extra accessrights on the users
computer.
All I whant is to be sure that the jarfile is not modified since I did
sign it.

/Erik
Reply to this Message
Roedy Green - 20 Apr 2004 09:54 GMT
>But what happens when the certificate expires?
>Will it still work when the certificate expires?

In that case, or if you use a phony cert, JWS will ask the user, do
you REALLY want to run this?  I recommend against it.

With JWS you have autoupdate, so presumably you release new jars
signed with a new cert before the old one expires, even if you don't
change the code.

Users now are getting used all the time to accepting phony SSL certs,
even from Sun.  Persuading users to accept a phony cert is not the
same problem it was before.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Reply to this Message
Michel Gallant - 20 Apr 2004 13:32 GMT
While not backward compatible with earlier versions of JavaPlugin,
Java v 1.5 (check out the docs on v1.5 bets)
will support time-stamping which means that JavaPlugin (I
think this includes JWS) will know if the JAR was signed while the
cert was still valid, and will not warn even after the cert was expired, if
signed when the cert was valid.

The same time-stamp support has been supported by Windows/Microsoft
Authenticode for several years now natively on WinOS.

- Mitch Gallant
  www.jensign.com

> Hello!
>
[quoted text clipped - 13 lines]
>
> /Erik
Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.