Java Forum / First Aid / July 2005
JNLP & Web start & signing?

Dado - 27 Jul 2005 09:01 GMT
I signed my jar and created a JNLP file which starts the install procedure of my
application.
I expected that the user would be asked for the password and other data which I
entered during signing, but I only got the dialog which asks the user if he
trusts me.
Maybe I didn't get the point of jarsigner, but I need some download
protection which I hoped the JNLP stuff would solve.
Andrew Thompson - 27 Jul 2005 09:17 GMT
> I signed my jar, created jnlp file which starts install procedure of my
> application.
[quoted text clipped - 3 lines]
> Maybe I didn't got the point of jarsigner but I need some download
> protection which I hoped that jnlp stuffs will solve.

No.  JWS is designed to protect the *end* *user*.
It is not designed for 'copy protection'.

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Or Is It?

Dado - 27 Jul 2005 13:10 GMT
>> I signed my jar, created jnlp file which starts install procedure of my
>> application.
[quoted text clipped - 6 lines]
> No.  JWS is designed to protect the *end* *user*.
> It is not designed for 'copy protection'.

And how is the end user protected when he only sees my name and my signature?
Protected from what?
Andrew Thompson - 27 Jul 2005 13:27 GMT
>>> I signed my jar, created jnlp file which starts install procedure of my
>>> application.
>>> I expected that the user will be ask for pasword ...
...
>> No.  JWS is designed to protect the *end* *user*.
>> It is not designed for 'copy protection'.
>
> And how end-user is protected when he only so my name and my signature? Is
> protected  from what?

People who are *not* you.

The end user only allows the code to run if they trust
the person or company that signed it.

There is some more information on 'trust' here..
<http://www.physci.org/install/security.jsp>

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Mr Bender's Wardrobe By ROBOTANY 500

Dale King - 27 Jul 2005 13:36 GMT
>>>I signed my jar, created jnlp file which starts install procedure of my
>>>application.
[quoted text clipped - 9 lines]
> And how end-user is protected when he only so my name and my signature? Is
> protected  from what?

When you sign with a certificate that certificate says that someone
asserts that the name on the certificate is really the person owning
that certificate.

Consider if some big company like IBM wants to provide you with a
program. They have a certificate from a certificate authority like
Verisign. They had to provide proof to Verisign that they truly were who
they said they were to get the certificate. When they sign a piece of
code with that certificate then you know that they had that certificate
and that the code really did come from IBM.

Without the certificate some hacker could produce some malicious code
and claim that it really is the program from IBM. But there is no way
that the hacker could sign the code to say that he is IBM and have that
certificate be issued by Verisign.

The certificate basically tells you that the person who signed the code
is really who they claim to be. If the code is malicious then you have
some legal recourse against that person.

The certificate has a chain back to some certificate authority. For
that to be any good the certificate authority must be a trusted entity
like Verisign or Thawte.

In your case you are probably using a self-signed certificate which
means you are your own CA. A self-signed certificate basically says I
say that I am who I say that I am. That provides no real protection
because anyone can claim to be anybody. A certificate from someone like
Verisign however has been verified. They are making a legally binding
claim that you truly are who you say that you are.

 Dale King
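
The check Dale King describes, written out as an added example (this is not code from the thread, from Sun's tutorial, or from Java Web Start itself): a small Java program, here called SignerCheck (an assumed name), that opens a JAR assumed to have been signed with the JDK's jarsigner, reads every entry so the signed digests are verified, reports entries that are unsigned or no longer match their signed digest, and for each signer says whether the certificate is self-signed ("I say that I am who I say I am") or chains to a certificate authority in the JDK's cacerts truststore. The truststore location and its default password "changeit" are assumptions about the JDK it runs on.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: who signed this JAR, and does anyone besides the signer vouch for the name?
// Usage (assumed): java SignerCheck app.jar   (app.jar previously signed with jarsigner)
public class SignerCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignerCheck <signed.jar>");
            System.exit(2);
        }
        PKIXParameters params = new PKIXParameters(loadCacerts());
        params.setRevocationEnabled(false); // offline check; enable CRL/OCSP checking in production

        Map<X509Certificate, List<X509Certificate>> signers = new LinkedHashMap<>();
        List<String> unsigned = new ArrayList<>();
        List<String> tampered = new ArrayList<>();

        // verify=true (the default) makes getInputStream() check each entry's digest
        // against the signed manifest while the bytes are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { } // signers are only known once the whole entry is read
                } catch (SecurityException ex) {
                    tampered.add(entry.getName() + " (" + ex.getMessage() + ")");
                    continue;
                }
                CodeSigner[] cs = entry.getCodeSigners();
                if (cs == null) { unsigned.add(entry.getName()); continue; }
                for (CodeSigner signer : cs) {
                    List<X509Certificate> chain = new ArrayList<>();
                    for (Certificate c : signer.getSignerCertPath().getCertificates())
                        chain.add((X509Certificate) c);
                    signers.putIfAbsent(chain.get(0), chain);
                }
            }
        }
        for (List<X509Certificate> chain : signers.values()) {
            System.out.println("Signer: " + chain.get(0).getSubjectX500Principal());
            System.out.println("  " + classify(chain, params));
        }
        for (String n : unsigned) System.out.println("UNSIGNED entry: " + n);
        for (String n : tampered) System.out.println("TAMPERED entry: " + n);
        // A JAR with any unsigned or altered entry does not deserve to be treated as signed.
        if (signers.isEmpty() || !unsigned.isEmpty() || !tampered.isEmpty()) System.exit(1);
    }

    /** One-line verdict for a signer's certificate chain (leaf certificate first). */
    static String classify(List<X509Certificate> chain, PKIXParameters params) {
        X509Certificate leaf = chain.get(0);
        if (isSelfSigned(leaf)) {
            // Only the key holder asserts this name; no third party has checked it.
            return "SELF-SIGNED: no CA vouches for '" + leaf.getSubjectX500Principal() + "'";
        }
        // PKIX expects the path to stop below the trust anchor, so drop a trailing self-signed root.
        List<X509Certificate> path = new ArrayList<>(chain);
        if (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) path.remove(path.size() - 1);
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "TRUSTED: chains to CA " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException ex) {
            return "UNTRUSTED: chain does not reach a CA in cacerts (" + ex.getMessage() + ")";
        } catch (GeneralSecurityException ex) {
            return "ERROR: " + ex;
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (GeneralSecurityException ex) { return false; }
    }

    /** The manifest and the signature files carry the signatures; they have no signers themselves. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** The JDK's own CA list; "changeit" is its default password (assumed unchanged). */
    static KeyStore loadCacerts() throws Exception {
        File f = new File(System.getProperty("java.home"),
                "lib" + File.separator + "security" + File.separator + "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(f)) { ks.load(in, "changeit".toCharArray()); }
        return ks;
    }
}
```

From the command line, `jarsigner -verify -verbose -certs app.jar` prints a comparable listing. Two caveats: the PKIX check above validates at the current date, so a signing certificate that has since expired reads as UNTRUSTED even if the JAR carried a timestamp, and revocation checking is switched off for the offline run. Java Web Start used its own trust store and its own dialog, so this mirrors the decision the end user is asked to make rather than reproducing it exactly.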

Andrew Thompson - 27 Jul 2005 13:57 GMT
> They are making a legally binding
> claim that you truly are who you say that you are.

<loaded question>
..In what municipality is it legally binding?
</loaded question>

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
LIVE From Omicron Persei 8

Andrew Thompson - 27 Jul 2005 14:08 GMT
>> They are making a legally binding
>> claim that you truly are who you say that you are.
>
> <loaded question>
> ..In what municipality is it legally binding?
> </loaded question>

Actually - given I originally misread 'they' as the
person/organisation getting the certificate (as
opposed to *Verisign*), it does not make much sense.  

It is significantly different, in that the geographic
locality of any legal actions against the CA is clear,
or at least clearly stated.

[ Oops! ]

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Too Hot For Radio

Dale King - 28 Jul 2005 04:38 GMT
>>>They are making a legally binding
>>>claim that you truly are who you say that you are.
[quoted text clipped - 10 lines]
> locality of any legal actions against the CA is clear,
> or at least clearly stated.

Legally binding may still not be a good way of saying it. What I meant
was that there can be legal ramifications if they are wrong about such a
claim. Therefore they do verification of your claim.

 Dale King

Andrew Thompson - 28 Jul 2005 05:00 GMT
>>>>They are making a legally binding
>>>>claim that you truly are who you say that you are.
[quoted text clipped - 14 lines]
> was that there can be legal ramifications if they are wrong about such a
> claim. Therefore they do verification of your claim.

Got it.  Yes, I see where you're coming from.

At the very least the CA's are putting their business
reputation on the line.  

I was originally thinking of an end user of the
certificate that might actually be some 'fly-by-night'
virus distributor, as being the party most likely
to vanish into thin air when the sh*t hit the fan.

That is the only reason I honed in on your mention of
legalities.  An *end* *user* of the certificate could
(potentially) avoid legal ramifications.  Both by
anonymity, and dispute over what rules actually apply
(is it in the place the CA exists/is registered, the
place the certificate holder is ..or claims to be,
..or the place where an injured party has dragged
them both into court?).

Making fine distinctions over the legalities of the
agreement (in attempts to avoid responsibility) is
not something that makes much sense for a CA in the
long term.  Their business *depends* on a very public,
trustworthy and consistent existence.  

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Transmitido en Martian en SAP

Dado - 28 Jul 2005 13:38 GMT
Is Verisign some tool for signing? Can I use the jarsigner tool from the J2SDK?
Andrew Thompson - 28 Jul 2005 13:47 GMT
> Is Verisign some tool for signaturing?

<http://www.google.com/search?hl=en&q=verisign>

>..Can I use jarsigner tool from j2sdk?

What does your research at Sun indicate?
(my spoon is wearing down)

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Not Affiliated With Futurama Brass Knuckle Co.

Dale King - 29 Jul 2005 13:17 GMT
> Is Verisign some tool for signaturing? Can I use jarsigner tool from j2sdk?

No, they are a Certificate Authority. They issue certificates that have
some authority behind them. Another such company is Thawte.

You obviously still aren't quite getting it. Try googling for "digital
certificate tutorial" and see if that sheds some light on it. Then go
through the Java tutorial on it:

http://java.sun.com/docs/books/tutorial/jar/sign/index.html

 Dale King


©2008 Advenet LLC