Re: JPI Trust Management Model

Jan Luehe (luehe@laguna.eng.sun.com)
Tue, 5 Jan 1999 15:58:21 -0800 (PST)

Lance:

> A colleague of mine forwarded me the following response that this group
> has given him. What I wanted to clarify is, will this work if I use my
> Verisign code signing certificate (for IE or Netscape) along with
> Netscape's signtool and MS's signcode?

Yes, this will work.
I have tried it with our Verisign code signing certificate using
Netscape's signtool.

Jan

------------------------------------------------------------------------

> When I asked them a similar question, I got the following answer from SUN:
>
> > As I understand from the information currently on your website, there is
> > no way for a developer to deploy a signed java applet to be used with the
> > java plugin, in such a way that a user that encounters this applet will
> > be prompted to validate the certificate attached to it automatically.
> > To my understanding, the user will have to invoke some additional
> > commands (such as keytool) so that the applet can work with full
> > permissions.
> >
> > Is that so?
>
> Yes. In the existing approach, the applet signer's certificate
> must be configured in the policy and supporting keystore in
> order for the signed applet to be granted special permissions
> (the ones listed in the policy).
>
> > If not - any documents describing it?
> >
> > If so - Do you intend to change that in the future?
>
> The next version of the Plug-in (which will go beta early next
> year) will verify the entire applet certificate chain if the applet
> signer is not configured in the policy/keystore.
> Verification will go all the way up to the root CA in the chain
> and check if that root CA is configured as a trusted CA in
> Netscape/IE.
> If so, the user will be prompted if they want to grant the special
> "AllPermission" (which implies every other single permission)
> to the applet (binary policy decision).
>
> Jan
>
> *************** Original message
>
> Michael Weksler wrote in message <753cbb$6b0$1@news.netvision.net.il>...
> >hi
> >
> >I am trying to use a signed JAR with JDK 1.2 and Java Plugin to write a file
> >on the user's machine.
> >
> >It appears that a user who wishes to use the applet needs to:
> >
> >1. Define a policy specifically for the applet.
> >2. Import the certificate that I sent him with the JAR.
> >
> >before the applet can be "trusted" and gain access to those system
> >resources.
> >These operations involve using a command line tool (keytool) and an ugly,
> >GUI based, not-very-friendly application (policytool), both supplied by SUN
> >with JRE 1.2
> >
> >My question is:
> >
> >Has anybody done it in an "automatic" way, e.g. a popup like the one that
> >comes up in IE4 when an ActiveX control is being downloaded, or similar?
> >
> >mich.
------------------------------------------------------------------------

Thanks,

--
==>Lancer----

Digital Certificate attached to the end of this message.
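
The manual setup discussed in this thread (import the signer's certificate with keytool, then name that signer in a policy file), shown as an added example that is not part of the original messages. The function names, the alias `appletsigner`, the file names, the codebase URL and the `appletdata` directory are constructed placeholders; the grant is scoped to one directory rather than "AllPermission".

```shell
#!/bin/sh
# Added example, not from the thread. All names and paths are placeholders.

# Step 1: import the signer's certificate into a keystore under an alias.
# keytool prints the certificate fingerprints and asks whether to trust it;
# compare them with a value obtained from the signer out of band first.
import_signer_cert() {
    alias_name=$1
    cert_file=$2
    keystore=$3
    keytool -import -alias "$alias_name" -file "$cert_file" -keystore "$keystore"
}

# Step 2: write a policy file that names the keystore and grants code that is
# signed by that alias AND loaded from one codebase access to one directory.
# The \$ escapes keep ${user.home} and ${/} literal so the Java runtime,
# not the shell, expands them when it reads the policy.
write_applet_policy() {
    policy_file=$1
    keystore_url=$2
    alias_name=$3
    codebase=$4
    cat > "$policy_file" <<EOF
keystore "$keystore_url";

grant signedBy "$alias_name", codeBase "$codebase" {
    permission java.io.FilePermission "\${user.home}\${/}appletdata\${/}-", "read,write";
};
EOF
}

# Typical use (run by the user, once per signer):
#   import_signer_cert appletsigner signer.cer "$HOME/.keystore"
#   write_applet_policy "$HOME/.java.policy" "file:\${user.home}/.keystore" \
#       appletsigner "https://applets.example.invalid/-"
```

The alias in `signedBy` must match the alias used at import time, otherwise the grant never applies and the applet stays in the sandbox.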