Re: Signing Applet with cert from Thawte

Jan Luehe (Jan.Luehe@eng.sun.com)
Tue, 15 Jun 1999 08:48:10 -0700 (PDT)

Date: Tue, 15 Jun 1999 08:48:10 -0700 (PDT)
From: Jan Luehe <Jan.Luehe@eng.sun.com>
Subject: Re: Signing Applet with cert from Thawte
To: Heid Joern <heid@integraliscentaur.de>
In-Reply-To: "Your message with ID" <902B574B9DBED211BAA60008C79FE49B06B0DC@exchange.centaur.de>

Heid:

> In JDK1.2.2 Thawte is a valid CA, isn't it?

Yes, a number of Thawte certs are shipped with the system
CA keystore (located in the jre/lib/security/cacerts file).

When you buy a certificate from Thawte and try to import
the certificate reply (chain) returned by the Thawte CA into your keystore
(using "keytool -import"), "keytool" will attempt to verify that chain
all the way up to its root CA.

If you specify the "-trustcacerts" option when you import the
certificate reply into your keystore, "keytool" will check if
the root CA of your reply chain is contained in the system's "cacerts" file,
and if so, consider the certificate reply chain as authenticated
and store it in your keystore.

When you sign an applet with the corresponding private key,
the certificate chain will be attached to the applet signature.

> Does this mean that when I sign my applet with a cert bought from Thawte,
> the 1.2.2 plugin will trust it?

Yes, but it will use the browser's native database of trusted root CAs
in order to authenticate the applet's signature.

> Is there an example for that?
> Will there be a window for granting the resources like the ones in Netscape
> or Microsoft browsers?

Yes, the plug-in classloader will pop up a window and display the
applet signer and ask the user if they want to grant the applet
the special "AllPermission", which implies every other permission.

> It's quite difficult to use the identity.obj...

In the above scenario, you won't have to preconfigure any keystore
or policy files.

Hope that helps.

Jan
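As an added illustration (not code from Jan's message or from the JDK), the following Java program performs by hand the check Jan describes for "keytool -import -trustcacerts": it loads the system cacerts keystore and verifies that a certificate reply chain leads, signature by signature, to a root contained in it. It assumes a current JDK (generics and try-with-resources), the default cacerts password "changeit", that java.home + "/lib/security/cacerts" resolves to the system CA keystore (true for the old jre/ layout and for JDK 9+), and that the reply file is a PKCS#7 or PEM bundle readable by CertificateFactory; keytool's full logic (validity dates, alias handling, prompts) is left out.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
public class TrustCaCertsCheck {
    // Collect the trusted certs from a keystore such as cacerts (it holds only X.509 trusted-cert entries, so the cast is safe).
    static List<X509Certificate> loadTrusted(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads JKS or PKCS12 cacerts
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password); }
        List<X509Certificate> trusted = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) trusted.add((X509Certificate) ks.getCertificate(alias));
        return trusted;
    }
    // Walk from the end-entity cert (first in the reply) towards the root, verifying each signature. Returns the
    // cacerts entry the chain ends at, or null: a self-signed root present only in the reply does not make it trusted.
    static X509Certificate findAnchor(List<X509Certificate> chain, List<X509Certificate> trusted) throws GeneralSecurityException {
        X509Certificate current = chain.get(0);
        for (int hop = 0; hop <= chain.size(); hop++) {
            for (X509Certificate t : trusted) {
                if (!t.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                try { current.verify(t.getPublicKey()); return t; }
                catch (GeneralSecurityException e) { /* same name, different key: keep looking */ }
            }
            X509Certificate issuer = null;
            for (X509Certificate c : chain) {
                if (c == current || !c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) continue;
                current.verify(c.getPublicKey()); // throws if this link is forged or mismatched
                issuer = c; break;
            }
            if (issuer == null) return null; // reply ran out before reaching a trusted root
            current = issuer;
        }
        return null;
    }
    public static void main(String[] args) throws Exception { // args[0]: certificate reply (PKCS#7 or PEM)
        List<X509Certificate> reply = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                reply.add((X509Certificate) c);
        }
        X509Certificate anchor = findAnchor(reply,
                loadTrusted(System.getProperty("java.home") + "/lib/security/cacerts", "changeit".toCharArray()));
        System.out.println(anchor == null ? "reply chain is not anchored in cacerts" : "reply chain anchored at " + anchor.getSubjectX500Principal());
    }
}
```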