pivot-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Summary of projects with client-side .jar's?
Date Wed, 09 Dec 2009 09:26:20 GMT
Greg Brown wrote:

>> Is the classloader complaining they aren't signed by the 'same' cert, or
>> just not signed by a trusted cert?
> 
> The classloader will prompt the user to trust each different signer. For
> example, let's say that we sign the Pivot JARs with an ASF cert, and
> acme.com deploys an application that uses those JARs. The JAR(s) containing
> the acme.com app would be signed using the Acme cert, and the user would
> be prompted twice - once to trust the ASF JARs and again to trust the Acme
> JARs.
> 
> This is probably not an ideal user experience - Acme's users don't
> necessarily need to know that parts of the application came from Apache
> - they just need to trust Acme. So, our assumption is that Acme would sign
> all the JARs used by the application, including the Pivot JARs, with their
> own certificate. This way, the user only gets prompted once, to trust
> acme.com.

Are you sure this is all set up correctly?

The point behind CA certificates is that by saying "I trust this CA, I
also trust any cert that this CA trusts", it removes the need to
explicitly ask the user to trust anything - the user has already told
you they trust your cert when the user trusted your CA cert.

All the JDKs I've ever used came with a blank certificate store - no CAs
were trusted at all. If such a blank certificate store was present, then
I would expect the application to ask me whether I trusted each cert in
turn, simply because no CA cert was present to have done this for me.

I suspect the reason the behaviour you describe exists is because the CA
cert isn't trusted. Ideally whatever container application you're trying
to run (Eclipse RCP? Tomcat? Something else?) should contain some kind
of user interface to ask the user whether they are willing to trust the
Verisign (etc) cert, or the software could come with a certificate
bundle already installed, like Firefox and friends do. I would imagine
if the certificate bundle was correctly configured with the Verisign CA
cert in it, your end user won't be asked anything at all.

Regards,
Graham