[ale] Java Code Signing Certificates?

Jason Day jasonday at worldnet.att.net
Tue Jan 31 14:59:26 EST 2006


On Tue, Jan 31, 2006 at 09:07:56AM -0500, Christopher Fowler wrote:
> This is a good question.  I'll be following this thread.  
> We have an applet on our Tomcat server that many of our customers have
> asked us if that applet could gain access to the Windows clipboard.  The
> only way I could see this being done is by a certificate.  When I've
> pushed the numbers on them they decided that copy and paste was not
> worth that much dinero.

You can do this with a self-signed certificate.  Jake Berner posted a
good reply with the relevant information for generating a self-signed
certificate.

When the Java plugin in the browser downloads a signed jar file, it
checks and verifies the certificate chain, and displays a dialog box
that lets the user decide whether to trust the code.  If the certificate
that was used to sign the jar was issued by a trusted CA, like Verisign
or Thawte, the dialog box will say so.  If, however, the code signing
cert was not issued by a trusted CA, then the dialog box will look a
little scarier, and it will explicitly say that the signature cannot be
verified by a trusted source.  Similar to the dialog boxes you get in
Mozilla or Firefox if you visit an SSL web site that uses a self-signed
certificate.

Depending on your customer base, you could always have them verify the
certificate's footprint with you over the phone or by similar means.

HTH,
Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
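
The out-of-band check suggested in the message above, sketched as an added example that is not part of the original post: hash the DER form of the signing certificate and compare it with the digest (usually called the fingerprint) that the vendor reads out over the phone. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder bytes standing in for a DER certificate, wrapped in
# PEM framing so the example runs offline. Substitute the customer's exported
# signing certificate in real use.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated uppercase hex."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken: str) -> str:
    """Strip the separators people add when dictating; reject non-hex input."""
    cleaned = re.sub(r"[\s:\-]", "", spoken).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def matches(pem: str, spoken: str, algo: str = "sha256") -> bool:
    """True only if the full digest matches; a truncated prefix is refused."""
    expected = normalize(fingerprint(pem, algo))
    given = normalize(spoken)
    if len(given) != len(expected):
        return False
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    print("Read this to the customer:", fingerprint(SAMPLE_PEM))
```

Comparing the whole digest matters: accepting only the first few bytes makes it far easier for someone to craft a different certificate that passes the phone check.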


