Re: Questions about code signing cert.

Discussion in 'Java' started by Jacob, Jul 14, 2003.

  1. Jacob

    Jacob Guest

    Martin Chan wrote:


    > 2. What will happen when if people use my application after my
    > certificate has expired?


    After the expiration date the certificate
    cannot be used to sign applications.

    The date has no implications for the execution
    of already signed applications.
    Jacob, Jul 14, 2003
    #1
    1. Advertising

  2. If you are talking about using the certificate to sign code
    for JavaPlugin deployment, the Security Warning on applet
    startup will advise you that the certificate has expired (JavaPlugin 1.3.1+),
    but you can choose to allow it to run. (earlier plugins would not allow the
    applet to run at all!).

    Since jarsigner does not timestamp the jar archive, the verification process
    cannot determine if the signature was generated potentially (via hacking) after
    the cert was expired. Hence the warning.

    - Mitch Gallant
    http://pages.istar.ca/~neutron

    "Jacob" <> wrote in message news:...
    > Martin Chan wrote:
    >
    >
    > > 2. What will happen when if people use my application after my
    > > certificate has expired?

    >
    > After the expiration date the certificate
    > cannot be used to sign applications.
    >
    > The date has no implications for the execution
    > of already signed applications.
    >
    >
    >
    >
    >
    >
    >
    Michel Gallant, Jul 14, 2003
    #2
    1. Advertising

  3. Jacob

    Roedy Green Guest

    On Tue, 15 Jul 2003 10:02:36 +0800, Martin Chan
    <> wrote or quoted :

    >How can I timestamp the jar file signed by jarsigner?


    You signed the jar with your cert. This mean YOU stand by the
    timestamps in the jar. If you want the timestamp of the jar as a
    whole to be certified by someone more trusted, you would have to send
    the document to them, or at least a digest of the document, and have
    them digitally sign it with their private key.

    Try certum http://time.certum.pl/ they offer a free timestamping
    service.

    --
    Canadian Mind Products, Roedy Green.
    Coaching, problem solving, economical contract programming.
    See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
    Roedy Green, Jul 19, 2003
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. gerry

    code signing in 2005

    gerry, Feb 28, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    434
    gerry
    Feb 28, 2006
  2. Roedy Green
    Replies:
    1
    Views:
    394
    Dale King
    Jul 15, 2003
  3. Roedy Green

    Applet signing Questions

    Roedy Green, Aug 12, 2005, in forum: Java
    Replies:
    2
    Views:
    449
    Pete Barrett
    Aug 12, 2005
  4. David Chan via .NET 247
    Replies:
    1
    Views:
    338
    Dominick Baier [DevelopMentor]
    Jun 2, 2005
  5. Jean

    Code signing

    Jean, Feb 1, 2006, in forum: ASP .Net Security
    Replies:
    1
    Views:
    135
    Henning Krause [MVP]
    Feb 1, 2006
Loading...

Share This Page