Web Applet Certificate

[Barkster]

I have a web applet that I signed myself but I'm having issues with
some people not being able to figure out to accept it correctly and
select cancel and remember setting then make the applet inoperable. I
have a digital certificate for my website that I purchased from xramp.
How do I get this thing signed so it doesn't prompt. When I first
created I looked into signing it and thought it was about 1k to have it
signed?? Ouch. Are there any affordable options?? Thanks

 

[Andrew Thompson]

I have a web applet that I signed myself but I'm having issues with
some people not being able to figure out to accept it correctly and
select cancel and remember setting then make the applet inoperable. I
have a digital certificate for my website that I purchased from xramp.
How do I get this thing signed so it doesn't prompt.

No such thing is possible. If an all-permissions Web-Started
application or applet could get on-screen without any warnings
to, or questioning of, the client - that would be a security hole.

'sandboxed' JWS apps. are a different matter.

..When I first
created I looked into signing it and thought it was about 1k to have it
signed??

Your applet is already 'signed' if you signed it properly
with a self-signed certificate, it is just the your
certificate cannot be verified, whereas the sort of
'1k' certificates you are thinking of, can be (verified
back to the issuing authority).

..Ouch. Are there any affordable options??

The good news is, there are a number of sources of
free certificates that *are* verified. The Thawte 'freemail'
certificate is one such beasty. They generally have
a more generic name than the 'expensive' ones.

Ultimately though, the end-user will still be asked
if they wish to 'accept the code signed by..'

HTH

Andrew T.

 

[Barkster]

Ok, your right. I talked with thawte and they say the same thing. Is
there any advantage to getting it signed through thawte or something?
I have some users that select cancel instead of run and check remember
and then get all pissed cause it isn't working and I haven't found an
easy way to fix this other than having them go to control panel and
removing certifciate in java control panel.

Thanks

 

[Barkster]

How do you use that freemail certificate to sign a java app??

Thanks

 

[Andrew Thompson]

Ok, your right.

Who's right about what?
( This translates to - please refrain from top-posting )

...I talked with thawte and they say the same thing. Is
there any advantage to getting it signed through thawte or something?

The certificate can be verified - the warning presented
to the user is less oderous.

For further info., see this Blog article..

I have some users that select cancel instead of run and check remember
and then get all pissed cause it isn't working and I haven't found an
easy way to fix this other than having them go to control panel and
removing certifciate in java control panel.

Same deal with the verified certificate, the only
difference being that your end user is slightly less
likely to 'permanently refuse' a verifiable certificate.

And in reply to the question on your next post..
Approximately "how to use freemail certificate?"

I don't know - I've only ever used a self-signed certificate.

Andrew T.

 

[Barkster]

Sounds like I ought to look into options other than self signed.
Thanks for clearing that up.

 

[Thomas Hawtin]

The good news is, there are a number of sources of
free certificates that *are* verified. The Thawte 'freemail'
certificate is one such beasty. They generally have
a more generic name than the 'expensive' ones.

Fortunately that security flaw is fixed in later version of Java (not
exactly sure from which version). So you now have to pay for certificate
vendors detailed verification of your company name (such as Click here
or Microsoft Corporation).

Recently unsigned WebStart apps have ceased to be able to request an
older version of Java. Presumably it the current version checks the
certificates, so you can't get around it anyway.

In any case, I would strongly advise anyone to avoid trusting code that
happens to be signed.

Tom Hawtin