Signing applets to load from any server

luke

I am working for a company which presently distributes its applets in
Microsoft .CAB files, signed using a Thawte certificate. These applets
are installed along with the server-side components on client servers
for their use.

I have been working to convert the applets to Sun Java and Swing, and
now we are just about ready to deploy them, but we have hit a snag.
Thawte expect us to give a full host identifier with our CSR, and for
us to deploy the applets only from the specified server. Obviously,
this is out of the question for us.

Can anybody suggest a solution? Is there such a thing as a code signing
certificate which can be served from any host/domain?

TIA for any info,
Luke
 
Andrew Thompson

luke said:
....Is there such a thing as a code signing
certificate which can be served from any host/domain?

Are you sure that these 'specific domain' certs. do *not*
work off every domain? I find the idea rather extraordinary,
even for Thawte (whom I consider to be 'highway robbers').

Andrew T.
 
luke

Andrew said:
Are you sure that these 'specific domain' certs. do *not*
work off every domain?

Yes, they're very specific about that. And I can see the sense in it,
even though it causes me problems. What better way to verify the
identity of the source of an applet?

Andrew said:
I find the idea rather extraordinary,
even for Thawte (whom I consider to be 'highway robbers').

Hmm. Compared to Verisign, who own them, Thawte are very modest in
their demands. But that doesn't help me with my present difficulty, I'm
afraid.

Luke
 
Dag Sunde

Andrew said:
Are you sure that these 'specific domain' certs. do *not*
work off every domain? I find the idea rather extraordinary,
even for Thawte (whom I consider to be 'highway robbers').

I believe the code signing certificate for signing MS .cab files
is quite a different animal than an ordinary
"Digital ID Class 3" that I use for "Java Object Signing".

With my "Class 3 ID" from Verisign (I have bought this from Thawte
too...), I can sign Applets and deploy them on any server I like.
 
Andrew Thompson

Dag said:
I believe the code signing certificate for signing MS .cab files

Oh, CAB files, right... (I missed that)

Dag said:
is quite a different animal than an ordinary
"Digital ID Class 3" that I use for "Java Object Signing".

With my "Class 3 ID" from Verisign (I have bought this from Thawte
too...), I can sign Applets and deploy them on any server I like.

Cool.

Luke - I hope you solve your conundrum, but remind
whoever made that decision, that the number of MSVM's
is fading every day, and the *best* advice a company
can give to users of the MSVM is to upgrade to a
VM that is not obsolete, insecure* and unsupported.

* There are differences in security behaviour between
the 3810 (final) build of the 1.1.4 MSVM and the
Symantec 1.1.5 VM that are a little worrying, at
the very least.

Personally, I'd launch any (trusted) applet using web
start and specifying Java '1.2+' - but maybe that's just me..

Andrew T.
 
luke

Andrew said:
Oh, CAB files, right... (I missed that)


Cool.

Nice. I wish they'd make that clearer on their website. I'll keep it in
mind, and thanks.

Andrew said:
Luke - I hope you solve your conundrum, but remind
whoever made that decision, that the number of MSVM's
is fading every day, and the *best* advice a company
can give to users of the MSVM is to upgrade to a
VM that is not obsolete, insecure* and unsupported.

Actually, we did end up solving it. Thawte told us how to convert the
existing certificate, by exporting it from IE, then importing it to
Firefox, then exporting it /again/. A pain, but it resulted in a
properly-formed Jar-signing certificate at the end.

Andrew said:
* There are differences in security behaviour between
the 3810 (final) build of the 1.1.4 MSVM and the
Symantec 1.1.5 VM that are a little worrying, at
the very least.

Personally, I'd launch any (trusted) applet using web
start and specifying Java '1.2+' - but maybe that's just me..

Me too, except that these applets are only a part of a web-based
platform that is written largely in Javascript. Don't snigger, because
it works. Quite an achievement considering what it does, and the
difficulty of debugging Javascript. And no, I didn't write it.

In any case, we are getting off the MS JVM. Ready to take it live at
our first site next week!

Cheers,
Luke
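
Added example, not part of the original thread: a small Java check that a PKCS#12 file exported from a browser, as described in the post above, holds a private key and a certificate that can be used for JAR signing. The class name and the file argument are assumptions for illustration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
// Hypothetical helper (not from the thread): inspects a browser-exported .p12 file.
public class CheckSigningKeystore {
    private static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    private static final String ANY_USAGE = "2.5.29.37.0";          // anyExtendedKeyUsage
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): java CheckSigningKeystore <file.p12>");
            System.exit(2);
        }
        char[] password = console.readPassword("Export password: ");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // fails here on a wrong password or a damaged file
        }
        boolean usable = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!ks.isKeyEntry(alias) || !(cert instanceof X509Certificate)) {
                System.out.println("[" + alias + "] no private key: cannot sign with this entry");
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // rejects expired or not-yet-valid certificates
                List<String> eku = x509.getExtendedKeyUsage(); // null when the extension is absent
                if (eku != null && !eku.contains(CODE_SIGNING) && !eku.contains(ANY_USAGE)) {
                    System.out.println("[" + alias + "] extended key usage excludes code signing: " + eku);
                    continue;
                }
            } catch (CertificateException e) {
                System.out.println("[" + alias + "] certificate rejected: " + e.getMessage());
                continue;
            }
            usable = true;
            System.out.println("[" + alias + "] usable for signing, subject: " + x509.getSubjectX500Principal());
        }
        System.exit(usable ? 0 : 1);
    }
}
```

The alias it prints is the value `jarsigner` expects as its alias argument when signing with `-storetype pkcs12 -keystore <file.p12>`.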
 
Andrew Thompson

Andrew Thompson wrote: ....
Actually, we did end up solving it.

Glad to hear.

luke said:
Me too, except that these applets are only a part of a web-based
platform that is written largely in Javascript. Don't snigger, because
it works. .....

I was almost about to add 'that strategy should
be fine for most users, and any applet that
doesn't require JS interaction' since interaction
with JS seems to be one of the last remaining
points to putting an applet in a web-page.

Andrew T.
 
