Re: trusted identities

David Brownell (David.Brownell@Eng)
Tue, 29 Apr 1997 14:04:03 -0700

Date: Tue, 29 Apr 1997 14:04:03 -0700
From: David.Brownell@Eng (David Brownell)
Message-Id: <199704292104.OAA11378@argon.eng.sun.com>
To: Mark.Bordas@East, mrm@Eng
Subject: Re: trusted identities

Another set of issues is that although X509v1 certainly supports
cert chaining (and it's relied on for SSL :-), we don't have CAs
who will cut DSA certs yet. Yet it's DSA that's used in the code
signing support today! So support for CAs in code signing can't
be well developed yet. I'm not sure the models Microsoft and
Verisign worked out are the best ones, though they're a start.

- Dave

> From mrm@Eng Tue Apr 29 13:30:37 1997
> Date: Tue, 29 Apr 1997 13:29:04 -0700
> From: Marianne Mueller <mrm@Eng>
> To: Mark.Bordas@East
> CC: java-security@web2.javasoft.com
> Subject: Re: trusted identities
>
> That's intentional in JDK 1.1, but the identity database will evolve
> for JDK 1.2 to use X.509v3 certs, and to separate the notion of the
> cert database from the Java runtime's internal notion of identities.
>
> Also there will not be the trusted/untrusted attribute for an
> identity. Permissions will be granted to a signer based on
> externally configured policy. Permissions are fine-grained.
>
> Marianne
>

----- Begin Included Message -----

>From Mark.Bordas@East Tue Apr 29 13:27:28 1997
Date: Tue, 29 Apr 1997 16:24:48 -0400 (EDT)
From: Mark Bordas <Mark.Bordas@East>
Subject: trusted identities
To: java-security@web2.javasoft.com
Content-MD5: KCF+xa9cbggVzNtgnAvihw==

I noticed that in order for a signed applet to run, the identity
must be trusted - even if the certificate is not self-signed
and the issuer *is* trusted. In other words, all identities
must be trusted, and who the issuer is is irrelevant. Is this
intentional or likely to change at some point in the future?

mark

----- End Included Message -----