Re: Certificate chaining w/javakey generated DSA certificates

Jan Luehe (Jan.Luehe@Eng)
Wed, 17 Sep 1997 10:48:47 -0700 (PDT)

To: java-security@web2.javasoft.com, gchung@openhorizon.com

George:

> a) I created a certificate for Foo certified by CA and installed it in
> the Identitydb on machine A.

> I would have expected that although Foo was trusted, the local
> environment would have no way of verifying that Foo's certificate
> (which is used to verify the signature on the jar) is itself valid
> since chaining is not supported.

You need not follow up the chain, if you already trust
the signer's public key, which is provided (as a certificate)
in the PKCS#7 formatted signature block file of the jar file.

If the signature verifies, and the signer's public key is stored
in your identity database as "trusted", you're done.

Of course, it is assumed that before you stored the signer's
public key in your identity database, you verified the certificate
that it came with.

Jan
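The check Jan describes, written out as an added example that is not part of the original thread or of Sun's own tooling: the signer's certificate is taken from the PKCS#7 signature block that ships inside the jar, the signature is verified, and the signer's public key is then matched directly against a set of keys the verifier already trusts, with no attempt to walk a chain. The javakey identity database of 1997 no longer exists, so the example assumes the modern java.util.jar API and a keystore file standing in for the "trusted" identity database; the jar path, keystore path, alias and password are hypothetical command-line arguments.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class TrustedSignerJarCheck {

    /** Outcome of checking one jar. */
    public enum Result { OK, BAD_SIGNATURE, UNSIGNED_ENTRY, UNTRUSTED_SIGNER }

    /**
     * Verifies the signatures on a jar and requires that every signed entry
     * was signed by a public key the caller already trusts. No chain is built:
     * the signer's certificate comes from the signature block (META-INF/*.DSA
     * or *.RSA) and its public key is compared directly against trustedKeys.
     */
    public static Result check(Path jarPath, Set<PublicKey> trustedKeys) throws IOException {
        // verify=true makes JarFile check manifest digests and signature blocks
        // while entries are read; a tampered entry raises SecurityException.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest and signature files are not themselves signed
                }
                // Verification happens as the stream is consumed, so the entry must be
                // read to the end before getCodeSigners() returns anything meaningful.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException e) {
                    return Result.BAD_SIGNATURE;
                }
                // Entries whose signature block could not be verified come back unsigned.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return Result.UNSIGNED_ENTRY;
                }
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    // Index 0 of the signer cert path is the signer's own certificate.
                    List<? extends Certificate> path = signer.getSignerCertPath().getCertificates();
                    if (isTrusted(path.get(0).getPublicKey(), trustedKeys)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) {
                    return Result.UNTRUSTED_SIGNER;
                }
            }
        }
        return Result.OK;
    }

    /** Compares keys by their encoded form rather than relying on provider equals(). */
    private static boolean isTrusted(PublicKey candidate, Set<PublicKey> trustedKeys) {
        byte[] enc = candidate.getEncoded();
        for (PublicKey k : trustedKeys) {
            if (Arrays.equals(enc, k.getEncoded())) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical usage: java TrustedSignerJarCheck app.jar trust.jks foo changeit
    // The keystore holds Foo's certificate, imported only after it was checked
    // out of band, which is the assumption the reply above relies on.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            ks.load(in, args[3].toCharArray());
        }
        PublicKey fooKey = ks.getCertificate(args[2]).getPublicKey();
        Result r = check(Paths.get(args[0]), Collections.singleton(fooKey));
        System.out.println(r);
    }
}
```

The design mirrors the reply: trust is anchored in the key you stored, not in any issuer, so a signature block carrying a certificate from an unknown CA is rejected simply because its public key is not in the set, and a certificate you stored after checking it is accepted without the verifier ever needing to understand the issuer.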