JPI Trust Management Model

Lance Kind (lancer@fc.hp.com)
Wed, 23 Dec 1998 14:43:11 -0700


A colleague of mine forwarded me the following response that this group
has given him. What I wanted to clarify is, will this work if I use my
Verisign code signing certificate (for IE or Netscape) along with
Netscape's signtool and MS's signcode?
------------------------------------------------------------------------

> When I asked them a similar question, I got the following answer from
> SUN:
>
> > As I understand from the information currently on your website, there is
> > no way for a developer to deploy a signed java applet to be used with the
> > java plugin, in such a way that a user that encounters this applet will
> > be prompted to validate the certificate attached to it automatically.
> > To my understanding, the user will have to invoke some additional
> > commands (such as keytool) so that the applet can work with full
> > permissions.
> >
> > Is that so?
>
> Yes. In the existing approach, the applet signer's certificate
> must be configured in the policy and supporting keystore in
> order for the signed applet to be granted special permissions
> (the ones listed in the policy).
>
> > If not - any documents describing it?
> >
> > If so - Do you intend to change that in the future?
>
> The next version of the Plug-in (which will go beta early next
> year) will verify the entire applet certificate chain if the applet
> signer is not configured in the policy/keystore.
> Verification will go all the way up to the root CA in the chain
> and check if that root CA is configured as a trusted CA in
> Netscape/IE.
> If so, the user will be prompted if they want to grant the special
> "AllPermission" (which implies every other single permission)
> to the applet (binary policy decision).
>
> Jan
>
> *************** Original message
>
> Michael Weksler wrote in message <753cbb$6b0$1@news.netvision.net.il>...
> >hi
> >
> >I am trying to use a signed JAR with JDK 1.2 and Java Plugin to write a
> >file on the user's machine.
> >
> >It appears that a user who wishes to use the applet needs to:
> >
> >1. Define a policy specifically for the applet.
> >2. Import the certificate that I sent him with the JAR.
> >
> >before the applet can be "trusted" and gain access to those system
> >resources.
> >These operations involve using a command line tool (keytool) and an ugly,
> >GUI based, not-very-friendly application (policytool), both supplied by SUN
> >with JRE 1.2
> >
> >My question is:
> >
> >Has anybody done it in an "automatic" way, e.g. a popup like the one that
> >comes up in IE4 when an ActiveX control is being downloaded, or similar?
> >
> >mich.
------------------------------------------------------------------------

Thanks,

--
==>Lancer----

Digital Certificate attached to the end of this message.
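As an added illustration (not part of the original thread), this is what the "existing approach" Jan describes looks like on the user's side: the signer's certificate is imported into a keystore with keytool, and a policy file grants only the permission the applet actually needs, scoped to that signer. The alias `applet-signer`, the keystore location and the output file name are assumptions.

```text
// Step 1 (run once by the user, not part of the policy file):
//   keytool -import -alias applet-signer -file signer.cer -keystore ~/.keystore
//
// Step 2: the policy file the plug-in's JRE reads (for example ~/.java.policy).
// The keystore named here supplies the certificate behind the "signedBy" alias.

keystore "file:${user.home}/.keystore";

// Grant only what the applet in the thread needs (writing one file on the
// user's machine), and only to code signed by the imported certificate.
// Unsigned or differently signed code stays in the sandbox.
grant signedBy "applet-signer" {
    permission java.io.FilePermission "${user.home}${/}applet-output.txt", "write";
};
```

Compared with the prompt Jan describes for the next Plug-in release, which grants AllPermission as a single yes/no decision once the chain reaches a browser-trusted root, the policy route lets the user confine a signed applet to a narrow grant.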
