> As I understand from the information currently on your website, there is
> no way for a developer to deploy a signed java applet to be used with the
> java plugin, in such a way that a user that encounteres this applet will
> be prompted to validate the certificate attached to it automatically.
> To my understanding, the user will have to invoke some additional
> commands (such as keytool) so that the applet can work with full
> permissions.
>
> Is that so?
Yes. In the existing approach, the applet signer's certificate
must be configured in the policy and supporting keystore in
order for the signed applet to be granted special permissions
(the ones listed in the policy).
> If not - any documents describing it?
>
> If so - Do you intend to change that in the future?
The next version of the Plug-in (which will go beta early next
year) will verify the entire applet certificate chain if the applet
signer is not configured in the policy/keystore.
Verification will go all the way up to the root CA in the chain
and check if that root CA is configured as a trusted CA in
Netscape/IE.
If so, the user will be prompted if they want to grant the special
"AllPermission" (which implies every other single permission)
to the applet (binary policy decision).
Jan