Message-Id: <2.2.32.19990728193328.00d3b708@postoffice.i-review.com>
Date: Wed, 28 Jul 1999 14:33:28 -0500
To: java-security@java.sun.com
From: "Christian M. Forster" <cforster@i-review.com>
Subject: Re: "Java Plug-In Security Warning" dialog working under 1.2.2

Hi All!

I'm sending this message to update people on this topic & to provide some
closure for this issue for 1.2.2 plug-in FCS.

After many trials & tribulations & much clarification from Jan, I'm pleased
to announce that I've been successful using RSA Netscape Obj Signing to sign
a JAR & having it properly display the "Java Plug-In Security Warning"
dialog under NN & IE using 1.2.2 FCS.

In the effort to close a security hole in 1.2.2 RC1's certificate chain
verification, the 1.2.2 FCS plug-in release requires an *exact* match of the
JAR signer's root CA certificate (fingerprint) with one in IE's CA store on
the executing platform. Just matching the public key is not sufficient; the
validity period, etc. must also match.

Thus, the problem I was experiencing was due to the proliferation of valid,
but different (expiring in 2004, 2018, 2028, etc.) Root CA certificates
(from the popular certificate provider I originally used) in various
incarnations of IE's CA store. Note, IE's CA store is used for verification
in the executing environment whether using Netscape or IE (see
http://java.sun.com/products/plugin/1.2/docs/nsobjsigning.html).

After purchasing and using a Thawte Netscape Obj Signing cert (available at
http://www.thawte.com/certs/developer/nsobjectsign.html), every execution
environment I've tried so far (WinNT 4 / IE 4 & NC 4.04, Win95 / IE 4 & NC
4.6) has successfully shown the dialog. I have yet to confirm other Win32
environs (Win98) & Solaris, but I've received confirmation from a Thawte rep
that the specific Root CA issued in their n.o.s. certs & for CA stores is
ubiquitous and should be present in IE 4+ installs.

On to the next hurdle... Thanks to everyone for the help!

Best regards,
Chris
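
The exact-match rule described in the message, as an added example that is not part of the original post and not plug-in code: it contrasts a public-key-only lookup with a whole-certificate fingerprint lookup against a CA store. The simplified DER record standing in for a root certificate, the SHA-256 digest, the sample key and dates, and all function names are assumptions made for illustration.

```python
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def toy_root(subject: str, pubkey: bytes, not_before: str, not_after: str) -> dict:
    """Constructed stand-in for a root CA certificate (not a full X.509 cert):
    subject, validity (two UTCTime values) and public key, DER-encoded."""
    validity = tlv(0x30, tlv(0x17, not_before.encode()) + tlv(0x17, not_after.encode()))
    key_bits = tlv(0x03, b"\x00" + pubkey)
    der = tlv(0x30, tlv(0x0C, subject.encode()) + validity + key_bits)
    return {"subject": subject, "pubkey": pubkey, "der": der}

def fingerprint(cert: dict) -> str:
    """Digest over the whole encoding, so every field contributes to it."""
    return hashlib.sha256(cert["der"]).hexdigest()

def key_match(root: dict, store: list) -> bool:
    """Loose check: some store entry carries the same public key."""
    return any(c["pubkey"] == root["pubkey"] for c in store)

def exact_match(root: dict, store: list) -> bool:
    """Strict check: some store entry is byte-for-byte the same certificate."""
    fp = fingerprint(root)
    return any(fingerprint(c) == fp for c in store)

# Constructed sample data: one CA key reissued with different expiry years.
CA_KEY = bytes(range(64))
SIGNER_ROOT = toy_root("Example Root CA", CA_KEY, "960101000000Z", "040101000000Z")
ROOT_2028 = toy_root("Example Root CA", CA_KEY, "960101000000Z", "280101000000Z")
STORE_2028 = [ROOT_2028]    # machine whose store holds only the 2028 variant
STORE_2004 = [SIGNER_ROOT]  # machine whose store holds the signer's exact root

if __name__ == "__main__":
    for name, store in (("2028 store", STORE_2028), ("2004 store", STORE_2004)):
        print(name, "key match:", key_match(SIGNER_ROOT, store),
              "exact match:", exact_match(SIGNER_ROOT, store))
```
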