Certificate Authority support in keytool

christian.halvorsen@ac.com
Fri, 24 Jul 1998 10:42:18 +0100

From: christian.halvorsen@ac.com
To: java-security@java.sun.com
Date: Fri, 24 Jul 1998 10:42:18 +0100
Subject: Certificate Authority support in keytool

One of the major benefits of Java is easy distribution of applications.
We're developing an application that will run as an applet in Java Plug-in
(Activator). This applet is signed with javakey to get system access beyond
normal applet security restrictions.

The new keytool in JDK1.2 should support CAs so that one can request a
certificate from such a CA and sign the applet jar file with this
certificate. When the user then downloads the applet he should be notified
that the CA guarantees the signer's identity and asked whether the user wants
to release the applet from the sandbox. In order to do this the JDK/JRE
must come with CA certificates the same way as browsers do.

Today it's a major hassle to distribute signed applets. The user will have
to download javakey and the signer's public key and then run this on
his/her local PC to say that a specific signer is trusted. It's not a good
idea for the developer to make an identitydb.obj and let the users download
this, because this will delete any other information in the user's
identitydb.obj file.

Best regards,

Christian P. Halvorsen
Andersen Consulting, Norway