Bug ID: 4523234

Votes: 0

Synopsis: Timestamped Signatures

Category: java:classes_security

Reported Against: hopper-rc, merlin-fcs, merlin-rc1

Release Fixed: 1.5(tiger)

State: 10-Fix Delivered, request for enhancement

Priority: 4-Low

Related Bugs: 4500302, 4649690, 4649703

Submit Date: 06-NOV-2001

Description:

When a signed applet is verified and the certificate has expired, there is no way to tell if the applet was signed when the certificate was still valid. The current validation policy assumes an applet to be untrusted if the certificate has expired, but this has the side effect of causing widely deployed, large-scale applications to pop up security warnings unnecessarily.

Solution: Build timestamping directly into the signing tool, so that the validation process may take place in Java Plug-in or Java Web Start by validating the timestamp.

Timestamping of signed jar files is covered in 4500302.

Work Around: N/A

Evaluation:

This feature has been added for the Tiger release.

Comments:

PLEASE NOTE: JDK6 is formerly known as Project Mustang