«

Roedy, I just want to thank you for your excellent Java glossary entry on
signed applets. It is very comprehensive and helpful.

One thing I am not clear on though is if I purchase a proper certificate
from a trusted source like Thawte, will the signed applet be able to run
without asking the user first?

--
And loving it,

-Qu0ll (Rare, not extinct)
_________________________________________________

[Replace the "SixFour" with numbers to email me]

On Sun, 23 Aug 2009 17:05:02 +1000, "Qu0ll" <>
wrote, quoted or indirectly quoted someone who said :

>One thing I am not clear on though is if I purchase a proper certificate
>from a trusted source like Thawte, will the signed applet be able to run
>without asking the user first?

no.

Here's why. Let's say my Applet rummages around the hard disk looking
for thumbnail photos, and uploads them to a server. I need the
client's explicit permission to do that, not just $350 for a cert.
--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.

On Sun, 23 Aug 2009 01:11:14 -0700, Roedy Green
<> wrote, quoted or indirectly quoted
someone who said :

>no.
>
>Here's why. Let's say my Applet rummages around the hard disk looking
>for thumbnail photos, and uploads them to a server. I need the
>client's explicit permission to do that, not just $350 for a cert.

The advantages of real over self-signed phony certificates and the
limitations are discussed in detail at
http://mindprod.com/jgloss/selfsignedcertificate.html
--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.

RedGrittyBrick wrote:
> Isn't it really a question of which certificates you trust directly and
> which you trust indirectly?
>
> My web-browser is full of self-signed certificates for certificate
> authorities. I don't really know any of them and have no special reason
> to place more than a very minimal level of trust in them.
>
> I also see I have a certificate for a service I use, that certificate is
> signed by Comodo CA Limited. I have no idea who Comodo are or how
> trustworthy they are. Presumably someone at Mozilla felt they were
> trustworthy but I've no idea how much effort that Mozilla developer put
> into checking out the integrity of Comodo and I've no idea what checks
> Comodo applied to the company that obtained a server cert from them,
> maybe just that they appear to be a registered company and that the
> payment cleared?
>
> I'd actually have a lot MORE trust in a self-signed certificate
> handed[1] to me by someone I personally trust.

I don't think it is just a randomly picked developer that
flip a coin to decide whether a root certificate goes into
the browser or not. This is critical for the security that
the root certificates are legit.

And the CA do make some checks because they are warrantying
their certificates. Then they have 10000 dollars of good reasons
to check.

It is obviously not a perfect system.

Most people will trust something they receive from
a personal friend/colleague. But do they also believe
that he keep his keystore and passphrase properly
protected from spyware/keyloggers etc.?

Arne

Qu0ll wrote:
> Roedy, I just want to thank you for your excellent Java glossary entry
> on signed applets. It is very comprehensive and helpful.
>
> One thing I am not clear on though is if I purchase a proper certificate
> from a trusted source like Thawte, will the signed applet be able to run
> without asking the user first?

No. The signing thing is only authentication not authorization. A proper
certificate may get more people to accept your certificate as being
from you, but access will still need to be granted.

Arne

RedGrittyBrick wrote:
> I'd actually have a lot MORE trust in a self-signed certificate
> handed[1] to me by someone I personally trust.

Where's the footnote [1]? I didn't see it in your post.

On Sun, 23 Aug 2009 12:52:47 +0100, RedGrittyBrick
<> wrote, quoted or indirectly quoted
someone who said :

>I understand why you use this emotive terminology (real vs phony) but
>your root certificates (Verisign etc) must be self-signed and hence phony?
The Oxford dictionary defines certificate as an official document
attesting or recording of a particular fact or event, the level of
achievement or the fulfillment of a legal achievement.

A real certificate involves three levels of certification.

1. the vendor certifies he did indeed write the software.

2. the certificate vendor certifies that the vendor presented
identification details to obtain the certificate he used to sign the
program.

3. Sun certifies that the certificate vendor is a reputable company
who takes sufficient care in handing out certificates to vendors. It
indicates this certification by including the public root certificate
of respected vendors in cacerts.

A phony certificate certifies that the holder of some certificate did
indeed write the software. It says nothing about the identity of the
vendor.

So it seems to me, there no official document involved with a phony
cert. A phony certificate is not actually a certificate. However, it
is not completely valueless. For example, I post the public key of my
phony certificate on mindprod.com. People can then know whomever
created mindprod.com also vouches for the signed code posted there,
but you knew that anyway, without the signing. It does however let
people who pick up code elsewhere to know that also IF they check the
posted root certificate.

I expect eventually personal IDs will be based on private keys. You
will then be able effectively to use your birth certificate id for all
manner of purposes, including purchasing goods and signing code.
Then there would be no need for unsigned code or code signed with
phony keys.

--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.

On Sun, 23 Aug 2009 12:52:47 +0100, RedGrittyBrick
<> wrote, quoted or indirectly quoted
someone who said :

> Presumably someone at Mozilla felt they were
>trustworthy but I've no idea how much effort that Mozilla developer put
>into checking out the integrity of Comodo and I've no idea what checks
>Comodo applied to the company that obtained a server cert from them,
>maybe just that they appear to be a registered company and that the
>payment cleared?

I remember getting a cert from Thawte. They certainly did a thorough
check to make sure I was really me. If they didn't, and word of it
got out, it would make ALL Thawte issued certs less valuable. People
would not trust them. Thawte certs would have only intermediate value
between real certs and phony certs.

When you buy a cert, you are primarily paying for the work they do to
verify your identity.

A cert company can't easily sell its certs unless the roots are
accepted in browser lists, OS lists and Java lists. It has to convince
these companies to include its root.

I think a pirate would fool people by creating a plausible sounding
certificate root authority, and giving instructions to install the
root CA authority cert. It would be quite dangerous to try to apply
for a cert in some other company's name. All the certificate issuer
has to do is look up the company in the phone book and give them a
call. They will get the real company.

--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.

On Sun, 23 Aug 2009 12:40:29 -0700, Roedy Green
<> wrote, quoted or indirectly quoted
someone who said :

>The Oxford dictionary defines certificate as an official document
>attesting or recording of a particular fact or event, the level of
>achievement or the fulfillment of a legal achievement.

I elaborate on these ideas further at:

http://mindprod.com/jgloss/selfsigne...ml#TERMINOLOGY
--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.

On Sun, 23 Aug 2009 22:57:50 +0100, RedGrittyBrick
<> wrote, quoted or indirectly quoted
someone who said :

>
>Would you say Versign certs are less trustworthy than Thawte certs?

Verisign bought out Thawte. Verisign are considerably more expensive.
Verisign are openly hostile when you apply. Thawte are relatively
friendly.

Dealing with Verisign is like going into a 5 star hotel. They sniff at
you if you don't have a Gold American Express card. They are really in
the business of serving the Fortune 1000 only. I would suppose this
hauteur would tend to scare off more crooks.

I doubt many pirates would have the chutzpa to attempt acquire a
Verisign or Thawte certificate. The public, even programmers, are
pretty clueless about certificates. I think a clever pirate would
exploit that confusion instead.

It would be ever so much easier to fob off a phony certificate as
meaningful or a phony CA certificate from a fictitious CA company, or
simply write code in a language that does not require signing, use
piratical means to install software, or just use ordinary Java Apps
with a traditional installer that don't require signing.
--
Roedy Green Canadian Mind Products
http://mindprod.com

http://thecovemovie.com : The Cove: a documentary about Japan's secret atrocities against dolphins.