Re: JNLP & Web start & signing?

Dado wrote:
Andrew Thompson wrote:

On Wed, 27 Jul 2005 10:01:00 +0200, Dado wrote:

I signed my jar and created a jnlp file which starts the install procedure of my
application.
I expected that the user would be asked for the password and other data which I
entered during the signing, but I only got the dialog which asks the user if
he trusts me.
Maybe I didn't get the point of jarsigner, but I need some download
protection which I hoped that the jnlp stuff would solve.

No. JWS is designed to protect the *end* *user*. It is not designed for 'copy protection'.

And how is the end-user protected when he only sees my name and my signature? Protected from what?

When you sign with a certificate, that certificate says that someone asserts that the name on the certificate is really the person owning that certificate.


Consider if some big company like IBM wants to provide you with a program. They have a certificate from a certificate authority like Verisign. They had to provide proof to Verisign that they truly were who they said they were to get the certificate. When they sign a piece of code with that certificate then you know that they had that certificate and that the code really did come from IBM.

Without the certificate some hacker could produce some malicious code and claim that it really is the program from IBM. But there is no way that the hacker could sign the code to say that he is IBM and have that certificate be issued by Verisign.

The certificate basically tells you that the person who signed the code is really who they claim to be. If the code is malicious then you have some legal recourse against that person.

The certificate has a chain back to some certificate authority. For that to be any good the certificate authority must be a trusted entity like Verisign or Thawte.

In your case you are probably using a self-signed certificate which means you are your own CA. A self-signed certificate basically says I say that I am who I say that I am. That provides no real protection because anyone can claim to be anybody. A certificate from someone like Verisign however has been verified. They are making a legally binding claim that you truly are who you say that you are.

--
 Dale King
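As an added illustration of the distinction drawn above (this is example code, not something posted by anyone in this thread), the following Java program lists who signed a JAR and reports, for each signer, whether the certificate is self-signed or chains to one of the JVM's default trust anchors. The JAR path is a placeholder; the class name and all comments are the example's own.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

/** Example (not from the thread): who signed a JAR, and is that signer self-signed or CA-issued? */
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "app.jar";   // placeholder JAR path
        Set<List<? extends Certificate>> chains = new HashSet<>();
        try (JarFile jar = new JarFile(path, true)) {            // verify = true
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                // Signatures are checked while an entry is read, so drain each entry first.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) {} }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    if (!e.isDirectory() && !e.getName().startsWith("META-INF/"))
                        System.out.println("UNSIGNED: " + e.getName());  // partial signing is a red flag
                } else for (CodeSigner s : signers)
                    chains.add(s.getSignerCertPath().getCertificates());
            }
        }
        for (List<? extends Certificate> chain : chains) describe(chain);
    }

    static void describe(List<? extends Certificate> chain) throws Exception {
        X509Certificate leaf = (X509Certificate) chain.get(0);
        System.out.println("Signer: " + leaf.getSubjectX500Principal());
        System.out.println("Issuer: " + leaf.getIssuerX500Principal());
        if (chain.size() == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal()))
            System.out.println("  self-signed: the signer vouches only for themselves");
        // Default trust anchors (the JVM's cacerts) via the default TrustManagerFactory.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(root, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);           // offline check; enable CRL/OCSP in production
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            System.out.println("  chains to a trusted CA");
        } catch (CertPathValidatorException ex) {
            System.out.println("  does NOT chain to a trusted CA: " + ex.getMessage());
        }
    }
}
```

A self-signed jar will print the "self-signed" line and then fail PKIX validation, which is exactly why Web Start can only ask the user whether to trust the name shown rather than vouch for it.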