Re: Self-signed security certificates.. (oh, the evil)

On Sun, 11 Sep 2005 03:34:08 GMT, Darren wrote:

>> The end user is presented with a dialog asking them
>> if they want to aceppt the code. If they click 'yes',
>> it has full priviliges, End Of Story.
> again not precicely what I'm after.

Can you describe the experience you expect for the end user?
In terms of..
- user follows link.
- user sees page.
- dialog appears asking 'run privileged code?'
- user clicks...
(well - you need to tell me, in your own words)

[ I am beginning to doubt that what you want is possible,
but I am not yet *sure* what you want. ]

>> ..This makes me wonder if you really understand the nature
>> and purpose of these certificates.
> In truth, no

Have you tried installing any applets or projects that
are signed? Going through the process of downloading
a JWS app. may answer a lot of your questions.

> Well I don't care if they are CA certified. For my purposes ME certified
> would do. Can a certificate tell a browser ...

No certificate in existence can *tell* a browser to *do*
anything. It all comes down to *asking* the *user*.

Try to get that distinction clear, as it is fundamental
to understanding what will happen with code signatures
and permissions.

> ..to look at a remote java policy
> file (one on my site) rather than the browsers default for example.?

What is it supposed to do once it 'looks' at that policy file?
Open the end user's machine to anything that is allowed in the
policy file on your site?

Even if JWS were set up that way, it would still be up
to the *end* *user* to say 'Yes - use the other policy file'.

It is *not* down to 'the browser' alone. If it were, I might
surf in to your site only to have my own browser load a (hidden)
applet that, 'picking up' your policy file, now has unrestricted
access to my PC. Not good.

Any which way you go, the user is asked for their permission.
That is both ..
- a good thing
- unavoidable.

--
Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
"He was a missing person who nobody missed at all"
Dixie Chicks 'Goodbye Earl'
.

Relevant Pages

  • Re: anti-malware progs ineffective
    ... >Mozilla is a very well done browser, that can be configured to block ... >consider checking out Mozilla. ... I always accept known certificates only temporarily. ... numbering to work halfway reliably. ...
    (sci.electronics.design)
  • Re: anti-malware progs ineffective
    ... >Mozilla is a very well done browser, that can be configured to block ... >consider checking out Mozilla. ... I always accept known certificates only temporarily. ... numbering to work halfway reliably. ...
    (sci.electronics.basics)
  • Re: sources for SSL certificates for SBS 2003
    ... certificates into their browser since some of them move around alot. ... There are some that offer basic validation that you own the domain for around $20pa. ... Steve Foster [SBS MVP] ...
    (microsoft.public.windows.server.sbs)
  • Re: How can I act as a Certificate Authority (CA) with openssl ??
    ... then putting that on a web site. ... problem if you were selling certificates using "Mickey Mouse" as the ... The browser maker and cert orgs like this since ...
    (comp.security.unix)
  • Re: How can I act as a Certificate Authority (CA) with openssl ??
    ... then putting that on a web site. ... problem if you were selling certificates using "Mickey Mouse" as the ... The browser maker and cert orgs like this since ...
    (sci.crypt)