Public: Technology Reviews : Java Timestamped Signatures
This page last changed on Nov 07, 2008 by scytacki.
Java 1.5 introduced the concept of timestamping a webstart signature.
These threads have some useful information about them. http://forums.sun.com/thread.jspa?threadID=744677 http://forums.sun.com/thread.jspa?threadID=5309004
Based on that forum though in practice it won't help. This is because the certificate for the TSA (time stamping authoring), needs to be in the user's computer's trusted cert list. So for this to work users would need to do an extra step to install this certificate.
The key issue is this line:
However it might be that the users of that forum did not setup their original signature correctly. It seems that if the -tsacert alias is used when signing the jar then the cert for the tsa is included in the code signing certificate. So hopefully in that case the client doesn't need to install anything. That means though that the certificate we get from verisign or where have to include this tsa cert.
As noted by the forums above, firefox includes a thawte timestamping CA. Looking at java certs on 10.4, this takes me to the system keychain with the certs. Looking at "X509Anchors" there is a timestamp cert listed as: "TC TrustCenter Time Stamping CA"
|Document generated by Confluence on Jan 27, 2014 16:56|