Date: Mon, 28 Jul 1997 10:27:08 -0700
Message-Id: <199707281727.KAA10962@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: Valik@alis.kharkov.ua
Subject: Re: Another questions
See also the hypermail archive at
http://jserv.javasoft.com/hypermail/java-security-archive/index.html
> Organization: Alis Software
> From: "Valentin Perepelitsa" <Valik@alis.kharkov.ua>
> Date: Mon, 28 Jul 97 12:53:19 +0300
>
> Marianne,
>
> Thanks for your reply.
> Sorry, I'm a novice in Java, so I've got a lot of questions.
Sorry for my short answer; this is actually not a real technical
support hotline, but simply a way for people to pose questions to the
Java security team. Unfortunately I can't take all the time that is
required to do full technical support.
> > One thing not mentioned in that document is that when you then want to
> > refer to the signed JAR file in the HTML document that has an applet
> > tag, use the "archive" attribute like so
> >
> Is this possible to sign ordinary .class files? There is no problem with
> java archives, but if the appet is too simple (contains one class only),
> should I anyway use archive? For example, I want to write an applet, that just
> pings certain number of hosts. My applet works fine locally. But, I have no
> privilegies to use sockets remotely.
You can create a JAR archive that has only one .class file, and this
is the effect of signing a single file.
There is no way to embed the signature inside the .class file, if
that's what you mean.
Signing is not as simple as people want it to be; you do need to
specify "what" is being signed, "how" you're signing it (what
algorithm, what key, what role of the key-bearer), "when" the signing
is good for (when does the certificate expire that holds the key used
for signing?) Once you start getting into it, the concept of a
digital signature does unfortunately get a lot more complicated than
its human signature counterpart. Maybe eventually we will have tools
that will help us sign objects, files, and archives in as simple a way
as we sign letters and documents with hand-written signatures, but
we're not there today.
>
> > There is no formal committee or formal procedure for signing or
> > registering an applet. Right now, you can use the javakey utility
> > that is part of the JDK to create your own keys and certificates.
> > Eventually, the public key infrastructure will evolve so that you can
> > register online for a certificate for your Java digital key(s).
> >
> But, according to this ideology anybody can sign their applets to gain full
> access to the system. I don't think that everything is so simple. I searched
> web pages you gave me and haven't found information about this. Help, please,
> if you can.
No, this is not accurate. It is up to the person who controls the
client computer to configure their system to say WHCIH signatures are
allowed access. Simply signing an applet doesn't mean anything in
an of itself. It depends on whether the person who controls the
client computer has configured the client computer to say "the applet
signed by so-and-so is allowed such-and-such access on my system."
>
> Thanks for you time.
> ---
> Regards,
> Valentin Perepelitsa
>