
Verifying PKI Certificates

 
Jon Camilleri
"Getting a certificate from one of the supported vendors costs hundreds of dollars per
year. Many developers simply generate their own and use them for code signing. Of
course, Java Web Start has no way of checking the accuracy of these certificates. When
you receive such an application, then you know:
1. The code is exactly as it was when it was signed; no other party has tampered with it.
2. Someone has signed the code, but Java Web Start cannot verify who it was.

This is quite worthless; anyone could have tampered with the code and then signed it,
claiming to be the author. Nevertheless, Java Web Start will be perfectly happy to present
the certificate for your approval (see Figure 10–7). It is theoretically possible to verify the
certificate through another way, but few users have the technical savvy to do that."

Core Java Volume I (8th Ed) P.507

Any idea what the author is talking about when he mentions "another way" of verifying certificates, other than, say, getting one from a provider such as Thawte?
