[RFC] netx/plugin: do not prompt user multiple times for the same Certificate
Deepak Bhole
dbhole at redhat.com
Mon Oct 18 11:49:23 PDT 2010
* Omair Majid <omajid at redhat.com> [2010-10-18 14:34]:
> On 10/18/2010 01:49 PM, Deepak Bhole wrote:
> >* Dr Andrew John Hughes<ahughes at redhat.com> [2010-10-18 13:35]:
> >>On 12:53 Mon 18 Oct , Omair Majid wrote:
> >>>On 10/14/2010 05:03 PM, Deepak Bhole wrote:
> >>>>* Omair Majid<omajid at redhat.com> [2010-10-14 16:37]:
> >>>>>Hi,
> >>>>>
> >>>>>In the current implementation of the plugin, when the user rejects a
> >>>>>https certificate, the next time the https connection is attempted,
> >>>>>another certificate warning is shown.
> >>>>>
> >>>>>The attached patch makes it so that if the user does not accept a
> >>>>>certificate, he is not prompted again for accepting it. The patch
> >>>>>keeps a list of certificates that the user has not accepted and
> >>>>>skips the user prompt if it is for one of those certificates.
> >>>>>
> >>>>>Any comments or suggestions?
> >>>>>
> >>>>
> >>>>
> >>>>Looks fine to me. Okay for commit to all active branches.
> >>>>
> >>>
> >>>Thanks. Pushed to IcedTea6 HEAD, 1.9, 1.8 and 1.7.
> >>>
> >>>Cheers,
> >>>Omair
> >>>
> >>
> >>Can the user remove the certificate from the list, should they wish to accept it at some point in the future?
> >>Same vice versa I guess (stop accepting a previously accepted certificate).
> >
> >
> >The untrusted list is temporary and gets destroyed when the vm shuts
> >down.
> >
>
> I was wondering whether it would make more sense to keep a list of
> trusted/untrusted certificates per applet/application instead of per
> VM.
>

It should be per VM. Otherwise if this were being used within a company
environment that had their own root cert for example, users would have
to accept the certs for each applet/http server which would be quite
tedious.

> >As for removing certs previously trusted -- that list can be manipulated
> >with keytool. The keystore is .netx/security/trusted.certs
> >
>
> Another way of manipulating the keystore is by using "javaws -viewer"
>

Nice! I didn't know NetX supported viewer.
Deepak

> >Cheers,
> >Deepak
> >
> >>--
> >>Andrew :)
> >>
> >>Free Java Software Engineer
> >>Red Hat, Inc. (http://www.redhat.com)
> >>
> >>Support Free Java!
> >>Contribute to GNU Classpath and the OpenJDK
> >>http://www.gnu.org/software/classpath
> >>http://openjdk.java.net
> >>PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> >>Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
>
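
Added example, not the patch discussed in this thread and not IcedTea/NetX code: a sketch of the behaviour described above, where a refused certificate is remembered for the lifetime of the VM so the warning is not shown twice. The class and method names are hypothetical, the `prompt` callback stands in for the warning dialog, and the byte arrays are constructed placeholders for `Certificate.getEncoded()` output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;

/** Hypothetical sketch: VM-lifetime memory of certificates the user declined. */
public class RejectedCertCache {
    // Static and in-memory only: one list per VM, gone when the VM exits.
    private static final Set<String> REJECTED = ConcurrentHashMap.newKeySet();

    // Key on a digest of the whole encoded certificate, not on host or subject,
    // so a different certificate presented for the same site is still shown.
    static String fingerprint(byte[] encodedCert) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(encodedCert));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every JRE
        }
    }

    /** Returns the trust decision; 'prompt' is asked at most once per refused cert. */
    static boolean check(byte[] encodedCert, Predicate<byte[]> prompt) {
        String fp = fingerprint(encodedCert);
        if (REJECTED.contains(fp)) {
            return false;          // already declined in this VM: no second dialog
        }
        boolean accepted = prompt.test(encodedCert);
        if (!accepted) {
            REJECTED.add(fp);      // remember the refusal only, never an acceptance
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed placeholder bytes standing in for two DER-encoded certificates.
        byte[] certA = "constructed-cert-A".getBytes(StandardCharsets.UTF_8);
        byte[] certB = "constructed-cert-B".getBytes(StandardCharsets.UTF_8);
        int[] dialogs = {0};
        Predicate<byte[]> userSaysNo = c -> { dialogs[0]++; return false; };

        System.out.println(check(certA, userSaysNo)); // first refusal, dialog shown
        System.out.println(check(certA, userSaysNo)); // same cert again, no dialog
        System.out.println(check(certB, userSaysNo)); // different cert, dialog shown
        System.out.println("dialogs shown: " + dialogs[0]);
    }
}
```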