[RFC] netx/plugin: do not prompt user multiple times for the same Certificate
Dr Andrew John Hughes
ahughes at redhat.com
Mon Oct 18 16:29:15 PDT 2010
On 14:56 Mon 18 Oct , Omair Majid wrote:
> On 10/18/2010 02:49 PM, Deepak Bhole wrote:
> > * Omair Majid<omajid at redhat.com> [2010-10-18 14:34]:
> >> On 10/18/2010 01:49 PM, Deepak Bhole wrote:
> >>> * Dr Andrew John Hughes<ahughes at redhat.com> [2010-10-18 13:35]:
> >>>> On 12:53 Mon 18 Oct , Omair Majid wrote:
> >>>>> On 10/14/2010 05:03 PM, Deepak Bhole wrote:
> >>>>>> * Omair Majid<omajid at redhat.com> [2010-10-14 16:37]:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> In the current implementation of the plugin, when the user rejects a
> >>>>>>> https certificate, the next time the https connection is attempted,
> >>>>>>> another certificate warning is shown.
> >>>>>>>
> >>>>>>> The attached patch makes it so that if the user does not accept a
> >>>>>>> certificate, he is not prompted again for accepting it. The patch
> >>>>>>> keeps a list of certificates that the user has not accepted and
> >>>>>>> skips the user prompt if it is for one of those certificates.
> >>>>>>>
> >>>>>>> Any comments or suggestions?
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Looks fine to me. Okay for commit to all active branches.
> >>>>>>
> >>>>>
> >>>>> Thanks. Pushed to IcedTea6 HEAD, 1.9, 1.8 and 1.7.
> >>>>>
> >>>>> Cheers,
> >>>>> Omair
> >>>>>
> >>>>
> >>>> Can the user remove the certificate from the list, should they wish to accept it at some point in the future?
> >>>> Same vice versa I guess (stop accepting a previously accepted certificate).
> >>>
> >>>
> >>> The untrusted list is temporary and gets destroyed when the VM shuts
> >>> down.
> >>>
> >>
> >> I was wondering whether it would make more sense to keep a list of
> >> trusted/untrusted certificates per applet/application instead of per
> >> VM.
> >>
> >
> > It should be per VM. Otherwise if this were being used within a company
> > environment that had their own root cert for example, users would have
> > to accept the certs for each applet/http server which would be quite
> > tedious.
> >
> >>> As for removing certs previously trusted -- that list can be manipulated
> >>> with keytool. The keystore is .netx/security/trusted.certs
> >>>
> >>
> >> Another way of manipulating the keystore is by using "javaws -viewer"
> >>
> >
> > Nice! I didn't know NetX supported viewer.
>
> Unfortunately, it is not quite the same thing as Java Web Start's javaws
> -viewer. NetX's javaws -viewer is more along the lines of the certificate
> viewer in the Java Control Panel.
>
Then there's your challenge; make it as nice ;-P
> >
> > Deepak
> >
> >>> Cheers,
> >>> Deepak
> >>>
> >>>> --
> >>>> Andrew :)
> >>>>
> >>>> Free Java Software Engineer
> >>>> Red Hat, Inc. (http://www.redhat.com)
> >>>>
> >>>> Support Free Java!
> >>>> Contribute to GNU Classpath and the OpenJDK
> >>>> http://www.gnu.org/software/classpath
> >>>> http://openjdk.java.net
> >>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> >>>> Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
> >>
>
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8