Fwd: Re: [rfc][icedtea-web] reproducer for PR905
Deepak Bhole
dbhole at redhat.com
Wed Apr 4 09:11:37 PDT 2012
* Jiri Vanek <jvanek at redhat.com> [2012-04-04 12:04]:
> On 04/04/2012 05:58 PM, Deepak Bhole wrote:
> >* Jiri Vanek<jvanek at redhat.com> [2012-04-04 11:55]:
> >>...snip...
> >>>>>>
> >>>
> >>>
> >>>How about creating a cert, importing it and then signing everything with that
> >>>cert?
> >>>
> >>
> >>Applet is then not asking user anymore???
> >>
> >>If this is true than this is granzgenial:)
> >>
> >>It will need some logic to import the certs to browser, but it will
> >>be needed anyway (see http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-March/017799.html
> >>for more about browser detection)
> >>
> >
> >If you choose to always trust it, yes it shouldn't ask any more.
>
> hmmm... Can be much harder then to control this fully-automatically.
> (means create certificate during make is easy, sign all stuff with
> this certificate is easy, import certificate to browsers should be
> also easy (just cp I believe), force the browser to force this new
> certificate without prompt can be however impossible :( )
> If it is possible to accept it just oncetimes for all
> future-generated certificates - it will do the job as well.
>
Right, so create a cert, sign a jar with it, and manually start the
browser and go to an applet with that jar. You will get a prompt and
choose to always trust it.
>From there on, anything signed by that cert should always be trusted.
> I would like to avoid one static certificate which have to be refreshed each .. some times...
>
Why is that? You would only be accepting/always trusting it locally for
one specific user.
Cheers,
Deepak
More information about the distro-pkg-dev
mailing list