Name: ssT124754 Date: 01/22/2001


java version "1.2.2"



i downloaded the 1.3.0_01 release. it is better than what i have, but still
not quite there yet.
what i see is that as soon as i try to open a signed applet with an expired
signature, it displays a popup saying something like "the signature is
expired. would you still like to use it". if i choose "yes", everything
works just fine.
the problem is, the signatures we have are only valid for one year.
which means that in one year, all our customers will start seeing this
warning EVERY TIME they launch the application!

the problem here is deeper: when a digital signature expires, it can't be
used to sign NEW code. however, code that was signed should stay signed
forever (think of it - when you sign a contract, does your signature fade
away after one year????)
the algorithm sounds simple: compare the date the code was created with the
date it was signed. if it was created BEFORE the signature expires, than the
code is signed. it doesn't matter if the signature is expired when you do
that check!

what i understood from bugid 4357437 is that this algorithm was implemented
in firefly. if you say that firefly is 1.3.0_01, than it was not - the popup
still shows. i would think that the bug should remain open until such
algorithm is implemented.

bottom line:
we need a version of plugin that does not display a popup (and treats the
code as signed) if it sees code that was signed before the certificate has
expired, regardless if the certificate is expired when the code is run.
(Review ID: 114352)
======================================================================