Name: boT120536 Date: 03/12/2001


java version "1.3.0_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_02)
Java HotSpot(TM) Client VM (build 1.3.0_02, mixed mode)

I am opening this bug report to address an unresolved problem
that is reported in two other bug reports (4407689 and 4398868)
which are both now closed.

The problem was introduced in SDK version 1.3.01 and is specific
to the Plug-in. Previous versions of the Plug-in used Internet
Explorer's certificate database in verifying signed jar files.
Beginning in 1.3.01, the Plug-in no longer uses IE's certificate
database but instead references the internal certificate database
maintained by the keytool. This change effectively breaks any
existing applets that rely on the 1.3 Plug-in and certificates.

  Bug 4407689 is now Closed as "Will not be fixed" status with
the comment that "this is a feature change". There is also
a comment that "it is possible to import cert into cacerts
for testing purpose" but there is no description of how this
is done. I tried to use the keytool's "import" option but
this did not resolve the problem.

  Bug 4398868 is now Closed as "Fixed". The explanation is:
"We have added a new error handling code in plug-in, so users
will have the option to continue the verification even if we
fail to verify the root CA." I have no idea what this means.
Is it a flag of some sort than we must look at programmatically?
Is it a dialog that the plug-in automatically pops up when
the user downloads the signed applet? Neither are acceptable
solutions. What public release is this "fix" in?

Look, you guys broke a lot of deployed applets with a
point-release version of the SDK that is not backwardly compatible.
This problem is not resolved. What do you plan to do about it?

Perhaps you could implement a parameter that is configurable from
the Plug-in control panel to force the Plug-in to look at the
IE certificates database.
(Review ID: 118503)
======================================================================