Name: ssT124754 Date: 03/27/2001
D:\>java -version
java version "1.3.0_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_01)
Java HotSpot(TM) Client VM (build 1.3.0_01, mixed mode)
This is a continuation of the bugs described in BugID 4357437 and 4406748
The fix implemented in the "Merlin" release as described in bugID 4406748 is
wrong and needs to be fixed.
According to the fix described in 4406748, the "expiration warning will only
appear to the user the first time the applet is used." This is not a fix. Once
a .jar is digitally signed it is irrelevant that the certificate originally
used to sign the .jar has expired. A Java Plug-in Security Warning stating
that "the certificate has expired" should NEVER be displayed. The certificate's
expiration date should be checked by the signtool.exe utility when the .jar is
signed, not when an end user is downloading the applet to run it.
Think about it: is it realistic (or even a good idea) to require that
commercial software vendors re-sign their (old) .jar files every year AND then
redistribute them to all their customers so they can update their web servers?
The correct implementation is described in BugID 4406748, I will not repeat it
here other than to say the "fix" (only display the warning the first time...)
has no justification and is not a "fix" at all.
We have (literally) thousands of end users seeing this Java Plug-in Security
Warning unnecessarily. I'm sure this issue will multiply in any industry using
signed applets as other commercial software vendors' certificates expire, as
they do every year.
(Review ID: 119570)
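The distinction the report turns on, that a JAR's signature stays cryptographically valid after the signer certificate expires and that the expiry question is a separate policy decision, can be made visible with the standard library. The following is an added example and not code from the bug report or from the JDK; it assumes a modern JDK (java.util.jar verification plus CodeSigner, which is newer than the 1.3 release quoted above) and takes the path of a signed JAR as its only argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/*
 * Reports, per entry of a signed JAR:
 *   - whether the entry's digest and signature verify (the JarFile check),
 *   - whether the signer certificate is inside its validity window, checked
 *     either "now" or, when a signature timestamp is present, at the time
 *     the JAR was signed (the policy the bug report argues for).
 */
public class SignedJarCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarCheck <file.jar>");
            System.exit(2);
        }
        Date now = new Date();
        // "true" asks JarFile to verify signatures as entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Digest verification happens while the entry is streamed; a
                // modified entry throws SecurityException here. Note that an
                // expired signer certificate does NOT cause this to fail.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // drain the entry so the signer information is populated
                    }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED  " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate cert = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    // If the signature carries a TSA timestamp, judge the
                    // certificate as of signing time rather than as of today.
                    // (This assumes the timestamp token itself is trusted.)
                    Date checkAt = s.getTimestamp() != null
                            ? s.getTimestamp().getTimestamp() : now;
                    String status;
                    try {
                        cert.checkValidity(checkAt);
                        status = "cert valid at " + checkAt;
                    } catch (CertificateExpiredException ex) {
                        status = "cert EXPIRED (notAfter=" + cert.getNotAfter() + ")";
                    } catch (CertificateNotYetValidException ex) {
                        status = "cert not yet valid (notBefore=" + cert.getNotBefore() + ")";
                    }
                    System.out.println("SIGNED    " + e.getName()
                            + "  signer=" + cert.getSubjectX500Principal()
                            + "  " + status
                            + (s.getTimestamp() == null ? "  [no timestamp]" : ""));
                }
            }
        }
    }
}
```

Run it against a JAR signed with a certificate that has since expired and every entry still prints as SIGNED: the signature check passes and only the separate checkValidity step reports the expiry. The branch that evaluates validity at the timestamp date is the mechanism that makes "was the certificate valid when the JAR was signed" answerable at verification time; without a timestamp a verifier has no trustworthy signing time and can only compare against the current clock, which is the situation the report describes.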
======================================================================