Name: jk109818 Date: 12/05/2001
Java(TM) Plug-in: Version 1.3.1
Using JRE version 1.3.1 Java HotSpot(TM) Client VM
The problem was reported quite eloquently in BugID 4396720 and marked as closed
but it was not properly fixed. Certificates expire, signed code does not.
To summarize, when the code signing certificate expires then
a "java.security.cert.CertificateExpiredException" will be thrown for every
first-time user. Also, every time thereafter that the user launches the applet
the exception will be thrown, until the user elects to "Grant Always" in the
PlugIn security warning which asks the user if they want to install and run the
applet. The behaviour was improved in 1.3.1 over 1.3.0 in that the user will
not see the exception once the "Grant Always" option is selected. This is still
a bug that should be fixed properly to match the behaviour of the Netscape
4.7.x JVM and the MS JVM which never expire the code signing.
To quote from the Thawte FAQ on the use of Authenticode certificates:
"What happens when my certificate expires?
Certificates expire, valid signatures do not expire. The Netscape Signtool
documentation states that validation of the signature is based on the date of
the signature rather than the time verification [of the certificate] occurs. If
the certificate was valid at signing, then Communicator will continue to
recognize that signature even after the certificate expires."
Consider this: I cannot renew a Verisign certificate until 30 days before
expiration, so 31 days before expiration the best I can do is create a signed applet
that will run the first time without throwing an exception for 31 days. In
actual deployment the signed applet will run without problems the first time
for somewhere between 0 and 365 days, and unless I have certificates issued for
each month the average shelf life of my applet is only 6 months. Even in
today's fast paced world this is too short.
(Review ID: 136304)
======================================================================