A DESCRIPTION OF THE REQUEST :
When Java WebStart initiates a signed Jar, or initiates an SSL session, it
may pop up a security warning dialog about the peer. This warning dialog
provides some identity information drawn from the X.509 certificate, and
offers a button labeled "More Details". If the user presses that button, a
certificate details window pops up. The details window displays a fair
bit more information from the certificate, including subject DN, validity
interval, etc. All of that is very good. However, the details window does not
present the certificate 'fingerprint' or 'thumbprint'. Those fields are often used for out-of-band verification of certificates, and are virtually impossible for a user to compute on their own.
JUSTIFICATION :
In cases where an application is using a self-signed or private certificate
for SSL or code signing, the usual PKI mechanisms for verifying the
certificate do not work. In such cases, out-of-band verification using the
certificate fingerprint (MD5 of the cert) or thumbprint (SHA1 of the cert) can
be used. For example, most web browsers will display the fingerprint for
a certificate in their 'Details' display.
Java 1.4.2 and Java 5.0 do not seem to have this capability. That makes it
a little harder to work with any non-rooted X.509 certificates.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It would be nice if the Certificate Details window included either or both
fingerprints (MD5 or SHA1) as a selectable field. I know that the fingerprint
is not part of the actual certificate, but it is very easy to compute and could
be very helpful in some cases.
ACTUAL -
The current Certificate Details window has the following fields:
Version, Serial Number, Signature algorithm, Issuer, Subject, Validity, and
Signature.
###@###.### 10/21/04 16:37 GMT
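The fingerprint computation the request describes, as an added example that is not part of the original report or of Java WebStart's own code: the digest is taken over the certificate's DER encoding and then compared with the value received out of band. It assumes Java 8 or later (for java.util.Base64); the class name, the method names and the stand-in bytes are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Locale;

public class CertFingerprint {
    // Fingerprint of a parsed certificate: the digest of its DER encoding.
    static String fingerprint(X509Certificate cert, String alg) throws Exception {
        return fingerprint(cert.getEncoded(), alg);
    }

    // Digest of the DER bytes, shown as colon-separated upper-case hex.
    // "MD5" and "SHA-1" are the two the report names; "SHA-256" works the same way.
    static String fingerprint(byte[] der, String alg) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(alg).digest(der)) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // Strip the PEM armor and decode the Base64 body (line breaks are ignored).
    static byte[] pemToDer(String pem) {
        String body = pem.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "");
        return Base64.getMimeDecoder().decode(body);
    }

    // Compare with a value read over the phone or from paper: separators and
    // letter case are ignored, the comparison itself is constant-time.
    static boolean matches(String computed, String outOfBand) {
        return MessageDigest.isEqual(normalize(computed), normalize(outOfBand));
    }

    static byte[] normalize(String fp) {
        return fp.replaceAll("[^0-9A-Fa-f]", "").toUpperCase(Locale.ROOT)
                 .getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in bytes, NOT a real certificate; the digest only
        // needs the encoded bytes, so they are enough to show the mechanics.
        byte[] der = "constructed stand-in for DER bytes".getBytes(StandardCharsets.US_ASCII);
        String pem = "-----BEGIN CERTIFICATE-----\n"
                + Base64.getMimeEncoder().encodeToString(der)
                + "\n-----END CERTIFICATE-----\n";
        String sha1 = fingerprint(pemToDer(pem), "SHA-1");
        System.out.println("MD5   " + fingerprint(der, "MD5"));
        System.out.println("SHA-1 " + sha1);
        // The same value typed in lower case with spaces still matches.
        System.out.println(matches(sha1, sha1.toLowerCase(Locale.ROOT).replace(':', ' ')));
    }
}
```

With a real certificate, pass the X509Certificate returned by CertificateFactory.getInstance("X.509").generateCertificate(...) to the first overload.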