Type: Bug
Resolution: Not an Issue
Priority: P2
Affects Version: 6u24
CPU: x86
OS: windows
Signed Java applets loaded from server are invalid if signing cert expires on MacOS with Safari browser; not if loaded locally or on Windows.
When a Java applet is loaded in Safari from a remote site, the certificate validation used is subtly different from what Java itself uses.
In particular, if the signing certificate is expired, Safari displays a standard Security framework error, whereas the Java implementation (on both Mac OS X and Windows) considers the applet 'verified', based on a timestamp embedded in the signature.
* STEPS TO REPRODUCE
1. Put a copy of the attached files on your local disk.
2. Launch test.html
3. Observe that a Java dialog is displayed indicating the signature is "verified".
4. Put another copy of the attached files on a web server.
5. Browse to test.html
6. Observe a Security framework dialog complaining that the certificate is expired.
On MacOS with Safari you will see "The digital signature could not be verified."
On Windows you will see "The application's digital signature has been verified."
The problem is that the Oracle security dialog does not warn about the fact that the signing cert has expired. It merely informs the user that the signing cert was valid at the time of signing.
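The difference the report describes comes down to which point in time the signer certificate's validity period is checked against: the current time (the Safari behaviour) or the signing time recorded by a timestamp in the signature (the Java behaviour). The following is an added illustration, not code from this bug report or from the JDK: it models both policies over a constructed certificate and shows the combined verdict a dialog would need in order to say "valid when signed, but expired since". The `SignerCert` type, the `signing_time` argument and all dates are assumptions; in a real verifier the signing time would have to come from a trusted timestamp token, and an unauthenticated timestamp should be treated as absent (`None`).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class SignerCert:
    """Minimal stand-in for the X.509 signer certificate (constructed, not parsed)."""
    subject: str
    not_before: datetime
    not_after: datetime


def valid_at(cert: SignerCert, when: datetime) -> bool:
    """True if `when` falls inside the certificate's validity period."""
    return cert.not_before <= when <= cert.not_after


def current_time_policy(cert: SignerCert, now: datetime) -> bool:
    """Safari-style check: the certificate must be valid right now."""
    return valid_at(cert, now)


def signing_time_policy(cert: SignerCert, signing_time: Optional[datetime],
                        now: datetime) -> bool:
    """Java-style check: the certificate must have been valid at the signing
    time carried by a (trusted) timestamp; without a timestamp, fall back to now."""
    if signing_time is not None:
        return valid_at(cert, signing_time)
    return valid_at(cert, now)


def assess_signature(cert: SignerCert, signing_time: Optional[datetime],
                     now: datetime) -> Tuple[str, str]:
    """Combine both views into a verdict and a user-facing message.

    Verdicts:
      'valid'                 - certificate valid now (and at signing time, if known)
      'expired_after_signing' - valid when signed, but the certificate has since expired;
                                this is the case the dialog in the report fails to warn about
      'invalid'               - not valid at signing time (or no timestamp) and not valid now
    """
    valid_now = current_time_policy(cert, now)
    valid_when_signed = signing_time is not None and valid_at(cert, signing_time)

    if valid_now:
        return "valid", f"Signer certificate for {cert.subject} is currently valid."
    if valid_when_signed:
        return ("expired_after_signing",
                f"Signer certificate for {cert.subject} was valid when the code was signed "
                f"({signing_time:%Y-%m-%d}) but expired on {cert.not_after:%Y-%m-%d}.")
    return "invalid", f"Signer certificate for {cert.subject} is not valid."


# Constructed sample: a certificate that expired before the applet is run,
# with a timestamp placing the signing inside the validity period.
SAMPLE_CERT = SignerCert(
    subject="CN=Example Applet Signer (constructed)",
    not_before=datetime(2008, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2010, 1, 1, tzinfo=timezone.utc),
)
SAMPLE_SIGNING_TIME = datetime(2009, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)


def demo() -> Tuple[bool, bool, str]:
    """Return (current-time verdict, signing-time verdict, combined verdict)."""
    return (
        current_time_policy(SAMPLE_CERT, SAMPLE_NOW),
        signing_time_policy(SAMPLE_CERT, SAMPLE_SIGNING_TIME, SAMPLE_NOW),
        assess_signature(SAMPLE_CERT, SAMPLE_SIGNING_TIME, SAMPLE_NOW)[0],
    )


if __name__ == "__main__":
    print(demo())
    print(assess_signature(SAMPLE_CERT, SAMPLE_SIGNING_TIME, SAMPLE_NOW)[1])
```

For the constructed certificate the two single-time policies disagree (the current-time check fails, the signing-time check passes), which is exactly the Safari-versus-Java split in the report; the combined `assess_signature` verdict `expired_after_signing` is the state the dialog should surface to the user instead of an unqualified "verified".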