Just a note, I have submitted this bug report. It is bug #6149286 on bugreport.apple.com. The text of the report follows.
-Kyle H

* SUMMARY

Java misrepresents a properly-signed applet as "Java cannot verify the authenticity of the signature's certificate".

* STEPS TO REPRODUCE

On a freshly-installed copy of Leopard, with all software updates:

1) Open Safari
2) Go to the URL https://jogl-demos.dev.java.net/applettest.html
3) View the security warning that pops up, select "Show Certificate"
4) Check the chain of certificates up to the root certificate

* RESULTS

The security dialog that pops up says:

  This applet was signed by "sun microsystems, inc," but Java cannot verify the authenticity of the signature's certificate. Do you trust this certificate?

When I select "Show Certificate", it comes up with a chain of certificates (I'm listing them from bottom to top):

  sun microsystems, inc -- green checkmark, "this certificate is valid" (Issued by: VeriSign Class 3 Code Signing 2004 CA)
  VeriSign Class 3 Code Signing 2004 CA -- green checkmark, "this certificate is valid" (Intermediate Certification Authority)
  Class 3 Public Primary Certification Authority -- green checkmark, "this certificate is valid" (Self-signed root certificate)

Comparing the self-signed root with the certificate in the System Roots keychain matches precisely.

I expected Java's applet permission-request message to read more like:

  This applet was signed by "sun microsystems, inc," which states that it needs permission to do everything that a locally-installed application could do in order to operate properly. Would you like to grant this permission?

(this is my suggested wording -- but "cannot verify the authenticity of the signature's certificate" is absolutely NOT the actual case.)

* REGRESSION

I have not performed any regressions, other than to test both between Firefox 3.0.1 and Safari.

* NOTES

I am submitting this bug report because somebody made a post to the Mozilla dev-tech-crypto mailing list stating that Firefox was having problems.

The thread can be found at: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/512ef357ccef3d9d#

We have traced this to a misrepresented error message from Java. This is a security-usability issue.

On Thu, Aug 14, 2008 at 2:31 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> Since this same warning shows up even going to the same location
> (https://jogl-demos.dev.java.net/applettest.html) under Safari, it's
> definitely not Firefox-related.
>
> http://bugreport.apple.com/ is the best way to report this, since
> Apple maintains its own Java distribution for OS X (you cannot get an
> OS X version of Java from Sun).
>
> It requires a (free) ADC membership to actually submit a bug report;
> if you do not have one, you can get one by going to
> http://developer.apple.com/ and selecting (from the very top of the
> page, on the right side) "ADC Member Site".
>
> -Kyle H
>
> On Thu, Aug 14, 2008 at 1:05 AM, Nelson Bolyard
> <[EMAIL PROTECTED]> wrote:
>> bmo wrote on 2008-08-11 20:22 PDT:
>>> Summary: I suspect that there's something wrong with the BUILT-IN Root
>>> CA cert UTN-USERFirst-Object in Firefox 3.0.1.
>>>
>>> We were issued a code signing certificate which was signed by the
>>> UTN-USERFirst-Object cert built into Firefox (Comodo issues these). We
>>> have successfully signed our jar file with the certificate (verified
>>> with jarsigner -verify, etc.), however on Firefox 3.0.1 (on macosx),
>>> when our jar is loaded, we get a 'this applet was signed by <company
>>> name> however we cannot verify the signature' do you want to trust
>>> this applet?
>>
>> That apparent quote of the text of the error message is actually a misquote,
>> and the misquote was significant to our attempts to help
>> you diagnose the problem. The actual error message, as it appears
>> in the png files you posted,
>>
>> http://www.tryventi.com/certissue/trust1.png
>> http://www.tryventi.com/certissue/trust2.png
>> http://www.tryventi.com/certissue/trust3.png
>> http://www.tryventi.com/certissue/trust_not_for_sun.png
>>
>> was:
>>
>> The applet was signed by <company name> but *Java* cannot verify the
>> authenticity of the signature's certificate. Do you trust this
>> certificate?
>>
>> The crucial difference between the message as you quoted it, and the actual
>> message, is in who is speaking as the source of the error message. The
>> message actually says that _JAVA_ cannot verify the signature.
>> This error message is coming from Java, not from Firefox. Java has its
>> own code and its own store of certificates for signature verification.
>> It does not use the signature verification built into the browser, and
>> the browser relies entirely on Java to verify the signature on files of
>> MIME content-type application/java-archive (which these are). The browser
>> does not verify the signature, but passes the received JAR to Java to verify
>> it.
>>
>> Also note that it is not asking you if you trust the applet, but rather
>> it is asking you if you want to trust the certificate. If you answer
>> positively, I believe Java may store that certificate so that henceforth
>> you will not be asked about applets signed with that same cert.
>>
>> Your issue is with Java, I believe, not with Firefox.
>> I think you'll get more help in a Java support forum.
>>
>> Regards,
>> Nelson
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
>
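Nelson's point above, that the JRE verifies the JAR with its own code and its own certificate store, and that the dialog is about trusting the signer's certificate chain rather than about whether the signature itself is valid, can be checked outside any browser. The program below is an added example for this thread, not code from Sun, Apple, Mozilla or any of the posters. It opens a signed JAR with verification enabled, reads every entry so the JRE checks the signature blocks and per-entry digests (that is the cryptographic "is it signed" question), and then separately runs PKIX path validation of each signer's certificate path against the trust anchors the JRE itself uses (that is the "do I trust this certificate" question the dialog is actually asking). The class name, the command-line argument and the printed verdict strings are the example's own choices.

```java
// Added example, not from the thread: separate "signature verifies" from
// "chain is trusted by the JRE" for a signed JAR. Usage: java JarTrustCheck app.jar
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JarTrustCheck {

    // Trust anchors from the JRE's own store (lib/security/cacerts, or the
    // javax.net.ssl.trustStore override). The OS keychain and the browser's
    // NSS database are not consulted, which is the point of the thread.
    static Set<TrustAnchor> javaTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);            // null => JRE default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    // Step 1, cryptographic: draining every entry of a JarFile opened with
    // verify=true makes the JRE check the .SF/.RSA blocks and per-entry
    // digests; a tampered entry raises SecurityException. Returns the signers.
    static Set<CodeSigner> verifySignatures(JarFile jar) throws IOException {
        Set<CodeSigner> signers = new HashSet<>();
        byte[] buf = new byte[8192];
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
            JarEntry entry = e.nextElement();
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* drain: triggers verification */ }
            }
            CodeSigner[] cs = entry.getCodeSigners(); // null if unsigned (or not yet read)
            if (cs != null) {
                for (CodeSigner c : cs) signers.add(c);
            }
        }
        return signers;
    }

    // Step 2, trust: PKIX validation from the signer's leaf to a root in the
    // JRE trust store. This is what the "cannot verify the authenticity of the
    // signature's certificate" dialog reports on; it can fail after step 1 passed.
    static String trustVerdict(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        for (java.security.cert.Certificate c : path.getCertificates()) {
            chain.add((X509Certificate) c);
        }
        // PKIX expects the anchor outside the path: drop a trailing self-signed
        // root when it is already one of the JRE's trust anchors.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            for (TrustAnchor a : anchors) {
                if (a.getTrustedCert().equals(last)) { chain.remove(chain.size() - 1); break; }
            }
        }
        CertPath trimmed = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);   // no OCSP/CRL fetch; keeps the check offline
        try {
            CertPathValidator.getInstance("PKIX").validate(trimmed, params);
            return "chains to a root in the JRE trust store";
        } catch (CertPathValidatorException ex) {
            return "NOT trusted by this JRE (" + ex.getMessage()
                 + "); the signature itself may still be valid";
        }
    }

    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Set<CodeSigner> signers;
            try {
                signers = verifySignatures(jar);
            } catch (SecurityException ex) {
                System.out.println("signature INVALID: " + ex.getMessage());
                return;
            }
            if (signers.isEmpty()) { System.out.println("JAR is unsigned"); return; }
            Set<TrustAnchor> anchors = javaTrustAnchors();
            for (CodeSigner s : signers) {
                CertPath p = s.getSignerCertPath();
                X509Certificate leaf = (X509Certificate) p.getCertificates().get(0);
                System.out.println("signed by " + leaf.getSubjectX500Principal().getName()
                    + ": signature OK, " + trustVerdict(p, anchors));
            }
        }
    }
}
```

Run it against the JAR that triggers the dialog: "signature OK" plus "NOT trusted by this JRE" reproduces exactly the situation both posters describe, where jarsigner -verify and the OS keychain are happy but the JRE's own trust store has no anchor for the chain. Two caveats: PKIX validation is done as of the current time, so an old applet's expired signing certificate will fail on validity dates (pass a date with params.setDate(...) to validate as of signing time), and "jarsigner -verify -verbose -certs" prints the same chain but says nothing about whether the JRE trusts its root.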