[ https://jira.codehaus.org/browse/MSHARED-299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tony Chemit updated MSHARED-299:
--------------------------------

    Assignee: Tony Chemit
    
> Add support for -tsa during signing (Trusted Timestamping)
> ----------------------------------------------------------
>
>                 Key: MSHARED-299
>                 URL: https://jira.codehaus.org/browse/MSHARED-299
>             Project: Maven Shared Components
>          Issue Type: New Feature
>          Components: maven-jarsigner
>    Affects Versions: maven-jarsigner-1.0
>            Reporter: Tony Chemit
>            Assignee: Tony Chemit
>
> Trusted Timestamping, introduced in Java 5 (2004), allows your customers to 
> validate your signature even after the certificate has expired. When you sign 
> a JAR file, the Timestamp Authority uses their clock to act as a notary and 
> cryptographically write the date and time into your file.
> Without this timestamp, users would only be able to validate your signature 
> based on their current date and time. This could be problematic for 
> long-running or embedded systems because the standard X.509 Certificates 
> contain a NotAfter date that typically ranges from one to four years.
> You interact with timestamp authorities when signing code with 
> jarsigner’s TSA argument:
> jarsigner -tsa http://timestamp.verisign.com …
> When your signed file provides a timestamp, Java is able to use that 
> information within the PKIXParameters and determine:
> - Do I trust this timestamp authority to act as a notary?
> - Is the signature date before the certificate’s time of expiration?
> - Based on Certificate Revocation Lists, was this certificate valid on or 
> before the signature date?
> - If the answer to all questions is yes, then the signature is deemed valid 
> even if the certificate has expired. Therefore, signed code on embedded 
> devices will continue to operate beyond the Certificate’s lifetime.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
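
To find signed JARs that will stop validating once the signing certificate expires, the following added example (not part of the original issue or of maven-jarsigner) uses the standard `java.security.CodeSigner` API to report, per signer, whether a timestamp is present and whether it falls inside the certificate's validity window. The class name `TimestampAudit` is hypothetical; the check does not evaluate TSA trust or revocation, which the issue also lists.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): audits a signed JAR for TSA timestamps.
public class TimestampAudit {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: java TimestampAudit <signed.jar>");
        Map<String, String> findings = new TreeMap<>(); // signer subject -> status
        int unsigned = 0;
        boolean problem = false;
        byte[] buf = new byte[8192];
        // 'true' enables signature verification; a tampered entry throws SecurityException on read.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Skip directories and META-INF (manifest and signature files carry no signers).
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsigned++; continue; }
                for (CodeSigner s : signers) {
                    X509Certificate cert = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp(); // null when the JAR was signed without -tsa
                    String status = "NO TIMESTAMP; validity ends at certificate NotAfter " + cert.getNotAfter();
                    if (ts != null) {
                        Date at = ts.getTimestamp();
                        boolean inWindow = !at.before(cert.getNotBefore()) && !at.after(cert.getNotAfter());
                        status = "timestamped " + at + (inWindow ? " (within" : " (OUTSIDE") + " certificate validity)";
                        problem |= !inWindow;
                    } else problem = true;
                    findings.put(cert.getSubjectX500Principal().getName(), status);
                }
            }
        }
        findings.forEach((who, status) -> System.out.println(who + ": " + status));
        if (unsigned > 0) System.out.println(unsigned + " unsigned entries");
        System.exit(problem || unsigned > 0 || findings.isEmpty() ? 1 : 0);
    }
}
```

The non-zero exit status lets a build or release pipeline reject artifacts that were signed without `-tsa`.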
