A DESCRIPTION OF THE REQUEST :

When Java WebStart initiates a signed Jar, or initiates an SSL session, it may pop up a security warning dialog about the peer. This warning dialog provides some identity information drawn from the X.509 certificate, and offers a button labeled "More Details". If the user presses that button, a certificate details window pops up. The details window displays a fair bit more information from the certificate, including subject DN, validity interval, etc. All of that is very good. However, the details window does not present the certificate 'fingerprint' or 'thumbprint'. Those fields are often used for out-of-band verification of certificates, and are virtually impossible for a user to compute on their own.

JUSTIFICATION :

In cases where an application is using a self-signed or private certificate for SSL or code signing, the usual PKI mechanisms for verifying the certificate do not work. In such cases, out-of-band verification using the certificate fingerprint (MD5 of the cert) or thumbprint (SHA1 of the cert) can be used. For example, most web browsers will display the fingerprint for a certificate in their 'Details' display. Java 1.4.2 and Java 5.0 do not seem to have this capability. That makes it a little harder to work with any non-rooted X.509 certificates.

EXPECTED VERSUS ACTUAL BEHAVIOR :

EXPECTED - It would be nice if the Certificate Details window included either or both fingerprints (MD5 or SHA1) as a selectable field. I know that the fingerprint is not part of the actual certificate, but it is very easy to compute and could be very helpful in some cases.

ACTUAL - The current Certificate Details window has the following fields: Version, Serial Number, Signature algorithm, Issuer, Subject, Validity, and Signature.

###@###.### 10/21/04 16:37 GMT
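The fingerprint the report asks for is a digest over the certificate's complete DER encoding. The following is an added example, not part of the original report and not Java WebStart code, showing the computation and the out-of-band comparison. The function names, the placeholder input and the SHA-256 option (what current tools usually display) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in bytes in PEM armor (NOT a real certificate), so this runs offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82\x01\x0a" + b"constructed placeholder " * 11).decode()
    + "-----END CERTIFICATE-----\n"
)

# Hex length of the claimed value tells us which digest the other party used.
DIGEST_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and return the DER bytes the fingerprint is computed over."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Digest of the whole DER encoding, shown as colon-separated upper-case hex."""
    hexdigest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches(der: bytes, claimed: str) -> bool:
    """Compare against a value obtained out of band (phone, printed sheet, etc.)."""
    wanted = re.sub(r"[\s:]", "", claimed).lower()  # accept "AA:BB", "aa bb", "aabb"
    algorithm = DIGEST_BY_HEX_LENGTH.get(len(wanted))
    if algorithm is None or re.fullmatch(r"[0-9a-f]+", wanted) is None:
        raise ValueError("expected an MD5, SHA-1 or SHA-256 hex fingerprint")
    actual = hashlib.new(algorithm, der).hexdigest()
    return hmac.compare_digest(actual, wanted)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name in ("md5", "sha1", "sha256"):
        print(f"{name:>6}: {fingerprint(der, name)}")
```

With a real certificate, pass its PEM text to `pem_to_der` and compare the result against the value the certificate owner supplied through a separate channel.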