JDK-6766758 : Add Verisign Timestamp CA certificate to JRE
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P5
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-11-03
  • Updated: 2011-02-16
  • Resolved: 2008-11-03
Related Reports
Duplicate :  
Description
A DESCRIPTION OF THE REQUEST :
If the Verisign timestamping certificate at:

https://knowledge.verisign.com/resources/sites/VERISIGN/content/live/SOLUTION/9000/SO9699/en_US/TimestampCA.cer

were added to cacerts in the JRE, then timestamping of applets would be possible using the jarsigner option -tsa https://timestamp.geotrust.com/tsa, which is also from Verisign (they own Geotrust).

This certificate is already included with Firefox so why not in the JRE too?

JUSTIFICATION :
Timestamping proves the date of the jar signing and can allow jar expiry to be extended beyond the signing cert expiry date. In one test with a one year signing cert the jar expiry was extended to around 9 years. This means the users do not get bothered with untrusted security alerts after only one year.

In a nutshell - less hassle for users.
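
The check behind this request, as an added example that is not part of the original report or of the JDK sources: it reads a signed jar, reports each signer certificate's expiry, and tests whether the timestamp's TSA chain validates against the running JRE's cacerts. The class name `TimestampCheck`, taking the jar path as the first argument, the stock `changeit` password and validating the TSA chain as of the timestamp date are assumptions of this sketch.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.jar.*;

// Added example (hypothetical class name); usage: java TimestampCheck signed.jar
public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        // Trust anchors: the running JRE's cacerts ("changeit" is the stock password).
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        File store = new File(System.getProperty("java.home"), "lib/security/cacerts");
        try (InputStream in = new FileInputStream(store)) {
            cacerts.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(false); // chain validation only, no CRL/OCSP lookups

        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // Code signers are only populated once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue; // directories, META-INF files, unsigned entries
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp();
                    String tsa = "no timestamp";
                    if (ts != null) {
                        params.setDate(ts.getTimestamp()); // assumption: judge the TSA chain at signing time
                        try {
                            CertPathValidator.getInstance("PKIX").validate(ts.getSignerCertPath(), params);
                            tsa = "timestamp " + ts.getTimestamp() + ", TSA chain trusted";
                        } catch (GeneralSecurityException ex) {
                            tsa = "timestamp " + ts.getTimestamp() + ", TSA chain NOT trusted: " + ex.getMessage();
                        }
                    }
                    System.out.println(entry.getName() + ": signer cert expires " + leaf.getNotAfter() + "; " + tsa);
                }
            }
        }
    }
}
```

An entry reported as "TSA chain NOT trusted" is the case the request describes: the timestamp is present in the jar, but its issuing CA is missing from cacerts.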