Bug ID: JDK-4523234 Timestamped Signatures

Type: Enhancement
Component: security-libs
Sub-Component: java.security
Affected Version: 1.4.0,1.4.1

Priority: P4
Status: Resolved
Resolution: Fixed
OS: solaris_8,windows_nt,windows_2000
CPU: generic,x86

Submitted: 2001-11-06
Updated: 2003-10-24
Resolved: 2003-10-10

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

Other
5.0 tigerFixed

When a signed applet is verified and the certificate has expired, there is no way to tell if the applet was signed when the certificate was still valid. The
current validation policy assumes applet to be untrusted if the certificate has
expired, but they cause side effect to well deployed massive application to
popup security warning unnecessary.

Solution: Build timestamping directly into signing tool, so validation process
may take place in Java Plug-in or Java Web Start by validating the timestamp.

Timestamping of signed jar files is covered in 4500302

CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: tiger tiger-beta FIXED IN: tiger tiger-beta INTEGRATED IN: tiger tiger-b24 tiger-b26 tiger-beta

14-06-2004

EVALUATION Name: sl23568 Date: 02/07/2002 This feature has been added for Tiger release ======================================================================

11-06-2004

Relates :	JDK-4649690 - Java Plug-in should consider time-of-signing when verifying signed jars
Relates :	JDK-4649703 - Web Start should consider time-of-signing when verifying signed jars
Relates :	JDK-4500302 - Verification of signed jars does not consider time-of-signing.