Ouch!
I've been out of the loop for a while trying to get caught up on local work
issues. This does not sound good. As I read the description from Oracle the
only way to use Java in browsers that does not require a commercial certificate
and a codebase compiled for each server (possibly you don't have to specify
your codebase location in the jar, but I think you do) is to have each local
user/intranet whitelist the particular jar from a particular source. This may
be OK within a large company infrastructure, but is not going to work for
general users.
Have I misread this?
The most amusing thing about this is that the alternative (javascript and
things like opengl) are no more secure for the same capabilities and so far
much slower.
We still need the java application, but I guess we pretty much need to get
everything converted to JSmol for web stuff.
Jonathan
On Nov 2, 2013, at 1:11 PM, jmol-users-requ...@lists.sourceforge.net wrote:
> Assuming the $500 certificate ensures that the signed Jmol java applet
> will not be blocked (?), I suspect there are a number of organizations that
> would be prepared to become sponsors...
>
>
> Quoting Robert Hanson <hans...@stolaf.edu>:
>
>> I direct the discussion to
>>
>> https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
>>
>> I believe this is the end of the unsigned Jmol Java applet along with
>> JSpecView and JME.
>>
>> In addition, I'm pretty sure our free-be signing will not pass muster as a
>> "trusted authority":
>>
>> RIAs must contain two things:
>>
>> 1. Code signatures from a trusted authority. All code for Applets and
>> Web Start applications must be signed, regardless of its Permissions
>> attributes.
>> 2. Manifest Attributes
>> 1. Permissions ? Introduced in 7u25, and required as of 7u51. Indicates
>> if the RIA should run within the sandbox or require full-permissions.
>> 2. Codebase ? Introduced in 7u25 and optional/encouraged as of 7u51.
>> Points to the known location of the hosted code (e.g.
>> intranet.example.com) <http://intranet.example.com>.
>>
>> The latest upload of Jmol takes care of (2a). However, unless (2b) allows
>>
>> Codebase: *
>>
>> that's pretty much it for the signed applet as well. [Or maybe someone goes
>> into the business of making custom signed Jmol applets for people!]
>>
>> Suggestions? Comments?
>>
>> If deployment of the signed Jmol applet is of interest, we will need a
>> sponsor, because a certificate costs US$500/year. Let me know if you are
>> interested in being that sponsor.
>>
>> At least we have a two-month lead on this (and I am headed for a visit with
>> RCSB on Sunday).
>>
>>
>> Bob
Dr. Jonathan H. Gutow
Chemistry Department gu...@uwosh.edu
UW-Oshkosh Office: 920-424-1326
800 Algoma Boulevard FAX:920-424-2042
Oshkosh, WI 54901
http://www.uwosh.edu/facstaff/gutow
------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users
