I sent a message to [EMAIL PROTECTED] It will get the conversation started, but I think we need to understand exactly what we will require. Is there a WebStart document that can explain all this?
-Mark ----- Original Message ----- From: "Paul Smith" <[EMAIL PROTECTED]> To: "'Log4J Developers List'" <[EMAIL PROTECTED]> Sent: Tuesday, June 17, 2003 4:35 PM Subject: RE: Web start app & Certificates > > Setting up the keychain, signing the jars, and generating the > > JNLP are easy > > enough. I don't know if there's an "official" cert for > > Jakarta, though, or > > how the ASF Board would want to handle who has the password > > to it. Maybe > > Log4J would have its own? Would it make sense for the ASF to > > be a CA so it > > wouldn't have to pay Verisign/Thawte every year? That way > > the ASF could > > issue, for example, you a cert for signing Chainsaw, which > > would be backed > > by the "full faith and credit" of the ASF. (It would also > > make it much more > > managable if "you" turn out to abuse the cert and it needs to > > be revoked.) > > Hi Jim, > > Thanks for your response. It would be great if ASF was a Certificate > authority, but I can imagine that's going to be a bit involved! Does anyone > know if the ASF board has discussed these types of issues at all? Aside > from Web start, I can imagine that signing jar's will be an important part > of validating the authenticity of a package, rather than the standard > published MD5 checksums I think that are in use at the moment. > > I'm not sure where to proceed here... > > thanks again, > > Paul > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
