This link is a general purpose TOC for Web Start: http://java.sun.com/j2se/1.4.2/docs/guide/jws/developersguide/contents.html
These are probably the relevant sections for the converstation: Web server config - http://java.sun.com/j2se/1.4.2/docs/guide/jws/developersguide/setup.html JAR signing - http://java.sun.com/j2se/1.4.2/docs/guide/jws/developersguide/development.ht ml#security cheers, Paul Smith > -----Original Message----- > From: Mark Womack [mailto:[EMAIL PROTECTED] > Sent: Wednesday, 18 June 2003 4:45 PM > To: Log4J Developers List > Subject: Re: Web start app & Certificates > > > I sent a message to [EMAIL PROTECTED] It will get > the conversation > started, but I think we need to understand exactly what we > will require. Is > there a WebStart document that can explain all this? > > -Mark > > ----- Original Message ----- > From: "Paul Smith" <[EMAIL PROTECTED]> > To: "'Log4J Developers List'" <[EMAIL PROTECTED]> > Sent: Tuesday, June 17, 2003 4:35 PM > Subject: RE: Web start app & Certificates > > > > > Setting up the keychain, signing the jars, and generating the > > > JNLP are easy > > > enough. I don't know if there's an "official" cert for > > > Jakarta, though, or > > > how the ASF Board would want to handle who has the password > > > to it. Maybe > > > Log4J would have its own? Would it make sense for the ASF to > > > be a CA so it > > > wouldn't have to pay Verisign/Thawte every year? That way > > > the ASF could > > > issue, for example, you a cert for signing Chainsaw, which > > > would be backed > > > by the "full faith and credit" of the ASF. (It would also > > > make it much more > > > managable if "you" turn out to abuse the cert and it needs to > > > be revoked.) > > > > Hi Jim, > > > > Thanks for your response. It would be great if ASF was a > Certificate > > authority, but I can imagine that's going to be a bit > involved! Does > anyone > > know if the ASF board has discussed these types of issues > at all? Aside > > from Web start, I can imagine that signing jar's will be an > important part > > of validating the authenticity of a package, rather than > the standard > > published MD5 checksums I think that are in use at the moment. > > > > I'm not sure where to proceed here... > > > > thanks again, > > > > Paul > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]