>> This is probably not an ideal user experience - Acme's users don't
>> necessarily need to know that parts of the application came from Apache
>> - they just need to trust Acme. So, our assumption is that Acme would sign
>> all the JARs used by the application, including the Pivot JARs, with their
>> own certificate. This way, the user only gets prompted once, to trust
>> acme.com.
>
> Are you sure this is all set up correctly?
>
> The point behind CA certificates is that by saying "I trust this CA, I
> also trust any cert that this CA trusts", it removes the need to
> explicitly ask the user to trust anything - the user has already told
> you they trust your cert when the user trusted your CA cert.
You may be right. The results I mentioned were produced by self-signed certs, which wouldn't have a trusted CA. With valid certs, it is entirely possible that we might not see this behavior. Thanks for the suggestion.

Greg