Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thawte Freemail certificate "Cannot verify authenticity" ?

Paul Libbrecht wrote:

your description is different than what I have, the keychain got much overhauled in 10.5.
In 10.5 I can see the list of all certifcates and where they are.

You didn't say what you were running on, so I went with what I had in front of me at the time, which was 10.4. My 10.5 results are below.


Which message did you get when accessing my website?
"Cannot verify authenticity" or simply "trust that guy? his authenticity is verified" ?

In Safari 3.0.4 on 10.5.2, with Java 1.5, it shows a security dialog saying "This applet was signed by "Paul Libbrecht Gourdet", but Java cannot verify the authenticity of the signature's certificate. Do you trust this certificate? ..."

This dialog has buttons "Show Certificate", "Don't Trust", "Trust". I clicked "Show Certificate" and it shows the certificate's chain of trust leading back to the root Thawte CA.

To dismiss the dialog I clicked "Don't Trust". Eventually I got a dialog saying: Certificate Not Verified, Code will be treated as unsigned.

Under Safari 2.0.4 on OS 10.4.9 with Java 1.5, the initial security dialog has different wording: "This applet was signed by "Paul LIbbrect Gourdet" and was authenticated by "Thawte Consulting" ...".

Clearly, "cannot verify the authenticity" is the wrong choice of words, or perhaps even the wrong message entirely. It clearly CAN verify the authenticity, because it shows the chain of Thawte certificates. The root Thawte cert is also identical to what's stored in my System Roots keychain, confirmed by looking at the fingerprints for the root CA in the security dialog and confirming with the fingerprints shown by Keychain Accesss.app.

What the browser/JVM doesn't know us whether I, the user, am willing to trust this certificate and all its signed content. In other words, it should be giving me the same dialog as I got on 10.4.9, including the same Thawte cert-chain and the same "authenticated by" message, but here the message is different (and wrong).

I recommend filing a bug with Apple that the wording of this dialog is wrong or misleading. It could be this is a symptom of a different bug in the Java plugin, namely that the System Roots really aren't getting looked at, so the result really is that it can't verify the authenticity of the signing cert's cert-chain.

Personally, I'd also check the wording of the dialog in these cases: where the code-signing cert isn't trusted, where the root CA is known but isn't trusted, and where the CA isn't known (no trusted root cert). I'm pretty sure you can configure all those cases under 10.5 just using Keychain Access.app.


I'm using 10.5.5 using JDK 1.6 on a MacBookPro.

I don't think the Java plugin will use Java 6, so in a web browser I don't think it's really using JDK 1.6 for any applets.

  -- GG

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden


Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.