Nick Minutello - 16/Feb/04 01:45 PM
It must have been late - this was meant for Confluence.

The only reason why we need the applet to be signed is to get access to the system clipboard.

The applet should be really signed by whomever is hosting JIRA. On jira.atlassian.com that would be us. We do not see too much benefit in getting the proper certificate to sign the applet at the moment. Do you really need the applet to be signed by us?

>> The applet should be really signed by whomever is hosting JIRA.
Usually, the applet is signed by whoever wrote/released it. In this case, that would be Atlassian?

I guess the question is: Should the user allowing the applet to access his system's clipboard trust Atlassian or the company that is hosting the JIRA instance he is using? I guess at the end of the day it is Atlassian as we are distributing the code. But if the user knows very little about Atlassian and sees the applet signed by us rather than the website (JIRA) that he is using - wouldn't that be a little confusing? Also, why is this actually an issue? Is it just unprofessional?

The Certificate/Trust is with the vendor/supplier of the software - not the website it happens to be hosted on. Think about Macromedia Flash - there are no sites where the flash plugin is signed by the hosting company - it's signed by Macromedia.

>> Also, why is this actually an issue? Is it just unprofessional?
Exactly. It's very unprofessional for a commercial application. And in a corporate environment, where security is taken rather seriously (esp a bank), security warnings like this are a big no-no. In JDK 1.5, it will be configurable that applets/webstart applications with non-trusted certificates won't be run - because we asked for it. I don't know whether I should raise another issue - but that screenshot feature needs to be able to be disabled administratively as well.

Cool. I will leave this issue open for discussion. Attaching screenshots is only available if attachments are turned on and the user has the create attachment permission. (Actually there is no "special" backend for screenshots. The applet posts the data to the same action - AttachFile.) Is this good enough? Or would you still like to have the option to turn the screenshot attachment off?

What is the status on getting this applet signed with a valid certificate?

Put on the backburner while we try to get the next (overdue) version out.

You just need to buy a cert - and sign the jar. I'll even give you a tool to make your signing easier.

Possibly of interest: http://www.cacert.org/ via slashdot:

I'll add a +1 to this issue... although I don't care who it's signed by, I just need it signed so our users stop emailing me to tell me about the warning that pops up on their screen.

Nick - any idea of which certificate provider is the cheapest / easiest to go with? It appears that cacert (above) isn't installed in anyone's browsers. Any suggestions?

I will find out what we support at work - it will give us some indication. Don't you already have a cert for the https site (https://www.atlassian.com/software/Buy.jspa?product=jira)?

Yes, that would be a good choice.

Certificate details for https://www.atlassian.com/software/Buy.jspa?product=jira
This certificate has been verified for the following uses: SSL Server Certificate
Issued To Organization (O) Atlassian Software Systems Pty Ltd
Issued By Organization (O) Thawte Consulting cc
Validity Expires On 2007-02-01
SHA1 Fingerprint 92:FE:C4:45:2B:7D:23:05:CE:C3:F0:B1:9D:F8:1E:DE:86:23:E3:AA

It appears that even if we sign the applet with a proper certificate the popup when the applet loads still shows up. The popup however does not display warnings that the certificate is from a company that is not trusted, but information messages, saying that the applet is signed by a certificate from a trusted authority. Some confirmation to this can be found here: The popup will keep appearing every time the browser is restarted, unless the user clicks the "Always" button, instead of "Yes", for trusting the applet. The question is, would you like us to sign the applet anyway, even though it looks like there is no way around the popup? Also, the certificate says it is distributed by "www.atlassian.com", is this OK with you, or would you like it to say "Atlassian Software Systems"? In the latter case I think we will need to buy a new cert?

Yes, I want the applet signed. [No popup = silent install/execution of foreign software? Perhaps java has a "trusted sites" concept? whatever...] The popup is fine. And yes, there is no way around that. The problem wasn't the popup per se - it was the "Invalid Certificate" Warning. www.atlassian.com is fine.

Nick, Björn
Thanks for the feedback. The applet in 3.2 final will be signed by our certificate. Thanks,
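The thread above settles on "buy a cert and sign the jar", and notes that once the signer's certificate chains to a trusted authority the JVM still prompts, but with an information message rather than an "Invalid Certificate" warning. Whoever hosts the signed applet also wants to know what that signature actually covers. The following is an added example, not code from this JIRA issue or from Atlassian: it builds a constructed JAR in the layout `jarsigner` produces (per-entry digests in `MANIFEST.MF`, a `.SF` file digesting the manifest, and a signature block) and re-checks the digest layers, so that an entry added after signing shows up as uncovered and a modified entry fails its digest. The signer alias `EXAMPLE`, the sample entry names and the placeholder `.RSA` bytes are constructed for the example; verifying the real PKCS#7 block and the certificate chain is left to `jarsigner -verify -certs`.

```python
"""Added example (not JIRA's or Atlassian's code): the digest layers of a signed JAR.

Under META-INF/ a signed JAR carries:
  MANIFEST.MF - a digest of every entry
  <ALIAS>.SF  - a digest of the manifest and of each manifest section
  <ALIAS>.RSA - a PKCS#7 signature over the .SF (checked by jarsigner / the JVM)
This builds a constructed JAR in that layout and re-checks the first two layers.
The PKCS#7 block and certificate chain are NOT verified here.
"""
import base64
import hashlib
import io
import re
import zipfile

SIG_ALIAS = "EXAMPLE"      # constructed signer alias for this example
SIG_BLOCK = b"\x30\x00"    # placeholder for the PKCS#7 block; not a real signature


def _b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _section(name: str, digest: str) -> bytes:
    # One named section; JAR tools terminate sections with a blank CRLF line.
    return f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n".encode("utf-8")


def build_jar(entries: dict, sign: bool = True) -> bytes:
    """Return JAR bytes for {path: content}; signed layout when `sign` is True."""
    sections = {n: _section(n, _b64sha256(c)) for n, c in entries.items()}
    manifest = b"Manifest-Version: 1.0\r\n\r\n" + b"".join(sections.values())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if sign:
            # The .SF digests the whole manifest and each manifest section.
            sf = (b"Signature-Version: 1.0\r\n"
                  + f"SHA-256-Digest-Manifest: {_b64sha256(manifest)}\r\n\r\n".encode("ascii")
                  + b"".join(_section(n, _b64sha256(s)) for n, s in sections.items()))
            z.writestr(f"META-INF/{SIG_ALIAS}.SF", sf)
            z.writestr(f"META-INF/{SIG_ALIAS}.RSA", SIG_BLOCK)
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def tamper(jar_bytes: bytes, name: str, new_content: bytes) -> bytes:
    """Replace one entry's bytes while leaving META-INF untouched (simulated tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in src.namelist():
            dst.writestr(n, new_content if n == name else src.read(n))
    return buf.getvalue()


def _parse_sections(text: bytes) -> dict:
    """Map entry name -> (raw section bytes, SHA-256-Digest) for each 'Name:' section."""
    out = {}
    for raw in re.split(rb"\r\n\r\n", text):
        if not raw.startswith(b"Name: "):
            continue
        raw += b"\r\n\r\n"   # restore the terminator so digests match what was signed
        name = re.search(rb"^Name: (.*)\r\n", raw, re.M).group(1).decode("utf-8")
        m = re.search(rb"^SHA-256-Digest: (.*)\r\n", raw, re.M)
        out[name] = (raw, m.group(1).decode("ascii") if m else None)
    return out


def check_jar(jar_bytes: bytes) -> dict:
    """Report which digest layers hold. Lists hold entry names; flags are booleans."""
    report = {"signed": False, "has_sig_block": False, "sf_manifest_ok": False,
              "sf_sections_ok": False, "manifest_ok": [], "bad_digest": [], "uncovered": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        manifest = z.read("META-INF/MANIFEST.MF")
        man = _parse_sections(manifest)
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue   # manifest, signature files and directories carry no digest
            if name not in man:
                report["uncovered"].append(name)      # added after signing: unprotected
            elif man[name][1] == _b64sha256(z.read(name)):
                report["manifest_ok"].append(name)
            else:
                report["bad_digest"].append(name)     # content changed after signing
        sfs = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if sfs:
            report["signed"] = True
            sf = z.read(sfs[0])
            m = re.search(rb"^SHA-256-Digest-Manifest: (.*)\r\n", sf, re.M)
            report["sf_manifest_ok"] = bool(m) and m.group(1).decode("ascii") == _b64sha256(manifest)
            sf_sec = _parse_sections(sf)
            report["sf_sections_ok"] = all(
                n in sf_sec and sf_sec[n][1] == _b64sha256(raw) for n, (raw, _) in man.items())
            base = sfs[0][:-2]   # "META-INF/EXAMPLE." -> look for the matching signature block
            report["has_sig_block"] = any(
                n.startswith(base) and n[len(base):] in ("RSA", "DSA", "EC") for n in names)
    return report


if __name__ == "__main__":
    jar = build_jar({"com/example/ScreenshotApplet.class": b"\xca\xfe\xba\xbe demo",
                     "res/ui.properties": b"title=Attach screenshot"})
    print("signed jar:  ", check_jar(jar))
    print("tampered jar:", check_jar(tamper(jar, "res/ui.properties", b"title=changed")))
    print("unsigned jar:", check_jar(build_jar({"a.txt": b"hello"}, sign=False)))
```

For a real deployment, `jarsigner -verify -verbose -certs app.jar` performs the cryptographic check this example deliberately stops short of (the signature over the `.SF` and the chain to a trusted CA, which is what decides whether the user sees the "trusted authority" message or the "Invalid Certificate" warning discussed above); the digest walk here is useful for seeing that a file dropped into the JAR after signing is simply not covered, rather than rejected.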