Bug ID: 4406748
Votes: 0
Synopsis: Certificate expiration causes applets to fail (see bugid 4357437)
Category: java_plugin:misc
Reported Against: 1.2.2
Release Fixed: 1.4(merlin-beta)
State: 10-Fix Delivered, request for enhancement
Priority: 4-Low
Related Bugs:
Submit Date: 22-JAN-2001

Description
java version "1.2.2"
I downloaded the 1.3.0_01 release. It is better than what I have, but still
not quite there yet.
What I see is that as soon as I try to open a signed applet with an expired
signature, it displays a popup saying something like "the signature is
expired. would you still like to use it". If I choose "yes", everything
works just fine.
The problem is, the signatures we have are only valid for one year,
which means that in one year, all our customers will start seeing this
warning EVERY TIME they launch the application!
The problem here is deeper: when a digital signature expires, it can't be
used to sign NEW code. However, code that was signed should stay signed
forever (think of it - when you sign a contract, does your signature fade
away after one year????)
The algorithm sounds simple: compare the date the code was created with the
date it was signed. If it was created BEFORE the signature expires, then the
code is signed. It doesn't matter if the signature is expired when you do
that check!
What I understood from bugid 4357437 is that this algorithm was implemented
in firefly. If you say that firefly is 1.3.0_01, then it was not - the popup
still shows. I would think that the bug should remain open until such an
algorithm is implemented.
Bottom line:
we need a version of the plugin that does not display a popup (and treats the
code as signed) if it sees code that was signed before the certificate
expired, regardless of whether the certificate is expired when the code is run.
(Review ID: 114352)
======================================================================
Work Around
My reasoning is simple:
a digital signature is the digital representation of a "real" signature.
If I sign a contract (in the real world), the signature doesn't fade away
after one year.
======================================================================
Evaluation
We have changed the verification algorithm in Merlin so that the expiration warning will only appear to the user the first time the applet is used. If the user grants "always trust" to the applet, the warning will not pop up again.
xxxxx@xxxxx 2001-01-24
Comments
Submitted On 26-MAR-2001
MMCLAUGH
I am also seeing the exact same behavior which is described
here and completely agree with what is written. I have been
distributing signed .CAB files for years and have NEVER had
this problem after my certificate expired. Once a .CAB
or .jar is signed it NEVER expires.
If your "fix" is to only show the warning to the user the
first time, this is WRONG! We have many customers using our
signed .jar (applet). They should never see this warning
because the .jar we sold them was correctly signed.
Please fix your algorithm to "compare the date the code was
created with the date it was signed. If it was created
BEFORE the signature expires, then the code is signed. It
doesn't matter if the signature is expired when you do
that check!"
We need this ASAP, as will many users of your plugin and
signed .jar files.
Submitted On 29-MAR-2001
migG
I agree with the initial observation by webbug. For example, object-signed code targeting
the Netscape JVM does NOT behave this way (i.e. the signature continues to remain valid after
the code-signing certificate expires).
Also, IE Authenticode-signed cab files make use of the VeriSign Time Stamp service to
ensure that the validity of the signature persists after the cert. expires. This is more work, and
there is currently only ONE such time stamp service generally available.
-Mitch
Submitted On 23-MAY-2001
blackhomerj
I also agree with webbug and others. I am facing a similar situation in which our certificate has expired and
now we are being pestered by the warning dialog. This is unacceptable and unnecessary.
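A model of the verification policy the reporter and MMCLAUGH ask for, combined with the time-stamp approach migG mentions; this is an added example written for this page, not the Java plugin's own code, and the class and function names are mine. Code is treated as signed after the certificate expires only when a trusted timestamp places the signature inside the validity window, and the expiry warning is reserved for signatures that carry no such timestamp.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional

class Verdict(Enum):
    VALID = "certificate valid right now: run without a warning"
    VALID_AT_SIGNING = "cert expired, but a trusted timestamp proves signing fell inside its validity: treat as signed"
    EXPIRED_NO_TIMESTAMP = "cert expired and no trusted timestamp: warn the user (the behaviour reported in this bug)"
    INVALID = "signature made outside the certificate's validity period: reject"

@dataclass(frozen=True)
class SignerCert:
    not_before: datetime
    not_after: datetime

def verify_signed_code(cert: SignerCert, now: datetime,
                       trusted_signing_time: Optional[datetime]) -> Verdict:
    """Decide how to treat code signed with `cert` when it is run at time `now`.
    `trusted_signing_time` must come from a time-stamp authority's countersignature,
    not from a date the signer wrote into the JAR manifest: a self-reported date
    cannot distinguish a signature made in the window from one back-dated later."""
    if now < cert.not_before:
        return Verdict.INVALID            # verifying before the cert is even valid
    if now <= cert.not_after:
        return Verdict.VALID              # normal case: nothing has expired yet
    if trusted_signing_time is None:
        return Verdict.EXPIRED_NO_TIMESTAMP
    if cert.not_before <= trusted_signing_time <= cert.not_after:
        return Verdict.VALID_AT_SIGNING   # the reporter's "signed before expiry" rule
    return Verdict.INVALID

def run_demo() -> dict:
    """Constructed sample: a one-year code-signing cert, as the reporter describes."""
    cert = SignerCert(datetime(2000, 1, 15), datetime(2001, 1, 15))
    signed = datetime(2000, 6, 1)         # TSA-attested signing time (constructed)
    return {
        "before_expiry": verify_signed_code(cert, datetime(2000, 12, 1), signed),
        "after_expiry_timestamped": verify_signed_code(cert, datetime(2001, 3, 26), signed),
        "after_expiry_untimestamped": verify_signed_code(cert, datetime(2001, 3, 26), None),
        "signed_after_expiry": verify_signed_code(cert, datetime(2001, 3, 26), datetime(2001, 2, 1)),
    }

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict.name}")
```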