A Security Warning dialog is displayed referencing a Digital Signature error |
|
Article: P24419 |
|
The information in this article applies to:
Product: ToolBook
Component: DHTML / Applet Certificate
Product
version(s): ToolBook
9.5+
PROBLEM
When
viewing DHTML content from ToolBook, a Security Warning dialog is displayed
referencing a Digital Signature error.
In addition, if you click on the MORE INFORMATION link within the dialog, this is shown:
DETAILS
The dialog
in question is displayed by the Sun Microsystems Java Runtime Engine (aka Sun
JRE) browser plugin, in response to the loading of a Java Applet created by
SumTotal, for use in ToolBook lessons.
It seems to imply that the applet has expired and it no longer valid or safe to use.
Although it is true that users may see this warning
message when viewing ToolBook DHTML content, the warning message is not an
indication that the ToolBook Java applet is invalid. It is simply an indication
that our signing period has expired (this is the period where we can
create new applets using the issued signing certificate). It is not an
indication that the applet has expired.
This dialog is likely confusing
to end-users who have no idea what applets are, however ToolBook has no control
in this matter. It is the Sun JRE which is deciding to show
this dialog, and it is beyond ToolBook's control to instruct it not
to.
GENERAL BACKGROUND/DETAILS ABOUT JAVA APPLETS
Java applets
are often digitally signed to provide the user a level of assurance that the
applet comes from a known and trusted source, because executing Java code is a
potential security risk. This process is similar to having a physical document
signed by a Notary Public as verification that the person executing the document
is who he or she claims to be. In this case, the Notary Public would be
analogous to the Certificate Authority or CA who signs the
certificate.
Digital certificates used in the signing process are valid for a specified period of time,
typically for one to three years. This allows an organization such as SumTotal
to sign our shipping files (Java applets in this case) for that time period and
allow the end-user to trust that the applet had indeed been provided by
SumTotal. If the Java applet is created/signed within the certificate's valid
signing period, the signature is valid indefinitely.
However, the Sun JRE that is used to
run Java applets within a browser, cannot verify if the certificate was actually
signed during that valid period, if the current date is beyond that time period.
Therefore, the browser dialog reports that, although the applet was properly
signed with a trusted certificate, the certificate itself has expired.
It
is a common misconception that an applet signed with a certificate that has
expired is no longer safe to download or use. This is untrue. As long as the
applet was signed when the certificate issued by the CA (Certificate Authority)
was still valid, then the applet is valid according to the specification for
signing Java applets. Also, according to the specification, it is the
responsibility of the Sun JRE to warn the user if an applet has been modified
after it was digitally signed.
As long as the Sun JRE does not return an
error stating that the applet has been modified since it was signed, the applet
is still valid and safe to run.
As long as the user clicks on the RUN option in the dialog, the Applet will function just fine. Additionally if the user first chooses Always Trust Content from this Publisher, they'll never be prompted with a dialog from SumTotal again.
DECIDING IF JAVA IS NEEDED IN YOUR
LESSON
Actually, by default, Java is not used within ToolBook DHTML
content. Java will only be utilized by a ToolBook lesson if you turned on a
feature in ToolBook which demands Java be used.
The features which require Java include the following optional settings:
If none of those features are turned on, then no Java will be used within the lesson and therefore you'll not see a Digital Signature dialog.