> Setting up the keychain, signing the jars, and generating the JNLP are easy
> enough. I don't know if there's an "official" cert for Jakarta, though, or
> how the ASF Board would want to handle who has the password to it. Maybe
> Log4J would have its own? Would it make sense for the ASF to be a CA so it
> wouldn't have to pay Verisign/Thawte every year? That way the ASF could
> issue, for example, you a cert for signing Chainsaw, which would be backed
> by the "full faith and credit" of the ASF. (It would also make it much more
> manageable if "you" turn out to abuse the cert and it needs to be revoked.)

Hi Jim,

Thanks for your response. It would be great if ASF was a Certificate authority, but I can imagine that's going to be a bit involved! Does anyone know if the ASF board has discussed these types of issues at all?

Aside from Web Start, I can imagine that signing jars will be an important part of validating the authenticity of a package, rather than the standard published MD5 checksums that I think are in use at the moment.

I'm not sure where to proceed here...

thanks again,

Paul
