Re: JCE Code Signing Certificate
* Charles Fry:
> Well, I may not entirely understand your question, but here is my
> understanding of the situation, as supported by the document How to
> Implement a Provider for the JavaTM Cryptography Extension.
Unfortunately, this document doesn't explain why the certificate is
> In order to be trusted, the security provider must be signed with a
> key that was certified by the JCE Code Signing Certification
> Authority (see Step 5 of the document above).
So why can't we ship trusted root certificates for a Debian Code
Signing Certification Authority, or trust everything which is present
in the file system?
I have the strong suspicion that this certificate just asserts that
you have signed the CSR form and promised to comply with U.S. export
regulations, and nothing else. Maybe this was the result of a deal
between BXA/BIS and Sun which permitted Sun to export their
implementation. We don't need to follow such a procedure because
Debian has different means to comply with the regulations, and we do
not distribute Sun's implementation, AFAIK.