certificate

[naeko]

i have one question. i don´t really understand how the certification proccess works:

here you can find how to create your own cert and how to sing your midlet.

http://www.spindriftpages.net/pebble...275880301.html

i´ve done it. it works fine. but what is the sense of such certs?
the mobile user should load my cert, my app and can use it. But I´m not trusted , so i can write absurd code in my midlet?!
what about CA, where you have to pay about 400$?
what are the steps?
1)send CSR
2)CA generate you a cert.
3)?
and then?
the same procedure?

what i want is:
the user should load only my application e.g. internet(it´s already signed with e.g. verisign. Verisign is in almost all mobiles as root cert.)
is this possible?

[njzk2]

the sense of such midlet is to identify the midlets that come from you, and only you
no one can issue certifications with your signature but you
it means for example that if you are trusted by someone, it can considere any applications comming with your certificate as trustable (and turn to you if things go wrong)
to get your app signed by a trusted 3rd part is surely more complicated

ps : it is basically the same system as ssl certficate, it assures you that the creator of the app is the person you think it is, but anyone can create one

[naeko]

ok. i understand the sense of certs.
but how to handle with it?
i have cert and
i have signed with this cert. my app.
now i have to copy both cert an app to my mobile?
is it not a little bit circuitous?
is there any other possibilities?
e.g:to import cert in jar file so that user should only load one file on his mobile?

[traud]

Normally you send a CSR to a CA which CA certificate is on your target device. You sign your JAD. Then the user downloads the JAD + JAR and everything is fine. Because the CA is known to your device already, no need to download the CA certificate.

The above procedure is a trick. It is a self signed CA. This CA is unknown to your target device. To make it known, the target device has to know (and load) your self signed certificate. This is a perfect test, so your application works and everything is as expected. This trick works on some Nokia Series 60 only. Actually I consider it a bug because the MIDP 2.0 specification says, that self signed MIDlets are not allowed.

The other question is: What is the benefit of signing? I see not so much, depending on your required permissions.

If I understand you correctly you want to do secure internet transmissions. For this no signed MIDlet is needed. A signed MIDlet gives you some more permissions (not many more) and avoids some warnings (not very much).

[naeko]

Thanks for reply

Normally you send a CSR to a CA which CA certificate is on your target device. You sign your JAD. Then the user downloads the JAD + JAR and everything is fine. Because the CA is known to your device already, no need to download the CA certificate.

it makes sound sense what you´re writing. But the CSR i send to CA is only the information about me (or the company). It means that I get a real certificate without sending written application i want to sign. So behind this signed midlet could be an absurd code, so there is no safety for user even application is signed?!

The above procedure is a trick. It is a self signed CA. This CA is unknown to your target device. To make it known, the target device has to know (and load) your self signed certificate. This is a perfect test, so your application works and everything is as expected. This trick works on some Nokia Series 60 only. Actually I consider it a bug because the MIDP 2.0 specification says, that self signed MIDlets are not allowed.

well, you´re right. I tried it with Nokia 7610 and i was suprized how it is easy to add/delete certificates. I thought, you´re not allowed to do it. Do you know how the certificates come on devices (who is authorized?mobile developer like nokia, motorola or mobile network operator like O2, T-Mobile?)

The other question is: What is the benefit of signing? I see not so much, depending on your required permissions.

If I understand you correctly you want to do secure internet transmissions. For this no signed MIDlet is needed. A signed MIDlet gives you some more permissions (not many more) and avoids some warnings (not very much).

so is there anybody who signes own apps?
which mobiles supports root certificates?

[traud]

there is no safety for user even application is signed?!

With the original MIDP signing, yes. You can even sign JARs of other programmers. But in reality most official CAs require more than a CSR…

I tried it with Nokia 7610 and i was suprized how it is easy to add/delete certificates. I thought, you´re not allowed to do it. Which mobiles supports root certificates?

You mix SSL/TLS/WTLS and code root certificates. It is normal to allow new SSL certificates, every browser on the destop allows this and many mobile phones do so, too. Not all but at least whole Nokia world. Code certificates (for Symbian OS and J2ME) are different. For example for J2ME, the MIDP on GSM/UMTS the specification disallows new root certificates.

Do you know how the certificates come on devices who is authorized?

Manufacturer and operator although operators should use the SIM as WSIM.

so is there anybody who signes own apps?

Manufacturs, Operators and those who need a special permission or want to limit the warnings. For example for JSR-75 (File & PIM) it is very useful.

[naeko]

sorry that i always have a question on your reply

With the original MIDP signing, yes. You can even sign JARs of other programmers. But in reality most official CAs require more than a CSR…

i think verisign is an official CA, which exists on much mobiles (Verisign 1,2,3,4) and they only wanted CSR from me. absurd...

You mix SSL/TLS/WTLS and code root certificates. It is normal to allow new SSL certificates, every browser on the destop allows this and many mobile phones do so, too. Not all but at least whole Nokia world. Code certificates (for Symbian OS and J2ME) are different. For example for J2ME, the MIDP on GSM/UMTS the specification disallows new root certificates.Manufacturer and operator although operators should use the SIM as WSIM.

In some mobiles i have options "certificate management" where i find differtent certificates(geotrust, thawte, verisign, nokia, etc.). are these SSL or root certificates? Other mobiles don´t care what application you install. they don´t even alert you about untrusted midlet (e.g. Nokia 6210) and you can´t find nowhere an option of "certificate management" to see existing certificates. Are there special series of mobiles or does it have something with symbian devices to do?

Manufacturs, Operators and those who need a special permission or want to limit the warnings. For example for JSR-75 (File & PIM) it is very useful.

Are there other warnings which user can switch off using signed midlet except JSR75???

[traud]

First of all trusted MIDlets are a MIDP 2.0 only concept. Trusted MIDlets will work on MIDP 1.0 devices but there is no certificate concept. The certificate managment of phones is very heavy manufacturer dependent. Nokia (all Series) shows all certificates and mix them all in one place. You are able to see in the options if it is a SSL, Symbian or J2ME certificate. Some are for all, some for one.

Which permissions are given to a 3rd party trutsed and which to an untrusted MIDlet depends on phone model (and firmware). Here on my Nokia 6680 it is useless; except for JSR-75. On other models you get more permissions; on others less. And not all phones have the same CAs. Unknown CAs lead to a rejected MIDlet instead of an untrusted MIDlet. And so on…only sign your MIDlet if really, really useful. At least offer two JADs: One untrusted.

Nokia 6210? It has no J2ME.

Verisgn: I said most. Not all.