I have signed my MIDlet with a certificate from Thawte (Thawte Premium Server CA). This works fine on most phones, but the Series 60 models I have tried (6630 and 7610) fail during installation because of some kind of security failure.
It turns out that the root certificate *is* installed, but with trust settings set to "Program Installation: No, Internet: Yes, Java installation: No". When I changed these settings and rebooted the phone, it installed OK. This, however, is not something that is reasonable to expect the end user to do.
It seems that the only certificates with trust settings "yes" for Java (on my 7610) are:
"Verisign Class 3 Public Primary Certification Authority",
"Nokia Content Signing CA" and
"Geotrust CA for UTI"
I checked with Thawte whether this certificate indeed really *is* a code signing cert and nothing else, and they responded:
"The root certificate for all our code signing certificates is the Thawte Premium Server CA certificate. This is the correct root certificate for the code signing.
This is not a known issue, however Nokia does have different trust settings for SSL, whether normal secure WAP, HTTP or for code signing. Unfortunately we do not know all the trust details of the different phones on the market, and we are trying to contact all mobile phone manufacturers for more information with regard to SSL security. Thus at the current moment, for exact trust details of different phones, the best is to contact the phone manufacturers."
My questions are:
Can Nokia (or any other developer) verify that Thawte Premium Server CA does not work for MIDlet installation?
What phones are concerned by this - all Series 60 phones or just some?
This is a pretty severe issue as I see it, the reason being that the MIDlet installation *fails*, not just that it becomes untrusted. That means that the Content Provider has to be 100% sure that the downloading end user has correct certificate settings - otherwise we need to send him an unsigned MIDlet, which we obviously do not want to do.