  1. #1
    Registered User
    Join Date
    Feb 2005
    Location
    Stockholm
    Posts
    10

    Certificate trust settings

    Hi,

    I have signed my midlet with a certificate from Thawte (Thawte Premium Server CA). This works fine in most phones, but the Series 60 models I have tried (6630 and 7610) fail during installation because of some kind of security failure.

    It turns out that the root certificate *is* installed, but with trust settings of "Program Installation: No, Internet: Yes, Java installation: No". When I changed these settings and rebooted the phone, it installed OK. This, however, is not something that is reasonable to expect the end user to do.

    It seems that the only certificates with trust settings "yes" for Java (on my 7610) are
    "Verisign Class 3 Public Primary Certification Authority",
    "Nokia Content Signing CA" and
    "Geotrust CA for UTI"

    I checked with Thawte whether this certificate really *is* a code signing cert and nothing else, and they responded:

    "The root certificate for all our code signing certificates is the Thawte premium server ca certificate. This is the correct root certificate for the code signing.

    This is not a known issue; however, Nokia does have different trust settings for SSL, whether normal secure WAP, HTTP or for code signing. Unfortunately we do not know all the trust details of the different phones on the market, and we are trying to contact all mobile phone manufacturers for more information with regard to SSL security. Thus, at the current moment, for exact trust details of different phones the best is to contact the phone manufacturers."

    My questions are:
    Can Nokia (or any other developer) verify that Thawte Premium Server CA does not work for midlet installation?
    What phones are concerned by this - all Series 60 phones or just some?

    This is a pretty severe issue as I see it, the reason being that the midlet installation *fails*, not just that it becomes untrusted. That means that the Content Provider has to be 100% sure that the downloading end user has the correct certificate settings - otherwise we need to send him an unsigned midlet, which we obviously do not want to do.

  2. #2
    Nokia Developer Champion
    Join Date
    Mar 2003
    Posts
    4,104
    This is answered already.
    Signing is a terrible process – often even useless. You need several code signing certificates. There is no one which fits all. Moreover, you bought the wrong one anyway. The same is true for my Nokia 6680.

  3. #3
    Registered User
    Join Date
    Mar 2003
    Posts
    8

    Re: Certificate trust settings

    By the way, to me the Thawte support just said the opposite - you need to sign with the Code Signing CA and not with the Server CA. But the Code Signing CA root certificate is not installed on Nokias!

  4. #4
    Registered User
    Join Date
    Feb 2005
    Location
    Stockholm
    Posts
    10

    Re: Certificate trust settings

    Well, in the end we skipped Thawte, and go with Verisign on a few devices. Most Nokias have pretty nice untrusted settings: "Session" for networking, which is OK. There are a few exceptions, and for these we sign the midlet with Verisign.

  5. #5
    Registered User
    Join Date
    Mar 2003
    Posts
    8

    Re: Certificate trust settings

    If you sign the midlet with Verisign, do you get the "blanket" (always allowed) permission available for Network Access, and on which models? We currently can't get it, even if midlets are signed (with a Bluetooth-uploaded Thawte root cert) and appear as "trusted third party" (using Nokia 6600 and 6630). Some say that you could get that with older 6600 firmwares, but Nokia removed it.
    Any indication of models (Nokia or other brands) where signed midlets can certainly get blanket access to network would be much appreciated.
    Thanks!

  6. #6
    Registered User
    Join Date
    Feb 2006
    Posts
    15

    Re: Certificate trust settings

    How can we know whether a public primary certificate authority authorizes PIM access or not?
    For that matter, how can one verify which features any certificate provides permissions for?
