×

Discussion Board

Results 1 to 11 of 11
  1. #1
    Registered User
    Join Date
    Feb 2006
    Location
    Bonn, Germany
    Posts
    16

    Thawte Premium Server CA

    Hi!

    Would you recommend signing MIDlets with a Javasoft code Signing Certificate from Thawte.com? They're less than half the price of VeriSign certs, and many of our test phones here have the corresponding root certificate on them.

    The question regards Nokia phones AND other Vendor phones as well. But an answer such as "Support is good/poor/excellent" on Nokia devices will suffice.


    The Root CA Certificate I mean is the following:

    -----BEGIN CERTIFICATE-----
    MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
    FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
    VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
    biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
    dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
    MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
    MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
    A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
    b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
    cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
    bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
    VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
    ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
    uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
    9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
    hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
    pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
    -----END CERTIFICATE-----

    ***
    Thawte Premium Server CA

    Format:
    X.509

    Issuer:
    Thawte Consulting cc,
    Certification Services Division,
    ZA, Western Cape, Cape Town

    Valid from:
    01/08/1996

    Valid until:
    31/12/2020

    Algorithm:
    MD5 RSA

    Serial Number:
    01

    Fingerprint SHA1:
    627F 8D78 2765 6399 D27D 7F90 44C9 FEB3 F33E FA9A

    Fingerprint MD5:
    069F 6979 1666 9002 1B8C 8CA2 C307 6F3A
    ***
    Moritz Voss
    MEF Mobile Entertainment Factory
    [url]http://www.m-e-f.net[/url]

  2. #2
    (Retired) Nokia Developer Admin.
    Join Date
    Jan 2006
    Location
    Michigan
    Posts
    4,664

    Re: Thawte Premium Server CA

    I can't comment about Thawte or Verisign but I just wanted to let you know that Java Verified is a requirement to access our sales channels. So the down side of both VeriSign and Thawte is that they do not offer access to our sales channels.

    Ron

  3. #3
    Registered User
    Join Date
    Feb 2006
    Location
    Bonn, Germany
    Posts
    16

    Cool Re: Thawte Premium Server CA

    We're only marginally interested in Nokia sales channels, but thank you for the information.

    Primarily, my question was geared towards Trusted Third Party domain MIDlets signed in-house by a developer using a code signing certificate from either Thawte or verisign.
    Moritz Voss
    MEF Mobile Entertainment Factory
    [url]http://www.m-e-f.net[/url]

  4. #4
    Registered User
    Join Date
    Jun 2005
    Location
    Iceland
    Posts
    5

    Re: Thawte Premium Server CA

    My problem with Thawte certificates is that on those nokia 60 series handset i've installed my midlet on I had to manually change trust settings on the thawte root certificate before I could install the midlet. That kills any distribution possibilities.

  5. #5
    Registered User
    Join Date
    Feb 2006
    Location
    Bonn, Germany
    Posts
    16

    Re: Thawte Premium Server CA

    Quote Originally Posted by johanngudmundsson
    My problem with Thawte certificates is that on those nokia 60 series handset i've installed my midlet on I had to manually change trust settings on the thawte root certificate before I could install the midlet. That kills any distribution possibilities.
    Wow, thanks for that info, that's very valuable indeed. We opted for Verisign; which sucks not that much less, because Samsung and Motorola are completely out of the loop for them. Sad story...
    Moritz Voss
    MEF Mobile Entertainment Factory
    [url]http://www.m-e-f.net[/url]

  6. #6
    Regular Contributor
    Join Date
    Feb 2004
    Posts
    90

    Re: Thawte Premium Server CA

    It is also carrier dependent. For example, Samsung and other devices on Sprint only support Verisign. From what I've seen, Verisign tends to be supported in more places, so if you can only get one, it's a better bet.

  7. #7
    Nokia Developer Expert
    Join Date
    Jun 2005
    Posts
    923

    Re: Thawte Premium Server CA

    Hi all,

    Just as a practical tip, if you sign your application through Java Verified, you won't suffer as much with the lack of root certificates on the phones as you're now. The reason is that the .jar file is gonna be signed with Unified Test Initiative root certificate, which is present in the majority of phones, both from Nokia and other vendors.

    You don't have the same guarantee with standard certificates.

    Daniel

  8. #8
    Super Contributor
    Join Date
    Mar 2006
    Location
    Phoenix, AZ. USA
    Posts
    556

    Angry Re: Thawte Premium Server CA

    Hi,

    We have a verisign code signing certificate, works well on MOST devices we have run into until now.

    On the Nokia Series 40 6101 With TMobile and 5.99 TZones, our midlet cannot access the internet. Now before I get a barrage of useless comments about TZones and the blocking of port 80 I'd like to point out that I am aware of TMobiles behaviours with different Devices and http connections, i.e. midlet works on a branded unlocked Nokia 6010 from TMobile using sim card but does not work on branded locked Nokia 6101 using same sim card.

    on the 6101, their is a setting if your application is selected, under application->options stating "App. Access" but it is greyed out, when you click it, you get an info message "Not available for this application". I tried signing the application with the Verisign cert, but when trying to download, i get an error "certificate not on phone or sim"

    i read through the forums, that this may be caused by lack of CA certificate on device, for instance device lists "Verisign class 3 code signing 2001 CA" as being installed, where the intermediate in our certificate is "Verisign class 3 code signing 2004 CA". So this might be an issue, I tried manually installing the CA certs, but cannot get the devices browser to download them (might be IIS, even though I set the correct mime type) so this failed.

    i read through the forums, that you may be able to overcome the "app. access" feature being greyed out, by manually installing the application using infrared and pc suite, installation worked, but still have same issue of "app. access" being disabled. so i manually copied the jar and jad over using infrared, the jad file is not a recognized file type on device, so is useless to try and run/install it (BTW also tried this approach with CA certs, with same results) but you can install the jar, though after install, app. access is still disabled

    when you run the application, and it attempts to connect to internet, the system throws an info message of "Application access set to not allowed". In the Nokia manual for this device, they state that "app. access" needs to be set or modified for an application to access the internet, but what is the use, if the user is not allowed to change it. Thus basically in the devices current state, a java app will run, but never be allowed to access the internet.

    i browsed more forums, reading all about tweaking the access points, which helped some people with the 6101, but did not help me, nor how could it, think about it, the applications permissions are unchangeable, how would adding an access point, overcome the issue with the java midlet not even being able to open the http connection, before, or as you attempt to open the connection using code, the user is prompted to allow disallow access, but this, and the cr$ppy samsung, dont even prompt the user, they just automatically throw a security exception (yes the network code is on a different thread, even experimented with same thread, just in case, to no avail) so none of the access point settings helped. if anyone reads this, that has a nokia 6101 that was originally branded as TMobile and has a midlet where the "app. access" is not greyed out, i would love to hear it, as well as how it was accomplished.

    back to the signing, when i signed my app, and manually copied to device, i.e. no OTA, when attempting to run, i get certificate not valid error. I tried signing with no permissions, with permissions as optional, with permissions as both optional and required, to no avail.

    i tried an unsigned version, with no permissions, as well as with the http permission as required, hoping this might enable the "app. access" but did not work.

    so does anyone know, how to sign an midlet to be installed on a tmobile branded device, has anyone ever succeded? if yes, did you manually install the CA certificates, or were they already installed?

    Is it true to assume that no midlet can be signed for tmobile, unless it is JavaVerified signed? If this is true, then what the heck, as the 6101 is one of the lead devices to be tested on, for JavaVerified signing, how can you build you application correctly, so it will run bug free on 6101, if you cant even test on it.

    Anyone out there with 6101 devices please post your results to this little questionaire.

    1. Carrier: XXX
    2. DataPlan: XXX
    3. Geo. Location: XXX
    4. Model: 6101
    5. Firmware: i.e. get it by entering *#0000#, please state date, version, and RM if any
    6. Do Midlets you installed, acces the internet, with no error? yes/No
    7. Do Midlets you installed, under options, have the "app. access" greyed out. Yes/No
    8. When running one of these MIDlets, are you prompted to allow the Midlet to access the internet? Yes/No

    Does anyone know any magic codes, to enable the java midlet access to internet, or jad attributes, etc.

    I have also read, that just being javaverified, may not help, as some manufacturers and carriers, give and or take away various permissions at their will. It would seriously suck to get javaverified, just to find out that it still does not give the app acces to the internet.

    Any help, information, comments, feedback, results to questions, would be greatly appreciated.

    PS: If anyone has a javaverified signed app that makes httpconnections, i would love to download, and test it on 6101, to see what the outcome is, to see if java verified really works on this device. also if others have run into the same issue, with tmobile and their app working on some devices, but not on other tmobile nokia devices, or a signed app working on some devices, but not other tmobile devices, please list them

    Sincerely,
    Jason Glass
    http://IChiBanComputers.Com

  9. #9
    Registered User
    Join Date
    Jun 2006
    Posts
    2

    Re: Thawte Premium Server CA

    The Nokia 6101 (t-mobile branded device) is not provisioned correctly by the T-Mobile carrier, neither is the 6103. These T-Mobile devices can not support http access from within a MIDlet. A log shows that it is not a security exception due to an invalid signature but a settings issue that is uncorrectable except by T-Mobile.

    But I would like more information about signing T-Mobile handsets. How is it done? They don't accept a verisign certificate. How do we sign them to test applications for T-Mobile?

  10. #10
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Thawte Premium Server CA

    You should contact T-Mobile developer support on this security policy issue.
    Unfortunately I do not have a good URL for you to go to.

    Hartti

  11. #11
    Super Contributor
    Join Date
    Mar 2006
    Location
    Phoenix, AZ. USA
    Posts
    556

    Re: Thawte Premium Server CA

    some tmobile devices support using verisign certificates for code signing, unless i am mistaken...but alot of the new devices, I .e. straight from shelves seem to give issues with signing, as well as you guys mentioned - http access. if you search my posts, you'll find a nice post with which i finally got more clarification on the issue, these carriers!

    hartti, do you have the link for tmobiles developer program (if it exists) cus it's kinda hard to find it seems.

    good luck
    Jason Glass
    http://IChiBanComputers.Com

Similar Threads

  1. J2ME and Server communication
    By johanmeyer in forum Mobile Java Networking & Messaging & Security
    Replies: 7
    Last Post: 2004-07-07, 00:26
  2. Nokia Activ Server 2.1 - problems
    By choumanb in forum WAP Servers
    Replies: 0
    Last Post: 2003-05-16, 07:34
  3. Test GPRS modem with Microsoft SQL Server 2000
    By chadahamat2704 in forum Digital Rights Management & Content Downloading
    Replies: 0
    Last Post: 2003-03-13, 07:36
  4. Problem Starting the server
    By Nokia_Archived in forum WAP Servers
    Replies: 1
    Last Post: 2002-05-14, 18:03

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
×