Java 7 update security changes

[Norman Gray]

Laurent, hello.

On 2014 Jan 16, at 08:39, Laurent Bourgès <bourges.laurent at gmail.com> wrote:

> Is is possible that IVOA provides one single trusted certificate to VO
> application deployers ?
> 
> Doing so, a single organisation (=IVOA) will pay the trusted
> certificate (to global sign for example) ~ few hundred dollars (=563$
> for 3 years) !

That's an interesting thought.

That would require (if I understand you) distributing such a certificate and its password in a fairly unrestricted way.  It's possible, I suppose, that this would be against the terms of issue of such a certificate (though I haven't checked).

An alternative model, which goes more with the grain of how certificates are expected to be used, would be to give such a certificate to the IVOA document librarian -- this is currently Sarah, but if I recall correctly Caltech are hoping to pass this on to another organisation.  The librarian could then sign the application and turn it round with the same sort of timescale as when one submits documents to ivoa.net/Documents.

This needn't be an elaborate process, since the librarian is probably at least acquainted with all of the VO developers who'd be wanting applications signed.   It would add a final 1--2 day delay to the release of a new application version, but that presumably happens sufficiently rarely that it's bearable.

All the best,

Norman


-- 
Norman Gray  :  http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK