Does signing a Java ME MIDlet with a VeriSign certificate help avoid security warnings?
I was sure for a long time that the answer is yes.
But after I've read this article:
http://javablog.co.uk/2007/08/09/how-midlet-signing-is-killing-j2me/
(especially the "How MIDlet signing used to be" section), I was not sure.
I'm developing a Java ME application and my goal is to get rid of all those security warnings about network access and file system access.
Could anyone experienced in this area please help by providing an authoritative opinion on whether I should buy a certificate from VeriSign and sign my MIDlet or use some other way?
Comments (1)
Sam at Javablog certainly has a very valid point.
VeriSign certificates for MIDP are not available in all phones.
When they are available, they usually make your MIDlet belong to a "trusted third-party" security domain.
These days, there are typically 2 security domains with better access to permissions: "operator" and "manufacturer".
Getting your application signed by a mobile network operator is obviously only useful when you want to deploy it on a phone subsidised by that operator.
To be fair, operators will sometimes sign MIDlets with certificates that will work on phones sold in several countries.
I don't think operators got so powerful that handset manufacturer certificates were ever not included in actual phones sold to the public.
If you plan on wide deployment of your MIDlet, clearly, getting it signed by only one device manufacturer is not that great a strategy.
Signing strategies usually go hand in hand with choosing which market to target.
For a small controlled deployment, VeriSign signing may be enough, especially if your application isn't doing anything too sensitive.
To address the entire worldwide market, you will need to deploy many different versions of your application, each signed according to the target handset. In that case, you will at least need relationships with several MNOs and relationships with manufacturers won't hurt either.
The signing issue is only one of the fragmentation hurdles of large-scale MIDP development but it's the one that can't be addressed with just technical solutions.