Risto Helin's Forum Nokia Blog
http://blogs.forum.nokia.com/blog/risto-helins-forum-nokia-blog
<p>Works for Forum Nokia where his task is to represent Nokia in Symbian Signed and Java Verified.</p>
Rippe2009-11-24T01:47:43ZJava ME, Signing and Pop-ups
http://blogs.forum.nokia.com/blog/risto-helins-forum-nokia-blog/2009/10/30/java-me-signing-and-pop-ups
<p>
There are two major problems with Java ME and application signing:
</p>
<p>
1. Why does my application not install after I have signed it?
</p>
<p>
2. How do I get rid of the pop-ups in my application?
</p>
<p>
The first one I answered through Java Verified some time ago, with a presentation highlighting the problems encountered with Java ME applications not installing after they have gone through Java Verified. See <a href="http://www.javaverified.com" target="_blank" title="Why an unsigned MIDlet may stop working when signed.">here</a>, through the front page of Java Verified, if you want to read the presentation. Same presentation can also be accessed through the recourses and dowloads section of the site when I'm taken off from the main page.
</p>
<p>
The second, about the pop ups, is also quite straight forward thing to answer. Maybe I will do an other presentation and place it to Java Verified as well at some point. But in the mean while this blog will have to do. Unfortunately a short story becomes quite long when you dig into details, here I feel it is necessary to go a bit deeper.
</p>
<p>
In Java ME there are four domains in which the application can belong to. The number and the nature of pop-ups which the application presents depends on the domain and how the domain has been configured in the device. The access to different domain depends on if the application is signed or not and if signed, who signed it. Complicated? Not really.
</p>
<p>
Four domains:
</p>
<p>
1. Manufacturer domain - for manufacturer signed applications - no pop ups.
</p>
<p>
2. Operator domain - for operator signed applications - no pop ups.
</p>
<p>
3. Identified 3rd party protection domain (same as Trusted Third Party domain) - for Java Verified signed + Thawte and VeriSign code signing certificate signed applications - pop ups (same amount, no difference between Java Verified or Thawte or VeriSign)
</p>
<p>
4. Unindentified 3rd party protection domain (same as untrusted third party domain) - when the application is not signed - pop ups.
</p>
<p>
General rule is that Nokia signs only applications which Nokia owns and is liable of. In many cases same applies to Operators as well. For getting your application signed by Java Verified, there is a clear set of requirements which can be found from the <a href="http://www.javaverified.com" target="_blank" title="Java Verified">Java Verified web site</a>. Same applies to the code signing certificates from <a href="http://www.thawte.com" target="_blank" title="Thawte">Thawte </a>and <a href="http://www.verisign.com" target="_blank" title="VeriSign">VeriSign</a>, information can be found from their web sites. For leaving the application unsigned is your choice.
</p>
<p>
The main difference between the three is that Java Verified is a testing and signing process after which your application is signed. Thawte and VeriSign offer certificates which can be used to sign content and the creator of the content has to test the applications by them selves. I see two big benefits to using Java Verified. First is that if you are not 100% of your own internal QA (Quality Assurance) process', then Java Verified offers impartial testing. The other is that the signature is valid for ten years. The signature with the code signing certificates is only valid as long as the signing certificate is. Which means maximum of three years.
</p>
<p>
Just to take on example about the code signing certificates, if you buy a two year code signing certificate and sign something six months after you have received the certificate, the signature is valid for a year and a half. If you sign something 20 months after you received the certificate the signature is valid for four months. This is important to understand especially if you sell something. Since after the application's signature grows old, the application will not install. Most likely you will not get that problem with Java Verified signing your applications?
</p>
<p>
Then the pop ups. Generally you should get less pop up with signed applications. Like according to the MIDP 2 specification, unsigned applications ask for permission to make a HTTP connection every time it is established while running the application. Applications signed to the Identified Third Party domain only ask it once while running the application.
</p>
<p>
There are also application settings which are different between the two. In S60 devices when going to the App. manager and opening a Java ME application reveals a list of settings which can be made. A signed application can have "Allways allowed" status for a certain features.
</p>
<p>
The settings which can be made are determined by the settings of the device. If you work with nonoperator variant devices, then settings generally follow the specifications. With operator variants there may be differencies. Our Wiki tells more. Please have a <a href="http://wiki.forum.nokia.com/index.php/Category:Signing_and_Certification" target="_blank" title="Java ME: Signing and Certification">look</a>.
</p>Java2009-10-30T09:48:13ZRippeThat time of the year
http://blogs.forum.nokia.com/blog/risto-helins-forum-nokia-blog/2009/05/26/that-time-of-the-year
<p>
The time of Java One.
</p>
<p>
This year I feel things are bit different than in the past. Java Verified has released a new version of the criteria which cuts down the cost of getting an application title signed by 50%. That is out there and has been for a little while.
</p>
<p>
But that is not all. There are new services coming out. I will be talking about them and Java application signing in a BOF at Java One (BOF-3990, Signing Java™ Platform, Micro Edition Applications and the Renewed Java Verified Program). Its Tue the second of June, 20:30.
</p>
<p>
Then we have a<a href="http://wipjam.com/java-verified/" target="_blank"> mobile Jam session at Java One</a>. First you can try to stump the experts in a quiz and win some tee's. Following we'll have an unpanel session and some pitstops allowing you, our dear developers, to get your voice herd and get the discussion started.
</p>
<p>
I'll see you there!
</p>Java2009-05-26T09:51:51ZRippe