The recent Java 7 provides a (courtesy?) warning about something which has been in place for a decade...
Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced "to re-sign deployed JAR files annually" when the certificates expired.
→ http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html
A URL-based Time Stamp Authority (TSA) is usually provided by the issuing Certificate Authority (CA) to work with the same certificates the CA issued. For example, the digicert tsa url can be access as follows:
jarsigner -tsa http://timestamp.digicert.com [.. other options]
→ http://www.digicert.com/code-signing/java-code-signing-guide.htm
Time stamping with self-signed certificate may be an elusive goal since (1) a TSA timestamp needs to be an trusted arms-length transaction (which rules out "self timestamping"), and (2) typical TSA URLs are setup to work with the certificates provided by the same CA organization (i.e. the TSA URL does not process a self-signed certificate)
Update:
URLs to try for timestamping self-signed certificates:
- Symantec:
-tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp (per comment by brad-turek)
For a private network, one could consider an internal Timestamp Authority such as such as Thales (nCipher) Time Stamp Server (or historically OpenTSA)
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
