[ease-dev] [EASE] Sign and Verify Script

Hi Christian,

In the first meeting, I was not able to clearly specify several things I wanted to do related to certificates.

I was trying to say that if we use the SSL certificate directly from a website to verify the signature, it would put a restriction on who can upload a script to that website. Since signing is done using the private key and verification must be done using the corresponding public key, and since only the website owner will have access to the private key, only he will be able to sign scripts that can be verified using the SSL certificate of that website.
Also, what if the website does not have any SSL certificate but the signer has a certificate signed by a root? There are several utilities available, such as keytool, that can make a CSR (Certificate Signing Request) and get the user's certificate signed by a root. Such certificates are stored in a keystore with the corresponding private key. So, users can have certificates signed by a root in their keystore. We can access that certificate while we are signing the script.

So, my proposal is that at the time of signing a script, we get the certificate that is already signed by a root if there is one, otherwise a self-signed certificate. After getting this certificate, we can append the certificate, along with the signature, to the script file. So, on the verifier side, we can directly check whether the attached certificate is signed by a root or not and ask the user to act accordingly.

I hope I am making myself more clear now.

I am also working on how to add a Preference Page and descriptors in Eclipse. I have several doubts about those things. The vogella site contains a description of preference pages for Eclipse 3.x, and we are probably targeting 4.x, so I am having several problems saving preferences. I will post about it shortly.

Thanking you,
--
Varun Raval
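
The sign-then-append flow proposed in the message above, sketched with the openssl command line as an added example (it is not part of the original message and is not EASE code). The trailer layout, marker text, function names, file names and the throwaway test PKI are all assumptions made for this sketch.

```shell
# Added illustration: the trailer layout, marker and function names are
# assumptions for this example, not an EASE format. Needs the openssl CLI.
MARK='/*-----BEGIN SCRIPT SIGNATURE-----'

# sign_script SCRIPT KEY CERT OUT: append signature and signer certificate.
sign_script() {
    body=$(mktemp) || return 1
    awk 1 "$1" > "$body"    # normalise the final newline before signing
    sig=$(openssl dgst -sha256 -sign "$2" "$body" | openssl base64)
    [ -n "$sig" ] && { cat "$body"; echo "$MARK"; echo "$sig"; cat "$3"; echo '*/'; } > "$4"
    rc=$?; rm -f "$body"; return $rc
}

# verify_script SIGNED CAFILE. Exit status: 0 = signature valid and certificate
# chains to a root in CAFILE; 2 = signature valid but certificate untrusted
# (e.g. self-signed), so ask the user; 1 = no trailer or signature mismatch.
verify_script() {
    t=$(mktemp -d) || return 1
    awk -v m="$MARK" '$0 == m {exit} {print}' "$1" > "$t/body"
    awk -v m="$MARK" 'f {print} $0 == m {f = 1}' "$1" > "$t/trailer"
    sed '/^-----BEGIN CERTIFICATE-----$/,$d' "$t/trailer" | openssl base64 -d > "$t/sig" 2>/dev/null
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$t/trailer" > "$t/cert"
    rc=1
    if openssl x509 -in "$t/cert" -noout -pubkey > "$t/pub" 2>/dev/null &&
       openssl dgst -sha256 -verify "$t/pub" -signature "$t/sig" "$t/body" >/dev/null 2>&1
    then
        rc=2; openssl verify -CAfile "$2" "$t/cert" >/dev/null 2>&1 && rc=0
    fi
    rm -rf "$t"; return $rc
}

# demo: constructed test PKI (root, CSR-issued cert, self-signed cert) and script.
demo() {
    d=$(mktemp -d) || return 1
    ( cd "$d" && new='openssl req -newkey rsa:2048 -nodes' &&
      $new -x509 -keyout root.key -out root.pem -subj '/CN=Demo Root' &&
      $new -x509 -keyout self.key -out self.pem -subj '/CN=Self Signed' &&
      $new -keyout ca.key -out ca.csr -subj '/CN=Script Author' &&
      openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial -out ca.pem
    ) >/dev/null 2>&1 || return 1
    printf 'print("hello from EASE");\n' > "$d/hello.js"
    sign_script "$d/hello.js" "$d/ca.key" "$d/ca.pem" "$d/rooted.js"
    sign_script "$d/hello.js" "$d/self.key" "$d/self.pem" "$d/selfsigned.js"
    sed 's/hello/HELLO/' "$d/rooted.js" > "$d/tampered.js"
    out=
    for f in rooted selfsigned tampered; do
        s=0; verify_script "$d/$f.js" "$d/root.pem" || s=$?; out="$out$f=$s "
    done
    rm -rf "$d"; echo "${out% }"
}
```

Calling `demo` prints `rooted=0 selfsigned=2 tampered=1`. Status 2 shows only that the script matches the key in the attached certificate, not who holds that key, which is why the verifier has to hand that case to the user.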
