Why is the applet startup slower since Java 7 Update 25?

Before a signed applet is run, the signing certificate is checked to ensure that it has not been revoked.

Before Java 7 Update 25 certificate revocation lists (CRLs) were used for this check. CRLs are lists containing no longer trusted certificates from one certificate authority (CA) and are updated periodically.

An often-repeated criticism is the time gap between two updates. Therefore Java 7 Update 25 changed the default setting for the certificate revocation check from CRLs to OCSP. See the Java 7 Update 25 release notes for more information.

OCSP stands for Online Certificate Status Protocol. It is a service provided by certificate authorities to check the revocation status of a certificate online. Although the check is more current, it is unfortunately much slower than a list lookup.

Additionally the OCSP check wasn't implemented very effectively. An OCSP request is issued for every signed jar file instead of for every certificate. SignLive! CC cloud suite applets consist of many jar files, but all are signed with the same certificate.

There are two options to speed up the startup time again.

The first is to optimize the applet caching parameters. Check the documentation on applet caching for more information. Cached jars are loaded without a signature check, because the signature was already checked before caching.

The second alternative is to change the setting back to CRL. You find the setting for the certificate revocation check in the Advanced options in the Java Control Panel(JCP).

This should only be an option in a closed and controlled environment.