Can someone explain the MIDlet security picture with Sprint? I've only found vague references to Verisign certificates and the "developer root" (whatever that is), and step-by-step instructions for specific processes... but nothing seems to be explained.

Coming from no Sprint PCS J2ME experience at all,

a) I'd expect that the phone knows some set of root certificates for trusted signing authorities. Obviously it knows Verisign's root certificate. Is the "developer root" also a root certificate, or something else?

b) Once a MIDlet is signed, I would think that the phone can verify who wrote it and therefore ask the user to make an informed decision about permissions. However, I don't ever see that happening with existing applications. Sprint seems to have skipped a step here. It appears as if a signed MIDlet can just *automatically* do anything it feels like. That would mean that writing malicious code on a phone is still possible, but just requires a $400 fee paid to Verisign!

c) I would hope that there's some way to add a root certificate, so that it's possible to use a self-signed certificate for development purposes on the phone. However, I'm guessing that this isn't possible given that Sprint is just casually telling everyone to go blow $400 left and right.

Some of the Sprint documentation suggests that it's necessary to BOTH enable the developer root and sign the code using a certificate from a trusted authority (Verisign, in this case). If that's the case, then how does anyone ever deploy code? Does everyone really ask all their customers to sign up for an account with developer.sprintpcs.com and enable developer root on all their phones? That seems hard to believe!

I must be missing something. Would anyone care to fill me in?