Custom plug-in trust model

I want to deploy custom plug-ins using the Widget Catalog but need to understand the trust model that is employed.

I have successfully created a self-signed certificate and signed the jars that make up a custom plug-in. I have also successfully deployed this plug-in using the Widget Catalog and an NSF update site. However, when the plug-in is provisioned, users see a prompt indicating that the plug-in is signed but not trusted. I want to understand how to avoid this prompt. If I get my self-signed certificate signed by a top level CA with an Internet Certifier present in the user’s Personal Address book (like VeriSign), will the provisioning code grant trust and prompt the user accordingly (this plug-in is signed and is trusted) or avoid this prompt completely?

Aside from getting a CA (present in the Personal Address Books) to certify my code signing certificate, is there any other way to grant trust?

Any help is appreciated.

Subject: 8.5.1 Policy

Seeing this somewhat after the date of posting.

There was no way I knew of in 8.5 but, if I understand your question properly, you can do this in 8.5.1 via a policy.

In the 8.5.1 Domino Directory look at the Security Settings policy document. At the bottom of the “Keys and Certificates” tab there is a section called “Administrative Trust Defaults” where you can specify the internet certificates and/or internet cross certificates to deploy to your end users using policies. You can use this to deploy signed Java extensions to end-users and have them install without the user being prompted.