David-Sarah Hopwood <david-sa...@jacaranda.org> writes:

>Huh? I don't understand the argument being made here.

It's a bogus argument, the text says:

  He took a legitimate software package and removed the signature of the
  digital certificate it contained, then installed the package on his
  computer. The Installer application didn't indicate that the certificate had
  been modified.

The certificate wasn't modified, they just stripped the signature from the
executable.

  "Only an expert will be able to detect a problem," Schouwenberg said. "And
  all Microsoft will tell you is that the file is not signed."

And what else should Windows say?  "We put this through our time machine and
noticed that at some time in the past it was signed and now it isn't"?

The rest of the story isn't much better:

  The Stuxnet worm, which surfaced last month, used fake Verisign digital
  certificates

No, they were genuine certs, just in the wrong hands.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to