I'm afraid signing software is multiple levels of bullocks. Imagine a user just clicking yes when something states "Unsigned software, do you really want to install?". Imagine someone working at either a software or a signing company. Imagine someone owning a little bitty software company that's perfectly legitimate and also uses the key to sign some of his maleware.
Software signing isn't usable for regular end users, experienced users already have hashes to establish integrity up to a certain level, guru's and security professionals compile from source instead of trusting some binary. And yes that does exclude hidden-source software, it's the only sensible thing to do if you don't want trust but real security! -Lewis 2011/12/7 Jon Callas <[email protected]> > > On 7 Dec, 2011, at 11:34 AM, ianG wrote: > > > > > Right, but it's getting closer to the truth. Here is the missing link. > > > > Revocation's purpose is one and only one thing: to backstop the > liability to the CA. > > I understand what you're saying, but I don't agree. > > CAs have always punted liability. At one point, SSL certs came with a huge > disclaimer in them in ASCII disclaiming all liability. Any CA that accepts > liability is daft. I mean -- why would you do that? Every software license > in the world has a liability statement in it that essentially says they > don't even guarantee that the software contains either ones or zeroes. Why > would certificates be any different? > > I don't think it really exists, not the way it gets thrown around as a > term. Liability is a just a bogeyman -- don't go into the woods alone at > night, because the liability will get you! > > Jon > > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography >
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
