Unfortunately, in any software protection system everything eventually comes down to some comparison. All a certificate does is say that public key P is owned by entity E. If the program checks that E is "Bob's Software Company, Inc." there is nothing stopping the clever cracker from changing that string in the program (not in the certificate) to "Joe's Pirate Shop" and then using their own certificate. The program checks to make sure that the certificate is really "Joe's Pirate Shop" and your protection has been defeated.
The problem is that you cannot trust the person running the software. This does not come into play in something like SSL in a web browser because the user has a vested interest in maintaining that security. If a person wanted to accept invalid certificates from rogue websites they could just replace their Verisign CA certificates with their own CA certificates and the browser would be none the wiser.

Jason

----- Original Message -----
From: "David C. Partridge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 24, 2003 11:50 AM
Subject: RE: choosing the right algorithm

> That's where X.509 certificates come in. They certify that YOU own this
> particular public key.
>
> Dave
>
