> If a control has a digital > signature, it means that the control has not been > tampered with and is guaranteed to be exactly the same > as when the software publisher created it.
C'mon! This is assuming a secure PKI implementation, where you are assured that the Private Key has been maintained securely, and actually used by the party it was issued to. Microsoft's 'Authenticode' has emphatically failed to meet this description, ashas been demonstrated a number of times. The most dramatic with the distribution of compromised components, signed - apparently - by Microsoft (!!) with a legitimate but falsley issued key. All the more disastrous, as MS left out a certificate -revocation mechanism for 'Authenticode!' http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp -- Jeremiah Cornelius _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
