Nick FitzGerald <[EMAIL PROTECTED]> wrote: > FWIW, I think the biggest "problem" here is that a CA (Thawte in this > case) allows code-signing certificates with such ambiguous "names" as > "Browser Plugin"
They also have a very limited interpretation of "malicious code". Thawte have refused to revoke certs issued to firms spreading homepage hijackers, spyware and commercial RATs. Unless it actually formats your hard disc, they do not, apparently, consider it malicious. > Would they allow a cert in the company name "IE Plugins" too? See for yourself. www.ieplugin.com Given the ease of creating a misleading company name, and the unwillingness of CAs to police abuse of their certs, one can only conclude that the Authenticode process is 100% useless as a means of ensuring code is trustworthy. -- Andrew Clover mailto:[EMAIL PROTECTED] http://www.doxdesk.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
