On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote: <snip>
>
> Authenticode is useless as a means of ensuring code is trustworthy
> _independent_ of such an effort from the CAs. _All_ Authenticode
> tells you is that someone was prepared to part with some cash and
> they found a CA they convinced that they were who they said they
> were.

This is why the CA's Certification Practice Statement (CPS) is so important . . . and why, if one is going to accept a certificate, they *really* should read the CPS and understand exactly what process the CA went through to determine the authenticity of the DN. *Then* you should read the audit reports to see if the CA is really following the CPS. If that information is not publicly available, he/she who accepts those certs deserves what he/she gets.

> In theory (at least if you trust the CA -- which I doubt few
> possibly could in Verisign's case once it issued code-signing certs
> under Microsoft's name to non-MS folk despite supposedly having extra
> special checking mechanisms for such a large and obviously
> "important" client),

See above.

> an Authenticode "all clear" means that if you
> were stupid enough to "trust" (in the big sense) a piece of signed
> code the CA can help you locate the rat-bag who signed it should you
> want to fry their balls...

See above again. That is true IFF the RA did its job.

>
> Anyone who ever thought Authenticode ever bought them more than that
> was seriously delusional and obviously did not understand the basics
> of code-signing as a "trust mechanism" (because it isn't one despite
> what MS wants you to believe). This is all part of why Authenticode
> and ActiveX were always such fundamentally bad things and why the
> decision to take this route showed MS lacked even the most basic
> grasp of the fundamentals of security and trust. That Authenticode
> has been "sold" (and worse, accepted by some) as anything else but a
> poor-man's excuse for "nothing much" is somewhere between really sad
> and criminal...
>

I think "nothing much" is being pretty generous . . . :->

Cheers,

/g

--
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea." -- RFC 1925

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
