Duane wrote:

> [EMAIL PROTECTED] wrote:
>
> > I definitely feel better about installing software signed by someone
> > whose identity I know. The authentication of the software publisher,
> > signing of the software, and revocation status checking of the
> > publisher's certificate can mitigate significant risk.
>
> If you know the person or company issuing the signed code, this causes
> the CA and PKI systems to be irrelevant; all you need to do is check the
> fingerprints of the company signing it. PKI/CAs are supposed to allow
> formerly unknown parties to trust each other.

One role of a CA is to authenticate unknown parties (software publishers
in this discussion) as their proper legal entity. If I know the publisher,
that may assure me to install and trust the software (or not!). If I
don't yet know the publisher, I can still know that they are being honest
about what the software does (given a CA policy that requires proper
disclosure), and I feel assured that I have recourse against the publisher
if they harm me.

--
My post and comments may represent my personal thoughts at the moment, but
they should not be taken to represent anyone else.

_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
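The two trust paths argued over in this thread, as an added illustration that is not code from the thread or from Mozilla: a verifier first checks the signature over the code, then accepts the signer either because its certificate fingerprint is already pinned (a publisher you know, no CA involved) or because it chains to a trusted CA (a publisher you do not know, so the CA vouches). The CA, publisher certificate and payload are all constructed in memory; the names and the `scenario` helper are this example's own, and revocation checking is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// fingerprint is SHA-256 over the DER certificate: what a publisher you already know can give you out of band.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }
// verifySigned checks the signature over code, then accepts the signer either because its fingerprint is pinned
// (you know the publisher; no CA involved) or because it chains to a CA in roots (you do not; the CA vouches).
func verifySigned(code, sig []byte, signer *x509.Certificate, pinned map[string]bool, roots *x509.CertPool) string {
	if signer.CheckSignature(x509.PureEd25519, code, sig) != nil {
		return "rejected: bad signature"
	}
	if pinned[fingerprint(signer)] {
		return "accepted: pinned fingerprint"
	}
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "rejected: untrusted signer"
	}
	return "accepted: CA chain"
}
// scenario builds a constructed CA and publisher cert in memory, signs a constructed payload, and checks it under each trust setup.
func scenario() (chained, pinnedOnly, untrusted, tampered string) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caPub, caKey) // self-signed root
	ca, _ := x509.ParseCertificate(caDER)
	tmpl.SerialNumber, tmpl.Subject.CommonName, tmpl.IsCA = big.NewInt(2), "Example Publisher", false
	pubPub, pubKey, _ := ed25519.GenerateKey(rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pubPub, caKey) // issued by the CA
	publisher, _ := x509.ParseCertificate(leafDER)
	code := []byte("constructed installer bytes")
	sig := ed25519.Sign(pubKey, code)
	roots, empty := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	pinned := map[string]bool{fingerprint(publisher): true}
	return verifySigned(code, sig, publisher, nil, roots), // unknown publisher: the CA vouches
		verifySigned(code, sig, publisher, pinned, empty), // known publisher: fingerprint suffices, no CA
		verifySigned(code, sig, publisher, nil, empty), // neither known nor chained: reject
		verifySigned(append(code, '!'), sig, publisher, pinned, roots) // modified code: reject before any trust decision
}
```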