Ian G wrote:
By the following snippet referring to a Slashdot
post, it seems that someone registered a company
called "Click Yes To Continue" and then proceeded
to buy a cert and create some software!

Yes, certs do nothing other than say you have been checked out to be who you say you are. They are not the CIA; it appears to me their vetting process is pretty rudimentary.


This way, if rogue code was bundled up and signed, there is at least a trail to a phone number and address, registered business, etc., which is almost useless but better than nothing.

That's why I say signed code is a veneer, but at least one step better than unsigned. I think signed code protects the Author more than the end user.

It seems a multi-pronged approach is what is needed.

1. Signed code
2. List of trusted Authors for secondary validation
3. A proven track record of distributing credible software

If there are layers and safeguards in place it will protect end users just a little more.


So down the road maybe an internal vetting process that works in the browser like this:


Ok, package is signed, now let's check the Author w/ the distribution list of approved Authors. (maybe via https://trusted.mozilla.org)

Signature name checks out, now let's provide the user with some additional information about this author if they wish to see it.

Ok, this author has released extensions A,B,C as well. Here are links to community/peer reviews of this and other software released by this author. This Author is a commercial entity or an individual developer.


I think:

  A. Signed Code
  B. Approved Author list

is a decent start. Maybe eventually making the user jump through hoops every time they attempt to install unsigned software, or just eventually preventing it as suggested by others.

--pete

--
Pete Collins - Founder, Mozdev Group Inc.
www.mozdevgroup.com
Mozilla Software Development Solutions
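The layered check sketched in the post (signed code, then an approved-author list, then a track record) as an added example; this is not code from the post, from Mozilla, or from Mozdev Group. It assumes Ed25519 signatures as a stand-in for the certificate-based code signing being discussed, a hypothetical `SignerKey` field standing in for the public key a signing cert would carry, and constructed author names, payloads and release counts. The one design point it adds to the post is that the approved-author list binds each name to a key, so a newly registered company that happens to use an approved author's name does not pass layer two.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Decision is the installer's verdict once every layer has been consulted.
type Decision int

const (
	Block  Decision = iota // refuse the install
	Prompt                 // make the user jump through hoops
	Allow                  // install with a minimal prompt
)

func (d Decision) String() string { return [...]string{"Block", "Prompt", "Allow"}[d] }

// Package models an extension bundle plus what its signature block asserts.
// SignerKey is a hypothetical stand-in for the public key in the signer's cert.
type Package struct {
	Name      string
	Payload   []byte
	Signer    string            // author name asserted by the signature block
	SignerKey ed25519.PublicKey // key carried with the package
	Signature []byte            // nil when the package is unsigned
}

// Policy holds the second and third layers from the post: an approved-author
// list that binds each name to a verification key, and a per-author count of
// previously vetted releases (the "track record").
type Policy struct {
	Approved    map[string]ed25519.PublicKey
	TrackRecord map[string]int
	MinReleases int // releases an approved author needs before quiet installs
}

// Evaluate applies the layers in order and stops at the first one that fails.
func (p Policy) Evaluate(pkg Package) (Decision, string) {
	// Layer 1: signed code. A valid signature proves only that the payload was
	// not altered since signing and that the signer held the key.
	if pkg.Signature == nil {
		return Prompt, "unsigned package: user must explicitly accept"
	}
	if len(pkg.SignerKey) != ed25519.PublicKeySize {
		return Block, "malformed signer key"
	}
	if !ed25519.Verify(pkg.SignerKey, pkg.Payload, pkg.Signature) {
		return Block, "signature does not verify: package altered or signature forged"
	}
	// Layer 2: approved-author list. Match on the key, not just the name, so a
	// freshly registered company using an approved author's name fails here.
	approvedKey, listed := p.Approved[pkg.Signer]
	if !listed {
		return Prompt, "validly signed, but the signer is not an approved author"
	}
	if !approvedKey.Equal(pkg.SignerKey) {
		return Block, "claims an approved author's name under a different key"
	}
	// Layer 3: track record of credible releases.
	if n := p.TrackRecord[pkg.Signer]; n < p.MinReleases {
		return Prompt, fmt.Sprintf("approved author with only %d vetted releases", n)
	}
	return Allow, "signed by an approved author with an established track record"
}

// SignPackage builds a signed bundle; a helper for the constructed sample data.
func SignPackage(name, signer string, payload []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Package {
	return Package{Name: name, Payload: payload, Signer: signer, SignerKey: pub,
		Signature: ed25519.Sign(priv, payload)}
}

func main() {
	// Constructed sample data: one approved author with a track record.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	policy := Policy{
		Approved:    map[string]ed25519.PublicKey{"Example Extensions Co.": pub},
		TrackRecord: map[string]int{"Example Extensions Co.": 3},
		MinReleases: 2,
	}
	payload := []byte("constructed extension bundle bytes")
	good := SignPackage("ext-a", "Example Extensions Co.", payload, pub, priv)

	// A second party that registered the same company name but holds its own key.
	ipub, ipriv, _ := ed25519.GenerateKey(rand.Reader)
	sameName := SignPackage("ext-a", "Example Extensions Co.", payload, ipub, ipriv)

	for _, pkg := range []Package{good, sameName, {Name: "ext-b", Payload: payload}} {
		d, why := policy.Evaluate(pkg)
		fmt.Printf("%-6s %s: %s\n", pkg.Name, d, why)
	}
}
```

Each layer answers a different question: the signature covers integrity and key possession, the list covers whether the installer has any reason to trust that identity, and the release count covers how much history backs it. An unsigned package and an unknown signer both land on Prompt rather than Block, matching the post's "jump through hoops" option; only a signature that fails to verify, or a name that is on the list but under the wrong key, is refused outright.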




_______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto
