Hi there,

On Tue, 16 Nov 1999, Rene G. Eberhard wrote:
> You'll never have a guarantee that a software (browser) hasn't been
> compromised. It's impossible to protect software with software.

Only in the same theoretical sense that it is impossible to trust
certificates signed by other certificates. This is true unless you can
satisfactorily trace the chain of signatures back to something you *know*
to be valid (or can assume on blind faith - but that's another matter).
Signed Java jar-files and Authenticode signatures are an attempt to map
this software-protected-software problem over to the
certificate-signed-certificates problem which is believed to be a "solved
problem". You can debate the merits of those particular attempts (jars and
cabs etc) for hours but in theory I don't see that it's impossible at all.

Cheers,
ME
----------------------------------------------------------------------
Geoff Thorpe Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe http://www.int.c2.net
----------------------------------------------------------------------
May I just take this opportunity to say that of all the people I have
EVER emailed, you are definitely one of them.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
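
Added example, not part of the original message: a sketch of the reduction the reply describes, where a signed artifact is accepted only if its chain of signatures ends at a key the verifier already pinned. Assumptions: Lamport one-time hash signatures stand in for X.509/RSA so the code runs on the Python standard library alone, and all names (`verify_chain`, `build`, the sample bytes) are hypothetical.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only ONE message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return isinstance(sig, list) and len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)

def fingerprint(pk):
    return H(pk_bytes(pk)).hex()

def verify_chain(artifact, sig, chain, anchors):
    # chain[0] signed the artifact; chain[i+1] signed chain[i]'s public key.
    if not chain or not verify(chain[0]["pk"], artifact, sig):
        return False
    for i, link in enumerate(chain):
        if fingerprint(link["pk"]) in anchors:
            return True   # reached a key we already *know* to be valid
        if i + 1 == len(chain) or not verify(
                chain[i + 1]["pk"], pk_bytes(link["pk"]), link["sig"]):
            return False
    return False

def build(artifact):
    # Constructed sample: a root key certifies a publisher key, which signs the artifact.
    root_sk, root_pk = keygen()
    pub_sk, pub_pk = keygen()
    chain = [{"pk": pub_pk, "sig": sign(root_sk, pk_bytes(pub_pk))},
             {"pk": root_pk, "sig": None}]
    return sign(pub_sk, artifact), chain, fingerprint(root_pk)
```

A chain whose signatures are all internally valid is still rejected when its root fingerprint is not in `anchors`, so the guarantee is only as good as the out-of-band step that put the fingerprint there.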