Full Disclosure mailing list archives
Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin
From: Valdis.Kletnieks () vt edu
Date: Wed, 29 Oct 2003 22:49:59 -0500
On Thu, 30 Oct 2003 10:55:01 +1300, Nick FitzGerald <nick () virus-l demon co uk> said:
> amount of "trust" a truly good CA can add to the equation, or that MS did not understand (or, more likely, was unprepared for marketing reasons to admit) that Authenticode is really just a sham adding nothing of significant value to the security of mobile code.
I've made variants of the following description of the distinction between authentication and authorization:

Authentication: Yes, your driver's license says you're Jeffrey Dahmer.
Authorization: You say you'd like to borrow a steak knife?

I remember that I originally made that analogy during an e-mail exchange with Michael Howard (of "Writing Secure Code" fame). Unfortunately, I can't quote an exact date for it, but it was certainly before mid-1999. It was apparent to me at the time that at least Michael understood the distinction quite well, but that the Official Party Line said otherwise even then.

I seem to recall that at the time, we both still had an underlying assumption that the CAs for the PKI were both competent and honest. Looking back at it from 5 years later, that does seem somewhat naive....