Full Disclosure mailing list archives

Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin


From: Valdis.Kletnieks () vt edu
Date: Wed, 29 Oct 2003 22:49:59 -0500

On Thu, 30 Oct 2003 10:55:01 +1300, Nick FitzGerald <nick () virus-l demon co uk>  said:

> amount of "trust" a truly good CA can add to the equation, or that MS 
> did not understand (or, more likely, was unprepared for marketing 
> reasons to admit) that Authenticode is really just a sham adding 
> nothing of significant value to the security of mobile code.

I've made variants of the following description of the distinction between
authentication and authorization:

Authentication:  Yes, your driver's license says you're Jeffrey Dahmer.
Authorization:   You say you'd like to borrow a steak knife?

I remember that I originally made that analogy during an e-mail exchange with
Michael Howard (of "Writing Secure Code" fame).  Unfortunately, I can't quote
an exact date for it, but it was certainly before mid-1999.  It was apparent to
me at the time that at least Michael understood the distinction quite well, but
that the Official Party Line said otherwise even then.

I seem to recall that at the time, we both still had an underlying assumption
that the CAs for the PKI were both competent and honest.  Looking back at it
from 5 years later, that does seem somewhat naive....
