Secure Coding mailing list archives
RE: Code signing and Java Web Start
From: "Dave Paris" <dparis () w3works com>
Date: Thu, 26 Feb 2004 14:23:14 +0000
Some potentially useful analogies...

a) Would you trust a random person off the street to make your _cash_ bank deposit for you?
b) Would you be willing to warranty your neighbor's car?
c) States make you prove (in a plethora of ways) you are who you say you are and that you know how to drive before handing you a driver's licence.
d) Would you be willing to sign off on a Sarbanes-Oxley audit without actually *doing* the audit?
e) Would you be willing to give an alibi, in court, if you were _not_ actually with the accused at the time in question?

It's about knowledge and trust. If you aren't 100% sure of the code and you haven't performed a full & rigorous audit of the code, then you don't have full knowledge of what you're signing nor do you have trust of what you're signing. Yet you're telling the users of that signed 3rd party code that you *do* know and trust the code.

On the other hand, if by signing the code all you're intending to say is that "yes, this code did come from So-and-so", then hey .. sign away if they handed you the code directly. If you just downloaded the code, you have no way of telling if the code has been trojaned or if it's even the *actual* code you're looking for!

Kind Regards,
-dsp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mona Wong-Barnum
Sent: Wednesday, February 25, 2004 6:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [SC-L] Code signing and Java Web Start

Hi:

I am asking for opinions on the issue of code signing and Java Web Start. We are about to have a meeting on this issue and I need some ammunition on why we should NOT be signing other people's code which we use in our Java applications that we serve out of Java Web Start.

I know that signing code from unknown sources is very bad...but I think I need some "proof" or info that will help the managers understand the implication of this in terms of reliability and responsibility.

It is my responsibility to educate my managers so that they can make the best possible choice; the rest is then out of my hands.

All help will be greatly appreciated!

thanks,
Mona

==================================================================
Mona Wong-Barnum
National Center for Microscopy and Imaging Research
University of California, San Diego
http://ncmir.ucsd.edu/

"If you don't have time to do it right, will you have time to do it over?" -- unknown
==================================================================