Full Disclosure mailing list archives
Re: [Bogus] Microsoft Authenticode™ webcam viewer plugin
From: George Capehart <capegeo () opengroup org>
Date: Wed, 29 Oct 2003 18:55:16 -0500
On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:

> <snip>
>
> Authenticode is useless as a means of ensuring code is trustworthy _independent_ of such an effort from the CAs. _All_ Authenticode tells you is that someone was prepared to part with some cash and they found a CA they convinced that they were who they said they were.

This is why the CA's Certification Practice Statement (CPS) is so important . . . and why, if one is going to accept a certificate, they *really* should read the CPS and understand exactly what process the CA went through to determine the authenticity of the DN. *Then* you should read the audit reports to see if the CA is really following the CPS. If that information is not publicly available, he/she who accepts those certs deserves what he/she gets.

> In theory (at least if you trust the CA -- which I doubt few possibly could in Verisign's case once it issued code-signing certs under Microsoft's name to non-MS folk despite supposedly having extra special checking mechanisms for such a large and obviously "important" client),

See above.

> an Authenticode "all clear" means that if you were stupid enough to "trust" (in the big sense) a piece of signed code the CA can help you locate the rat-bag who signed it should you want to fry their balls...

See above again. That is true IFF the RA did its job.

> Anyone who ever thought Authenticode ever bought them more than that was seriously delusional and obviously did not understand the basics of code-signing as a "trust mechanism" (because it isn't one despite what MS wants you to believe). This is all part of why Authenticode and ActiveX were always such fundamentally bad things and why the decision to take this route showed MS lacked even the most basic grasp of the fundamentals of security and trust. That Authenticode has been "sold" (and worse, accepted by some) as anything else but a poor-man's excuse for "nothing much" is somewhere between really sad and criminal...

I think "nothing much" is being pretty generous . . . :->

Cheers,

/g

--
George Capehart
capegeo at opengroup dot org
PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutinate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea." -- RFC 1925

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
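The distinction the thread draws above (a valid Authenticode signature binds the code to an identity some CA vouched for; whether to trust that identity is a separate decision that is yours to make) as an added PowerShell example that is not part of the original exchange. It uses the built-in Get-AuthenticodeSignature cmdlet; the publisher allowlist and the sample path are constructed placeholders.

```powershell
# Added example (not from the original thread): report cryptographic validity
# and publisher trust as two separate results, since the signature alone only
# establishes the former.
# The allowlist below is a constructed placeholder: fill it with thumbprints of
# publishers whose CA's CPS and RA practice you have actually reviewed.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-A-PUBLISHER-YOU-HAVE-VETTED'
)

function Test-SignedCodePolicy {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $AllowedThumbprints = $TrustedPublisherThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: what Authenticode itself asserts. 'Valid' means the bytes are
    # unchanged since signing and the signer held the private key of a
    # certificate that chains to a CA the local machine already trusts.
    $chainValid = ($sig.Status -eq 'Valid')

    # Step 2: who the CA says signed it. Meaningful only if the CA's CPS is
    # acceptable to you and the RA actually followed it (the thread's point).
    $signer  = $sig.SignerCertificate
    $thumb   = if ($signer) { $signer.Thumbprint } else { $null }
    $subject = if ($signer) { $signer.Subject }    else { '(unsigned)' }
    $issuer  = if ($signer) { $signer.Issuer }     else { $null }

    # Step 3: your own decision. Trust is local policy (an explicit publisher
    # allowlist), not a property the signature carries with it.
    $publisherTrusted = $chainValid -and ($thumb -in $AllowedThumbprints)

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        Signer           = $subject
        Issuer           = $issuer
        Thumbprint       = $thumb
        SignatureValid   = $chainValid
        PublisherTrusted = $publisherTrusted
    }
}

# Usage (constructed path): a file whose signature is 'Valid' but whose signer is
# not on the allowlist reports SignatureValid=True and PublisherTrusted=False.
Test-SignedCodePolicy -Path 'C:\Downloads\plugin.ocx' | Format-List
```

Gating execution on PublisherTrusted rather than on SignatureValid is what turns the signature's identity claim into an actual trust decision.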