Full Disclosure mailing list archives

Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin


From: George Capehart <capegeo () opengroup org>
Date: Wed, 29 Oct 2003 18:55:16 -0500

On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:

<snip>


> Authenticode is useless as a means of ensuring code is trustworthy
> _independent_ of such an effort from the CAs.  _All_ Authenticode
> tells you is that someone was prepared to part with some cash and
> they found a CA they convinced that they were who they said they
> were.

This is why the CA's Certification Practice Statement (CPS) is so
important . . . and why, if one is going to accept a certificate, they
*really* should read the CPS and understand exactly what process the CA
went through to determine the authenticity of the DN.  *Then* you
should read the audit reports to see if the CA is really following the
CPS.  If that information is not publicly available, he/she
who accepts those certs deserves what he/she gets.


> In theory (at least if you trust the CA -- which I doubt few
> possibly could in Verisign's case once it issued code-signing certs
> under Microsoft's name to non-MS folk despite supposedly having extra
> special checking mechanisms for such a large and obviously
> "important" client),

See above.

> an Authenticode "all clear" means that if you
> were stupid enough to "trust" (in the big sense) a piece of signed
> code the CA can help you locate the rat-bag who signed it should you
> want to fry their balls...

See above again.  That is true IFF the RA did its job.


> Anyone who ever thought Authenticode ever bought them more than that
> was seriously delusional and obviously did not understand the basics
> of code-signing as a "trust mechanism" (because it isn't one despite
> what MS wants you to believe).  This is all part of why Authenticode
> and ActiveX were always such fundamentally bad things and why the
> decision to take this route showed MS lacked even the most basic
> grasp of the fundamentals of security and trust.  That Authenticode
> has been "sold" (and worse, accepted by some) as anything else but a
> poor-man's excuse for "nothing much" is somewhere between really sad
> and criminal...


I think "nothing much" is being pretty generous . . . :->

Cheers,

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html