Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on How a Digital Signature Works

From: David Farber <dave () farber net>
Date: Tue, 10 Aug 2004 22:56:44 -0400


Begin forwarded message:

From: Brad Templeton <btm () templetons com>
Date: August 10, 2004 9:49:37 PM EDT
To: David Farber <dave () farber net>
Cc: rah () shipwright com
Subject: Re: [IP] How a Digital Signature Works


 A technology called public key cryptography makes it possible for you
to
make sure that the publisher of any piece of software that claims to be
from Microsoft (MSFT ) or any other publisher really came from there. It 


Strictly speaking, a digital signature demonstrates that the document
came from somebody who had access to the private key matching the
public key store in your certificate.

It's used to show the software came from Microsoft, but it can also
mean:
    a) The signing algorithm is weak
    b) The key was not kept securely at Microsoft.   For example, it
       was used on computers running just about any version of
       Microsoft Windows.
    c) The people with access to the key were compromised, got angry
       or took a bribe.
    d) The certificate was faked because the certificate authority
       issued a certificate to some guys who claimed they were from
       Microsoft, without really checking they were from Microsoft.
       (This really happened a few years ago.)
    e) An earlier virus on your computer rewrote your certificates
       to make you trust other keys and certifiers to say it's from
       Microsoft.
    f) The software really is from Microsoft, but when they were
       developing it, they did so on an insecure operating system,
       such as Microsoft Windows, and a trojan snuck into it.
(This also really happened, and a CD was distributed with a virus) 


Now don't get me wrong, signing stuff is better than not signing it.
But it doesn't "make sure."  It just improves things.  Lots of things
can go wrong and more to the point have gone wrong.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: