Secure Coding mailing list archives

RE: Code signing and Java Web Start


From: "Dave Paris" <dparis () w3works com>
Date: Thu, 26 Feb 2004 14:23:14 +0000

Some potentially useful analogies...

a) Would you trust a random person off the street to make your _cash_ bank
deposit for you?
b) Would you be willing to warranty your neighbor's car?
c) States make you prove (in a plethora of ways) you are who you say you are
and that you know how to drive before handing you a driver's licence.
d) Would you be willing to sign off on a Sarbanes-Oxley audit without
actually *doing* the audit?
e) Would you be willing to give an alibi, in court, if you were _not_
actually with the accused at the time in question?

It's about knowledge and trust.  If you aren't 100% sure of the code and you
haven't performed a full & rigorous audit of the code, then you don't
have full knowledge of what you're signing nor do you have trust of what
you're signing.  Yet you're telling the users of that signed 3rd party code
that you *do* know and trust the code.

On the other hand, if by signing the code all you're intending to say is
that "yes, this code did come from So-and-so", then hey .. sign away if they
handed you the code directly.  If you just downloaded the code, you have no
way of telling if the code has been trojaned or if it's even the *actual*
code you're looking for!

Kind Regards,
-dsp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mona Wong-Barnum
Sent: Wednesday, February 25, 2004 6:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [SC-L] Code signing and Java Web Start


Hi:

      I am asking for opinions on the issue of code signing and Java Web
Start.

      We are about to have a meeting on this issue and I need some
ammunition on why we should NOT be signing other people's code which we
use in our Java applications that we serve out of Java Web Start.  I know
that signing code from unknown sources is very bad...but I think I need
some "proof" or info that will help the managers understand the
implication of this in terms of reliability and responsibility.  It is my
responsibility to educate my managers so that they can make the best
possible choice; the rest is then out of my hands.

      All help will be greatly appreciated!

thanks,
Mona

==================================================================
  Mona Wong-Barnum
  National Center for Microscopy and Imaging Research
  University of California, San Diego
  http://ncmir.ucsd.edu/

  "If you don't have time to do it right, will you have time
  to do it over?"
                           -- unknown
==================================================================