WebApp Sec mailing list archives

Code Signing ???


From: Saqib Ali <docbook.xml () gmail com>
Date: Sat, 13 Aug 2005 22:25:11 -0700

I am a regular reader of Bruce Schneier's Blog, Articles, and Books,
and I really like what he writes. However, I recently read his book
titled "Secrets and Lies" and I think he has done some injustice to
the security provided by "Code Signing".

On page 163 of his book, he (Bruce Schneier) basically states that
"Code signing, as it is currently done, sucks".

Even though I think that Code Signing has its flaws, it does provide a
fairly good mechanism for increasing security in an organization.

The following are the reasons that he (Bruce Schneier) gives:

Bruce's Argument #1) Users have no idea how to decide if a particular
signer is trusted or not.

My comments: True. However, in an organization it is the job of the
IT/security dept to make that determination. It shouldn't be left up
to users. The IT dept should know not to trust "Snake Oil Corp.";
however, anything from "Citrix Corp" should be fairly safe. Moreover,
Windows XP SP2 provides a mechanism to create a Whitelist of
certain trusted signers, and reject everything else. This is a very
powerful security mechanism, and greatly increases the security in a
corporate environment, if the workstations are properly configured.
Having said that, this feature may not be that useful for home users,
who cannot tell the difference between Snake Oil and Citrix Corp.

Bruce's Argument #2) Just because a component is signed doesn't mean
that it is safe.

My Comments: I fully agree with this. However Code Signing was never
intended for this purpose. Code signing was designed to prove the
authenticity and integrity of the code. It was never designed to
certify that the piece is also securely written.

Bruce's Argument #3) Just because two components are individually
signed does not mean that using them together is safe; lots of
accidental harmful interactions can be exploited.

My comment: Again, Code Signing was never designed to accomplish this.

Bruce's Argument #4) "safe" is not an all-or-nothing thing; there are
degrees of safety.

My comment: I agree with this statement.

Bruce's Argument #5) The fact that the evidence of attack (the
signature on the code) is stored on the computer under attack is
mostly useless: The attack could delete or modify the signature during
the attack, or simply reformat the drive where the signature is
stored.

My comments: I am not sure what this statement means. I think this type
of attack is outside the realm of Code Signing.

I would really appreciate any comments / thoughts / feedback on the
above-mentioned arguments of Bruce's and my commentary. I am planning to
give a short talk about the benefits of code signing, so any feedback will
really help me.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
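The two properties the post attributes to code signing (authenticity of the signer and integrity of the bytes) and the "whitelist of trusted signers" policy it describes can be shown in a few lines of code. The following is an added example written for this archive page, not code from the original post or from any Windows component: it uses Ed25519 keys in place of X.509/Authenticode certificates, and the publisher names "Citrix Corp" and "Snake Oil Corp", the key pairs, the code blobs and the `Policy`/`Check` names are all constructed for the illustration. It also makes Bruce's Argument #2 concrete: a component that passes every check is still only known to be unmodified and from an allow-listed signer, nothing more.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Publisher is a hypothetical software vendor holding a signing key.
// In a real deployment the public key would come from a certificate
// chained to a CA; here it is a freshly generated Ed25519 key pair.
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a key pair for the named (constructed) vendor.
func NewPublisher(name string) Publisher {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publisher{Name: name, Pub: pub, priv: priv}
}

// SignedComponent is a code blob as delivered to the workstation,
// together with the claimed signer name and the signature over the bytes.
type SignedComponent struct {
	Signer    string
	Code      []byte
	Signature []byte
}

// Sign produces a signed component; the signature covers exactly Code.
func (p Publisher) Sign(code []byte) SignedComponent {
	return SignedComponent{Signer: p.Name, Code: code, Signature: ed25519.Sign(p.priv, code)}
}

// Policy is the IT/security department's allow-list: signer name -> trusted key.
// Anything not on the list is rejected, as the post describes for XP SP2.
type Policy map[string]ed25519.PublicKey

// Verdict explains why a component was accepted or rejected.
type Verdict int

const (
	Accepted      Verdict = iota // signer allow-listed and bytes unmodified
	UnknownSigner                // signer not on the allow-list (authenticity)
	BadSignature                 // bytes altered or key does not match signer (integrity)
)

func (v Verdict) String() string {
	switch v {
	case Accepted:
		return "accepted"
	case UnknownSigner:
		return "rejected: signer not on allow-list"
	default:
		return "rejected: signature does not verify"
	}
}

// Check enforces the policy. It answers only "who signed it" and "was it
// changed"; it says nothing about whether the code is safe to run.
func (pol Policy) Check(c SignedComponent) Verdict {
	pub, ok := pol[c.Signer]
	if !ok {
		return UnknownSigner
	}
	if !ed25519.Verify(pub, c.Code, c.Signature) {
		return BadSignature
	}
	return Accepted
}

func main() {
	trusted := NewPublisher("Citrix Corp")     // constructed vendor
	untrusted := NewPublisher("Snake Oil Corp") // constructed vendor
	pol := Policy{trusted.Name: trusted.Pub}    // only Citrix Corp is allow-listed

	good := trusted.Sign([]byte("MZ... constructed installer bytes"))
	fmt.Println("trusted, intact:   ", pol.Check(good))

	tampered := good
	tampered.Code = append([]byte("MZ... patched"), good.Code...)
	fmt.Println("trusted, modified: ", pol.Check(tampered))

	fmt.Println("unknown signer:    ", pol.Check(untrusted.Sign([]byte("tool.exe"))))

	forged := untrusted.Sign([]byte("tool.exe"))
	forged.Signer = trusted.Name // claims a trusted name without its key
	fmt.Println("impersonation:     ", pol.Check(forged))

	// Argument #2: a valid signature from a trusted signer proves origin and
	// integrity, not that the signed program is well written or harmless.
	fmt.Println("trusted but buggy: ", pol.Check(trusted.Sign([]byte("a signed program with a bug"))))
}
```

The verdicts map onto the post's points: `UnknownSigner` is the allow-list doing the work that Argument #1 says users cannot; `BadSignature` is the integrity property; and the last line shows that `Accepted` is exactly as far as code signing goes, which is what Arguments #2 and #3 are about.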

