Interesting People mailing list archives
more on How a Digital Signature Works
From: David Farber <dave () farber net>
Date: Tue, 10 Aug 2004 22:56:44 -0400
Begin forwarded message:
From: Brad Templeton <btm () templetons com>
Date: August 10, 2004 9:49:37 PM EDT
To: David Farber <dave () farber net>
Cc: rah () shipwright com
Subject: Re: [IP] How a Digital Signature Works
A technology called public key cryptography makes it possible for you to make sure that the publisher of any piece of software that claims to be from Microsoft (MSFT) or any other publisher really came from there. It
Strictly speaking, a digital signature demonstrates that the document came from somebody who had access to the private key matching the public key stored in your certificate. It's used to show the software came from Microsoft, but it can also mean:

a) The signing algorithm is weak.
b) The key was not kept securely at Microsoft. For example, it was used on computers running just about any version of Microsoft Windows.
c) The people with access to the key were compromised, got angry or took a bribe.
d) The certificate was faked because the certificate authority issued a certificate to some guys who claimed they were from Microsoft, without really checking they were from Microsoft. (This really happened a few years ago.)
e) An earlier virus on your computer rewrote your certificates to make you trust other keys and certifiers to say it's from Microsoft.
f) The software really is from Microsoft, but when they were developing it, they did so on an insecure operating system, such as Microsoft Windows, and a trojan snuck into it. (This also really happened, and a CD was distributed with a virus.)
Now don't get me wrong, signing stuff is better than not signing it. But it doesn't "make sure." It just improves things. Lots of things can go wrong and more to the point have gone wrong.
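An added illustration, not part of the forwarded message: a toy textbook-RSA check showing that verification answers only "does this signature match the key my local store lists for this name?", which is what cases (b), (c) and (e) above turn on. The keys, the publisher name and the payloads are constructed, and the unpadded RSA here is for demonstration only.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Textbook RSA key from two primes (toy sizes, no padding)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    """SHA-256 of msg, reduced into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, key):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(msg, sig, publisher, trust_store):
    """True if sig matches the key the local store lists for publisher."""
    n = trust_store.get(publisher)
    return n is not None and pow(sig, E, n) == digest(msg, n)

# Constructed keys built from known Mersenne primes.
PUBLISHER_KEY = make_key(2**127 - 1, 2**89 - 1)
OTHER_KEY = make_key(2**107 - 1, 2**61 - 1)

def scenarios():
    name = "Example Publisher"                 # hypothetical publisher name
    store = {name: PUBLISHER_KEY["n"]}         # the verifier's local trust store
    release = b"release-1.0 contents"
    other = b"contents the publisher never approved"
    results = {}
    results["genuine release"] = verify(
        release, sign(release, PUBLISHER_KEY), name, store)
    # Cases (b)/(c): whoever holds the private key produces a valid signature.
    results["key used by someone else"] = verify(
        other, sign(other, PUBLISHER_KEY), name, store)
    # What signing does catch: content changed after it was signed.
    results["modified after signing"] = verify(
        other, sign(release, PUBLISHER_KEY), name, store)
    # Case (e): the store entry is rewritten, so a different key now "is" the publisher.
    rewritten = {name: OTHER_KEY["n"]}
    results["other key, rewritten store"] = verify(
        other, sign(other, OTHER_KEY), name, rewritten)
    results["other key, intact store"] = verify(
        other, sign(other, OTHER_KEY), name, store)
    return results

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:28} verifies: {ok}")
```

Only the "modified after signing" and "other key, intact store" rows fail; the verifier has no way to distinguish the remaining three from one another.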