| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200310300349.h9U3nx9X009384@turing-police.cc.vt.edu> From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: [Bogus] Microsoft AuthenticodeT webcam viewer plugin On Thu, 30 Oct 2003 10:55:01 +1300, Nick FitzGerald <nick@...us-l.demon.co.uk> said: > amount of "trust" a truly good CA can add to the equation, or that MS > did not understand (or, more likely, was unprepared for marketing > reasons to admit) that Authenticode is really just a sham adding > nothing of significant value to the security of mobile code. I've made variants of the following description of the distinction between authentication and authorization: Authentication: Yes, your drivers license says you're Jeffrey Dahlmer. Authorization: You say you'd like to borrow a steak knife? I remember that I originally made that analogy during an e-mail exchange with Michael Howard (of "Writing Secure Code" fame). Unfortunately, I can't quote an exact date for it, but it was certainly before mid-1999. It was apparent to me at the time that at least Michael understood the distinction quite well, but that the Official Party Line said otherwise even then. I seem to recall that at the time, we both still had an underlying assumption that the CAs for the PKI were both competent and honest. Looking back at it from 5 years later, that does seem somewhat naive.... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031029/32b2337d/attachment.bin
Powered by blists - more mailing lists