On Thu, May 04, 2000 at 05:24:35PM -0600, Vernon Schryver wrote:
] From: Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>
] You could have senders sign any executables. That might help a
] > as long as the sender's machine hasn't been compromised.
] this would also help, but we'd need a better way to verify the sender's
] signature than we have now.
It wouldn't help much, unless you are of the religion that believes
authentication implies authorization. Or don't you think that
today's evil doer could have managed to get the latest virus signed
with some company's key? My bet is that many among those websites
that are defaced have handy dandy files of ASCII encoded binary
around near the anonymously improved HTML.
The point was that an attachment could be signed by the _message
sender_, not the originator of the file. So any executables you send to your
friends would be signed by _you_. Of course, if _your_ machine has been
compromised then your signature is probably no longer valid and the system
Your friends would thereby give you the authority to run executables
on their system (with their manual assent, of course) assuming your executable
was properly authenticated as having come from you.