ietf-asrg

RE: [Asrg] DCC and IP checksums

2003-03-12 17:44:37
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>

...
The design of the code signing services was to ensure that code
obtained through the web was at least as trustworthy as code bought
in a shrinkwrap box in a store. It was not to eliminate all possible
risks.
...

Requiring that the signature on the new version of the code match the
signature on the original from the shrinkwrap box would be a significant
and radical improvement on the ActiveX model and what I understood Phillip
Hallam-Baker to be proposing.  As I understand ActiveX, essentially any
code signed by any vendor recognized by Microsoft and marked "safe" by
the vendor is allowed free rein to do whatever it wants.

However, I don't see how to allow Vendor X to change only bits that
have been previously signed by Vendor X except with something that
sounds like a special case of "sandbox."


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com

P.S.  I would like to apologize to the list about my previous message.
 I didn't realize I was replying to a message from the list until
 after I'd hit the switch.

P.P.S.  "Fraud" is too strong for ActiveX if you cannot conceive of
 any network except a centrally controlled corporate net where there
 are very few naive over-the-wire security threats and where
 whatever the central controllers want to do to other systems is
 kosher.  I'm sure I'm not the only one who has asked/warned users
 equivalents of "this virus will aid the maintenance of your system"
 before Microsoft had heard of IP or thought of ActiveX or auto-update.
 Hooks to add and remove cron scripts and other things can ease a lot
 of transitions and deployment hassles.  Outside controlled corporate
 networks such things are worse than frauds.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


