
Re: value of standards

2000-05-04 18:30:02
] ...
]        You could have senders sign any executables. That might help a 
] little,  as long as the sender's machine hasn't been compromised.
]  
] this would also help, but we'd need a better way to verify the sender's 
] signature than we have now.

It wouldn't help much, unless you are of the religion that believes
authentication implies authorization.  Or don't you think that
today's evil doer could have managed to get the latest virus signed
with some company's key?  

why in the world would I trust some random company's key?

now, if a "trusted friend" sent me a signed executable -
I as a person might decide that I'm willing to run the executable.

note that there are at least two kinds of trust here -

1. I have to be able to verify my friend's signature against a public
key which is either known to be valid because I've verified it personally,
or because it is signed by someone else that I trust (*maybe* a commercial 
CA, definitely *not* a random company)

2. I also have to trust my friend
a) not to be malicious 
b) to take reasonable steps to safeguard his system from compromise
   (including not running executables from unknown sources)
c) to take reasonable steps to safeguard his private key
   (which is not quite the same thing as b).

note that it takes a nontrivial user interface to communicate this to
a recipient of email:  e.g.

  NOTE: this message was signed by someone purporting to be 
  Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>.  The signature is validated
  by a certificate from Fly-By-Night Certificate Authority, Inc.
  Fly-By-Night's certificate verifies correctly according to
  another certificate from FemtoSoft corporation that was supplied
  with your email reader, but you have not personally placed trust 
  in FemtoSoft.

  Therefore the authenticity of the claimed sender cannot be verified.

and yet this is basically what it takes to do the job.

there's no way you should ever just "click" on an arbitrary 
attachment regardless of content, expect that content to 
be evaluated, and still expect it to not cause harm.

Keith
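
The evaluation Keith sketches above, written out as an added example that is not part of the original thread: it checks the attachment's signature, walks the signer's certificate chain up to a self-signed root, treats the root as trustworthy only if it matches a key the recipient pinned personally (a root merely shipped with the mail reader produces the "authenticity cannot be verified" verdict), and then treats permission to run the executable as a separate allowlist decision, so a valid signature never implies authorization. The parties, the certificate format, the anchor stores and the toy textbook RSA (fixed Mersenne primes, no padding, far too small for real use) are all constructed for illustration; only the names Keith Moore, Fly-By-Night and FemtoSoft come from the message.

```python
import hashlib

# --- Toy textbook RSA, constructed for illustration only: unpadded and far too small to be secure ---
E = 65537


def toy_keypair(p_exp: int, q_exp: int):
    """Key pair from the Mersenne primes 2**p_exp-1 and 2**q_exp-1 (exponents of known Mersenne primes)."""
    p, q = 2 ** p_exp - 1, 2 ** q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)  # (public, private)


def digest_int(data: bytes) -> int:
    # 128-bit truncation keeps the value below the smallest toy modulus used here (about 2**150)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


# --- Minimal certificates: the issuer signs (subject, subject's public key) ---
def tbs(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def make_cert(subject: str, pub, issuer: str, issuer_priv):
    return {"subject": subject, "pub": pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(subject, pub))}


# --- The recipient's evaluation: signature, then chain, then trust anchor, then authorization ---
def evaluate(attachment: bytes, sig: int, chain, personal_anchors, vendor_anchors, run_allowlist):
    """chain[0] is the signer's cert, chain[-1] the self-signed root.
    Anchor stores map a name to the pinned public key. Returns a verdict string."""
    signer = chain[0]
    if not verify(signer["pub"], attachment, sig):
        return "INVALID_SIGNATURE"
    if personal_anchors.get(signer["subject"]) != signer["pub"]:  # key not verified personally: need a chain
        for i, cert in enumerate(chain):
            issuer = chain[i + 1] if i + 1 < len(chain) else cert  # the root vouches for itself
            if cert["issuer"] != issuer["subject"] or not verify(
                    issuer["pub"], tbs(cert["subject"], cert["pub"]), cert["sig"]):
                return "BROKEN_CHAIN"
        root = chain[-1]
        if personal_anchors.get(root["subject"]) == root["pub"]:
            pass  # the user placed trust in this root themselves
        elif vendor_anchors.get(root["subject"]) == root["pub"]:
            return "AUTHENTICITY_UNVERIFIED_VENDOR_ANCHOR_ONLY"  # the FemtoSoft case in the message
        else:
            return "UNTRUSTED_ROOT"  # "some random company's key"
    # Authentication is not authorization: running code is an explicit, separate decision.
    return "AUTHORIZED_TO_RUN" if signer["subject"] in run_allowlist else "AUTHENTICATED_NOT_AUTHORIZED"


# --- Constructed parties and a constructed sample attachment ---
friend_pub, friend_priv = toy_keypair(61, 89)
fbn_pub, fbn_priv = toy_keypair(107, 127)
femto_pub, femto_priv = toy_keypair(521, 607)
random_pub, random_priv = toy_keypair(1279, 2203)

ATTACHMENT = b"#!/bin/sh\necho 'constructed sample attachment'\n"
CHAIN = [
    make_cert("Keith Moore", friend_pub, "Fly-By-Night CA", fbn_priv),
    make_cert("Fly-By-Night CA", fbn_pub, "FemtoSoft", femto_priv),
    make_cert("FemtoSoft", femto_pub, "FemtoSoft", femto_priv),  # self-signed root
]
SIG = sign(friend_priv, ATTACHMENT)
VENDOR = {"FemtoSoft": femto_pub}  # root shipped with the mail reader, never chosen by the user
RANDOM_CHAIN = [make_cert("Random Company", random_pub, "Random Company", random_priv)]


def scenarios():
    return {
        "vendor_root_only": evaluate(ATTACHMENT, SIG, CHAIN, {}, VENDOR, set()),
        "user_trusts_root": evaluate(ATTACHMENT, SIG, CHAIN, {"FemtoSoft": femto_pub}, VENDOR, set()),
        "user_trusts_root_and_allows_signer": evaluate(
            ATTACHMENT, SIG, CHAIN, {"FemtoSoft": femto_pub}, VENDOR, {"Keith Moore"}),
        "signer_key_verified_personally": evaluate(
            ATTACHMENT, SIG, CHAIN, {"Keith Moore": friend_pub}, {}, {"Keith Moore"}),
        "tampered_attachment": evaluate(ATTACHMENT + b"extra", SIG, CHAIN, {"FemtoSoft": femto_pub}, VENDOR, set()),
        "random_company": evaluate(
            ATTACHMENT, sign(random_priv, ATTACHMENT), RANDOM_CHAIN, {}, VENDOR, {"Random Company"}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last scenario shows why allowlisting alone is not enough: "Random Company" is on the run allowlist, yet its self-signed root matches no anchor, so the verdict never reaches the authorization step. The code also shows what no verifier can do: a signature made with the friend's stolen private key is indistinguishable from the friend's own, which is why points 2b and 2c in the message are trust decisions about the signer rather than properties of the signature.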


