On Fri, Dec 9, 2011 at 5:28 PM, Nico Williams <n...@cryptonector.com> wrote:
> On Fri, Dec 9, 2011 at 4:08 PM, Steven Bellovin <s...@cs.columbia.edu> wrote:
>> On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote:
>>> If it were hard to get signing certs, then we as a community of developers
>>> would demonize the practice as having to get a license to code.
>>>
>> Peter is talking about stolen certs, which for most parts of the development
>> community aren't a prerequisite... But there's an interesting dilemma here
>> if we insist on all code being signed.
>>
>> Assume that a code-signing cert costs {$,€,£,zorkmid}10000/year. Everyone
>> but
>> large companies would scream. Now assume the cost is {$,€,£,zorkmid}.01/year
>> or even free. At that price, it's a nuisance factor, and would be issued via
>> a simple web interface. Simple web interfaces are scriptable (and we all
>> know
>> the limits of captchas), which means that malware could include a "get a
>> cert"
>> routine for the next, mutated generation of itself. In fact, they're largely
>> price-insensitive, since they'd be programmed with a stash of stolen credit
>> cards....
>
> This strengthens the argument for digital signatures as a means of
> providing upgrade continuity and related application grouping /
> isolation, as in the Android model. No need for a PKI then, no need
> to pay for certificates.
Android also make the application a security principal for resource
sharing (its a smarter walled garden approach). Its an awesome
approach, especially when compared to Windows and *nix where sharing
is generally based upon a login context and enforced through DACLs.
> In the Android model it shouldn't matter that malware might be signed.
> What should matter is that malware should not be able to gain control
> of the device or other user/app data on that device,
Right.
> that the user not even get a chance to install said malware, not
> because the malware's signatures don't chain up to a trusted CA but
> because the "app store" doesn't publish it and the user uses only
> trusted app stores. Neither of the last two is easy to ensure though
It never hurts to wish.
Jeff
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
