On Fri, Dec 9, 2011 at 5:28 PM, Nico Williams <n...@cryptonector.com> wrote:
> On Fri, Dec 9, 2011 at 4:08 PM, Steven Bellovin <s...@cs.columbia.edu> wrote:
>> On Dec 9, 2011, at 3:46:18 PM, Jon Callas wrote:
>>> If it were hard to get signing certs, then we as a community of developers
>>> would demonize the practice as having to get a license to code.
>>>
>> Peter is talking about stolen certs, which for most parts of the development
>> community aren't a prerequisite... But there's an interesting dilemma here
>> if we insist on all code being signed.
>>
>> Assume that a code-signing cert costs {$,€,£,zorkmid}10000/year. Everyone but
>> large companies would scream. Now assume the cost is {$,€,£,zorkmid}.01/year
>> or even free. At that price, it's a nuisance factor, and would be issued via
>> a simple web interface. Simple web interfaces are scriptable (and we all know
>> the limits of captchas), which means that malware could include a "get a cert"
>> routine for the next, mutated generation of itself. In fact, they're largely
>> price-insensitive, since they'd be programmed with a stash of stolen credit
>> cards....
>
> This strengthens the argument for digital signatures as a means of
> providing upgrade continuity and related application grouping /
> isolation, as in the Android model. No need for a PKI then, no need
> to pay for certificates.

Android also makes the application a security principal for resource sharing (it's a smarter walled garden approach). It's an awesome approach, especially when compared to Windows and *nix, where sharing is generally based upon a login context and enforced through DACLs.

> In the Android model it shouldn't matter that malware might be signed.
> What should matter is that malware should not be able to gain control
> of the device or other user/app data on that device,

Right.

> that the user not even get a chance to install said malware, not
> because the malware's signatures don't chain up to a trusted CA but
> because the "app store" doesn't publish it and the user uses only
> trusted app stores. Neither of the last two is easy to ensure though.

It never hurts to wish.

Jeff
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
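As an added illustration of the signature-as-identity model Nico and Jeff refer to (example code written for this page, not from the thread or from Android itself): a device accepts an update only when it is signed by the same key that signed the installed version, and two packages may share data only when they carry the same signer, with no CA anywhere. The RSA here is a toy stand-in over Mersenne primes so the block needs only the standard library; the package names, key pairs and scenario are constructed.

```python
import hashlib
# Textbook RSA over Mersenne primes stands in for a real signature scheme so the
# block needs no third-party library (toy key sizes; the trust policy is the point).
E = 65537

def keygen(p, q):
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def fingerprint(pub):
    # A signer's identity is the hash of its own key; nothing chains to a CA.
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

def install_or_update(installed, package, pub, data, sig):
    """installed maps package name -> fingerprint of the key that signed it.
    An update is accepted only from the key that signed the installed version."""
    if not verify(pub, data, sig):
        return "rejected: bad signature"
    prev, fp = installed.get(package), fingerprint(pub)
    if prev is not None and prev != fp:
        return "rejected: signer changed"
    installed[package] = fp
    return "installed" if prev is None else "updated"

def same_signer(installed, pkg_a, pkg_b):
    # Only packages signed by one key may share data (Android's sharedUserId).
    return pkg_a in installed and installed[pkg_a] == installed.get(pkg_b)

DEV_PUB, DEV_PRIV = keygen(2**61 - 1, 2**89 - 1)    # legitimate developer's key
MAL_PUB, MAL_PRIV = keygen(2**107 - 1, 2**127 - 1)  # malware author's key

def demo():
    """Constructed scenario: v1 installs; a trojanized 'v2' from another key is
    rejected; the real v2 updates; signed malware installs but shares nothing."""
    installed = {}
    steps = [("com.example.app", DEV_PUB, DEV_PRIV, b"app v1"),
             ("com.example.app", MAL_PUB, MAL_PRIV, b"trojanized v2"),
             ("com.example.app", DEV_PUB, DEV_PRIV, b"app v2"),
             ("com.evil.app", MAL_PUB, MAL_PRIV, b"signed malware")]
    results = [install_or_update(installed, pkg, pub, data, sign(priv, data))
               for pkg, pub, priv, data in steps]
    return results, same_signer(installed, "com.example.app", "com.evil.app")
```

Note that the signed malware package does install, exactly as Nico says it should not matter; what the key-continuity rule buys is that it can neither replace the legitimate app nor share its data.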