On 2011-12-07 16:31, Jon Callas wrote:
> There are many things about code signing that I don't think I understand.

Same here.

But I do understand something about the code creation, dissemination
and the trust between code creator and code user ("primary parties"),
and the role of the operating system vendor (a "tertiary party") as
an intermediary between the code creator and the code user.

With that said, I propose that "code signing" and then enforcing some
kind of "use sanctioning" protocol by the operating system vendor is
an idiotic idea, and fortunately one that has been proven as completely
impractical and ill-aligned with the interest of the two primary
parties, and thus continually rejected in practice.

What should be "signed" and "trusted" (or not trusted) is not the code,
but the channel by which the code is distributed.

Mark R.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
