On Thu, May 04, 2000 at 05:24:35PM -0600, Vernon Schryver wrote:
> ] From: Keith Moore <[EMAIL PROTECTED]>
> 
> ] ...
> ] > You could have senders sign any executables. That might help a little,
> ] > as long as the sender's machine hasn't been compromised.
> ]  
> ] this would also help, but we'd need a better way to verify the sender's 
> ] signature than we have now.
> 
> It wouldn't help much, unless you are of the religion that believes
> authentication implies authorization.  Or don't you think that
> today's evil doer could have managed to get the latest virus signed
> with some company's key?  My bet is that many among those websites
> that are defaced have handy dandy files of ASCII encoded binary
> around near the anonymously improved HTML.
>    .......

        The point was that an attachment could be signed by the _message
sender_, not the originator of the file. So any executables you send to your
friends would be signed by _you_. Of course, if _your_ machine has been
compromised then your signature is probably no longer valid and the system
breaks.
        Your friends would thereby give you the authority to run executables
on their system (with their manual assent, of course) assuming your executable
was properly authenticated as having come from you.

        Austin
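
The scheme in the message above, sketched as an added example (not code from any poster in this thread): the recipient first authenticates the attachment against the key on file for the message sender, then separately checks whether that sender has been granted authority to send executables, then asks for manual assent. The `Grant` type, `CheckAttachment` function, sender name and sample data are all constructed for illustration; Ed25519 stands in for whatever signature scheme a mail client would use.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Grant is one entry in the recipient's local policy (hypothetical type).
type Grant struct {
	Key          ed25519.PublicKey // sender's key the recipient has on file
	MaySendExecs bool              // authority the recipient grants, separate from the key
}

var (
	ErrUnknownSender = errors.New("no key on file for sender")
	ErrBadSignature  = errors.New("attachment not signed by claimed sender")
	ErrNotAuthorized = errors.New("sender authenticated but not granted authority")
	ErrDeclined      = errors.New("recipient declined to run")
)

// CheckAttachment returns nil only when the attachment verifies under the
// sender's key, the recipient has granted that sender authority, and the
// recipient assents. It cannot detect a compromised sender machine.
func CheckAttachment(policy map[string]Grant, sender string, att, sig []byte, assent func() bool) error {
	g, ok := policy[sender]
	if !ok {
		return ErrUnknownSender
	}
	if !ed25519.Verify(g.Key, att, sig) { // authentication
		return ErrBadSignature
	}
	if !g.MaySendExecs { // authorization, decided by the recipient
		return ErrNotAuthorized
	}
	if !assent() { // manual assent
		return ErrDeclined
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key pair
	att := []byte("constructed sample attachment")
	policy := map[string]Grant{"friend@example.org": {Key: pub, MaySendExecs: true}}
	yes := func() bool { return true }
	fmt.Println(CheckAttachment(policy, "friend@example.org", att, ed25519.Sign(priv, att), yes))
	fmt.Println(CheckAttachment(policy, "friend@example.org", append(att, 'x'), ed25519.Sign(priv, att), yes))
}
```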
