Some potentially useful analogies...

a) Would you trust a random person off the street to make your _cash_ bank deposit for you?
b) Would you be willing to warranty your neighbor's car?
c) States make you prove (in a plethora of ways) you are who you say you are and that you know how to drive before handing you a driver's licence.
d) Would you be willing to sign off on a Sarbanes-Oxley audit without actually *doing* the audit?
e) Would you be willing to give an alibi, in court, if you were _not_ actually with the accused at the time in question?

It's about knowledge and trust. If you aren't 100% sure of the code and you haven't performed a full & rigorous audit of the code, then you don't have full knowledge of what you're signing nor do you have trust of what you're signing. Yet you're telling the users of that signed 3rd party code that you *do* know and trust the code.

On the other hand, if by signing the code all you're intending to say is that "yes, this code did come from So-and-so", then hey .. sign away if they handed you the code directly. If you just downloaded the code, you have no way of telling if the code has been trojaned or if it's even the *actual* code you're looking for!

Kind Regards,
-dsp

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Mona Wong-Barnum
> Sent: Wednesday, February 25, 2004 6:26 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [SC-L] Code signing and Java Web Start
>
> Hi:
>
> I am asking for opinions on the issue of code signing and Java Web Start.
>
> We are about to have a meeting on this issue and I need some ammunition on why we should NOT be signing other people's code which we use in our Java applications that we serve out of Java Web Start. I know that signing code from unknown sources is very bad...but I think I need some "proof" or info that will help the managers understand the implication of this in terms of reliability and responsibility. It is my responsibility to educate my managers so that they can make the best possible choice; the rest is then out of my hands.
>
> All help will be greatly appreciated!
>
> thanks,
> Mona
>
> ==================================================================
> Mona Wong-Barnum
> National Center for Microscopy and Imaging Research
> University of California, San Diego
> http://ncmir.ucsd.edu/
>
> "If you don't have time to do it right, will you have time to do it over?"
> -- unknown
> ==================================================================
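An added example, not part of this thread and not from either poster: a small Python script showing the minimum a site could check before putting its own signature on a third-party jar, which is the situation the reply above warns about. It models two of the points made there. First, provenance: the downloaded archive is compared against a digest obtained out-of-band from the vendor, so a trojaned download is rejected instead of re-signed. Second, what a jar signature actually covers: jarsigner records a per-entry digest in META-INF/MANIFEST.MF (the `SHA-256-Digest` attribute), so a modified class file no longer matches its manifest entry. The jar, the "vendor" digest, and the tampered copy are all constructed inline; the function names are this example's own. Certificate-chain verification of the original signer (`jarsigner -verify -verbose -certs`) is a separate step that this script does not model.

```python
"""
Pre-signing sanity check for a third-party jar (constructed example).

Two checks a site should pass before re-signing someone else's code:
  1. the archive bytes match a digest obtained out-of-band from the vendor;
  2. every code entry still matches the SHA-256-Digest in the manifest.
"""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List


def _b64_sha256(data: bytes) -> str:
    """Base64 SHA-256, the encoding jarsigner uses for manifest digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory jar whose MANIFEST.MF carries a per-entry digest,
    laid out the way jarsigner writes it (Name / SHA-256-Digest pairs)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
    manifest = ("\r\n".join(lines) + "\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {entry name: base64 SHA-256 digest} from a MANIFEST.MF.
    Manifest lines are wrapped at 72 bytes; continuation lines start
    with a single space, so unfold them first."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    digests: Dict[str, str] = {}
    name = None
    for line in unfolded:
        if not line:               # blank line ends a section
            name = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name is not None:
            digests[name] = value
    return digests


def check_before_resigning(jar_bytes: bytes, vendor_sha256_hex: str) -> List[str]:
    """Return a list of problems; an empty list means both checks passed."""
    problems: List[str] = []
    actual = hashlib.sha256(jar_bytes).hexdigest()
    if actual != vendor_sha256_hex:
        problems.append(f"archive digest mismatch: got {actual}")
        # keep going so the report also says *which* entry changed
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = digests.get(info.filename)
            if expected is None:
                problems.append(f"{info.filename}: not covered by manifest")
            elif _b64_sha256(zf.read(info.filename)) != expected:
                problems.append(f"{info.filename}: digest mismatch")
    return problems


def replace_entry(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Constructed test input: rewrite one entry and leave the manifest alone,
    i.e. what a tampered download looks like to the checks above."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


# Constructed sample: a "vendor" jar, its out-of-band digest, and a tampered copy.
GOOD_JAR = build_jar({
    "com/example/App.class": b"\xca\xfe\xba\xbe original bytecode",
    "com/example/Util.class": b"\xca\xfe\xba\xbe helper bytecode",
})
VENDOR_SHA256 = hashlib.sha256(GOOD_JAR).hexdigest()   # stands in for the published value
BAD_JAR = replace_entry(GOOD_JAR, "com/example/App.class",
                        b"\xca\xfe\xba\xbe modified bytecode")

if __name__ == "__main__":
    print("vendor copy:", check_before_resigning(GOOD_JAR, VENDOR_SHA256) or "ok")
    print("tampered:   ", check_before_resigning(BAD_JAR, VENDOR_SHA256))
```

The second check matters even when the first passes: a vendor that ships a jar whose manifest does not cover every class is asking you to vouch for bytes its own signature never covered.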
