On Thu, 30 Oct 2003 10:55:01 +1300, Nick FitzGerald <nick@virus-l.demon.co.uk> said:

> amount of "trust" a truly good CA can add to the equation, or that MS
> did not understand (or, more likely, was unprepared for marketing
> reasons to admit) that Authenticode is really just a sham adding
> nothing of significant value to the security of mobile code.

I've made variants of the following description of the distinction between authentication and authorization:

Authentication: Yes, your driver's license says you're Jeffrey Dahmer.

Authorization: You say you'd like to borrow a steak knife?

I remember that I originally made that analogy during an e-mail exchange with Michael Howard (of "Writing Secure Code" fame). Unfortunately, I can't quote an exact date for it, but it was certainly before mid-1999. It was apparent to me at the time that at least Michael understood the distinction quite well, but that the Official Party Line said otherwise even then.

I seem to recall that at the time, we both still had an underlying assumption that the CAs for the PKI were both competent and honest. Looking back at it from 5 years later, that does seem somewhat naive...