[145623] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Aug 5 11:45:53 2010
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com, david-sarah@jacaranda.org
In-Reply-To: <4C5A142A.1090607@jacaranda.org>
Date: Thu, 05 Aug 2010 17:37:54 +1200
David-Sarah Hopwood <david-sarah@jacaranda.org> writes:
>Huh? I don't understand the argument being made here.
It's a bogus argument. The text says:
  He took a legitimate software package and removed the signature of the
  digital certificate it contained, then installed the package on his
  computer. The Installer application didn't indicate that the certificate had
  been modified.
The certificate wasn't modified, they just stripped the signature from the
executable.
  "Only an expert will be able to detect a problem," Schouwenberg said. "And
  all Microsoft will tell you is that the file is not signed."
And what else should Windows say? "We put this through our time machine and
noticed that at some time in the past it was signed and now it isn't"?
The rest of the story isn't much better:
  The Stuxnet worm, which surfaced last month, used fake Verisign digital
  certificates
No, they were genuine certs, just in the wrong hands.
Peter.
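As an added example (not code from the original post or thread), a PowerShell check written from the defender's side of this exchange: it fails closed on the only thing Windows can report about a stripped signature, "not signed", and pins the expected publisher so that a signature that is merely "Valid" does not pass on its own. The publisher subject and directory path are constructed placeholders.

```powershell
# Added example, not part of Peter Gutmann's post: an Authenticode policy check
# that fails closed on "NotSigned", since a binary whose signature was stripped
# looks exactly like one that was never signed, and that pins the signer so a
# merely "Valid" signature from an unexpected publisher is not enough.
function Test-RequiredSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected publisher subject; the value below is a constructed placeholder.
        [string] $ExpectedSubject = 'CN=Example Publisher, O=Example Corp, C=US'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    switch ($sig.Status) {
        'Valid' {
            # Windows has already verified the hash and the chain, but a genuine
            # certificate in the wrong hands (the Stuxnet case above) still yields
            # 'Valid'; pinning the subject narrows who may sign this file.
            $subject = $sig.SignerCertificate.Subject
            if ($subject -ne $ExpectedSubject) {
                $result = 'FAIL'; $reason = "signed by unexpected publisher: $subject"
            } else {
                $result = 'PASS'; $reason = 'valid signature from expected publisher'
            }
        }
        'NotSigned' {
            # All Windows can say is "not signed": whether a signature was removed
            # cannot be recovered from the file itself, so treat it as a failure.
            $result = 'FAIL'; $reason = 'no signature present (stripped or never signed)'
        }
        'HashMismatch' {
            $result = 'FAIL'; $reason = 'file contents changed after signing'
        }
        default {
            $result = 'FAIL'; $reason = "signature status $($sig.Status)"
        }
    }

    [pscustomobject]@{ Path = $Path; Result = $result; Reason = $reason }
}

# Usage: check every executable in a package directory (constructed path).
Get-ChildItem -Path 'C:\Example\Package' -Include *.exe, *.dll, *.msi -Recurse |
    ForEach-Object { Test-RequiredSigner -Path $_.FullName } |
    Format-Table -AutoSize
```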
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com