[163] in WWW Security List Archive
Re: what are realistic threats?
daemon@ATHENA.MIT.EDU (Nick Szabo)
Fri Sep 30 06:16:36 1994
From: szabo@netcom.com (Nick Szabo)
To: masinter@parc.xerox.com
Date: Thu, 29 Sep 1994 21:25:11 -0700 (PDT)
Cc: hallam@dxal18.cern.ch, www-security@ns1.rutgers.edu
In-Reply-To: <94Sep29.094804pdt.2760@golden.parc.xerox.com> from "Larry Masinter" at Sep 29, 94 09:47:55 am
Reply-To: szabo@netcom.com (Nick Szabo)

> But what are they signing?

Indeed, some of these "certification" schemes are quite silly --
they simply rely on the assumption that we're supposed to be
impressed. They are, quite literally, a lot of noise signifying
nothing.

As far as software distribution goes, by far the best guarantee
that it hasn't been tampered with is the digital signatures of the
authors themselves. A signature by someone who hasn't closely
examined the code is quite a piece of lunacy, but I bet there will be
plenty of suckers out there who will be impressed by some particular
well-hyped chop.

Nick Szabo szabo@netcom.com