[167] in WWW Security List Archive
Re: what are realistic threats?
daemon@ATHENA.MIT.EDU (Andras Salamon)
Fri Sep 30 17:24:00 1994
Date: Fri, 30 Sep 1994 16:40:38 +0200 (GMT)
From: Andras Salamon <andras@is.co.za>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: hallam@dxal18.cern.ch, www-security@ns1.rutgers.edu
In-Reply-To: <94Sep29.094804pdt.2760@golden.parc.xerox.com>
Reply-To: Andras Salamon <andras@is.co.za>

On Thu, 29 Sep 1994, Larry Masinter wrote:
> >>OK. What about trojan horses in
>
> > This is why I think we need a standalone certificate scheme. The
> > program may reside on any server but has a certificate signed by the
> > producer. Although single rooted authentication hierarchies have
> > problems most people would trust the signature if signed by USGovt,
> > MIT, W3O, AMEX and Peter Wright.
>
> But what are they signing?

They are signing that the software is in the same condition as when the
author released it. This won't buy anything against trojans in the
release (for instance wu-ftpd) but will buy some assurance that the
information hasn't been tampered with or corrupted.

> I expect every piece of freeware I get to come with an explicit
> disclaimer that the software comes AS IS and that there are no

Let's work towards some assurance that the software is actually AS IS.

Andr\'as Salamon andras@is.co.za
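
Added example, not part of the original message: a Go sketch of what a producer's signature on a release does and does not establish, as discussed in the reply above. The algorithm (Ed25519 over a SHA-256 digest), the fixed key seed, the sample release strings and all function names are assumptions made for illustration; the thread names no particular scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed sample key material: a fixed seed stands in for the
// producer's private key so the example is reproducible.
var producerSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// signRelease signs the SHA-256 digest of the release bytes.
func signRelease(priv ed25519.PrivateKey, release []byte) []byte {
	digest := sha256.Sum256(release)
	return ed25519.Sign(priv, digest[:])
}

// verifyRelease reports whether the received bytes are the bytes the producer signed.
func verifyRelease(pub ed25519.PublicKey, release, sig []byte) bool {
	digest := sha256.Sum256(release)
	return ed25519.Verify(pub, digest[:], sig)
}

// demo checks three cases: unmodified, altered after release, flawed before signing.
func demo() (asReleased, tampered, trojanedAtSource bool) {
	priv := ed25519.NewKeyFromSeed(producerSeed)
	pub := priv.Public().(ed25519.PublicKey)
	release := []byte("ftpd-1.0 source archive (constructed sample)")
	sig := signRelease(priv, release)
	asReleased = verifyRelease(pub, release, sig) // a mirror serves the exact bytes

	modified := append([]byte{}, release...)
	modified[0] ^= 0x01 // one bit changed or corrupted after release
	tampered = verifyRelease(pub, modified, sig)

	bad := []byte("ftpd-1.0 archive with unwanted code already in it (constructed sample)")
	trojanedAtSource = verifyRelease(pub, bad, signRelease(priv, bad))
	return asReleased, tampered, trojanedAtSource
}

func main() {
	a, t, s := demo()
	fmt.Println("as released:", a, "| modified in transit:", t, "| flawed before signing:", s)
}
```

The third case verifies because the signature binds the bytes to the producer, not to any property of their content.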