[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Java & signed applets



At 3:02 PM 5/16/96, Lyal Collins wrote:
>Signing anything is somewaht a waste of time, unless the verification
>siftware is highly trusted, and there is good intergity/authenticity
>control of the root public key(s).
>So, in geneal - ho hum - until trusted hardware is available on the
>desktop.

Unless I am misunderstanding your message (terseness has its
disadvantages), this is not really true.

* Checking the signature on a signed applet is a kind of "sanity check" on
the source of the software. It is rather unlikely, I think, that a
malicious agent will corrupt or infect one's verification software so as to
make untrusted applets looks trusted. (Ignoring what "trust" means for
now.)

* To wit, if you (Lyal Collins) run a signature verification applet
downloaded, say, from Sun, and some time has passed and you have heard no
reports that, say, Silicon Graphics broke into Sun and replaced all of
Sun't applets with a malicious version, and if you have checked Sun's
signature against published values (that is, you have used a public key
widely disseminated, and not repudiated), then you can very probably
"trust" this signature-checking procedure.

(One can construct fanciful scenarios in which one's OS has been corrupted,
one's microprocessor has been replaced, etc., but these are clearly fringe
events. All security is economics....)

(Note: I expect at least one person to argue that this is indeed a concern.
Again, look to economics. How do you _really_ know that your "mother" is
really your mother, and not a stranger who entered your life minutes after
your birth? How do you _really_ know that a vending machine of Cokes is not
able to detect your presence and give you a poisoned can of Coke?)

* If one's basic signature-checking hardware and software is not
compromised, signature checking works. If it _is_ compromised, you've got
bigger problems. And no cryptographic system can really handle this issue.

Oh, and I disagree also with the last point: "So, in geneal - ho hum -
until trusted hardware is available on the desktop."

What, for example, is "trusted hardware"? How does a user ever know that
his hardware was not compromised at the chip factory, for example?

(Not that I think this is a reasonable thing to worry about at this point,
given much larger problems all around us, but I mention it to show that one
gets caught in a recursive process in which one can of course never be
absolutely certain of anything. The Solipsist view of things is internally
consistent.)

So, I'll take my chances that applet signing will be a welcome extra level
of protection against malicious applets. Others are free, of course, to
instead worry that their machines are insecure and the signature-checking
software has cleverly been replaced by some agent trying to get them to
download a malicious applet. (Of course, if They can corrupt one's crypto
software, they can do all sorts of other bad things, and probably don't
need to wait for you to download an applet to start doing them.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Licensed Ontologist         | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."