[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Announcing Bellcore's Trusted Software Integrity (Betsi) System
Brad Huntting writes:
> Many Mac viruses that I've seen come straight from Microsoft neatly
> sealed in plastic on brand new disks. If they signed them it would
> not increase my confidence one iota.
How would getting Betsi to sign them increase your confidence? Betsi
doesn't seem to claim to do any testing of the software, they just
verify that it was really Bill Gates' company (in this example) that
shipped the Microsoft product. BFD -- they can buy their own ViaCrypt
PGP.
I think people are missing my point: that having a third party sign
your software without any testing (Betsi is free, after all) adds
*nothing* except for a human-to-name mapping, and increases the
risk of the signature being compromised.
Now, there probably is a market for somebody who tests the software
first and then certifies it -- in fact, that will probably be a big
business in the future, one I can easily see someone like Cygnus getting
into. But that's not what Betsi claims to do, and I certainly don't
want to contemplate the legal issues (do you get your ass sued off when
you're wrong? Almost certainly) involved with anybody trying to do that.
--
L. Todd Masco | "Which part of 'shall not be infringed' didn't
[email protected] | you understand?"