echo: nthelp
to: Antti Kurenniemi
from: Rich
date: 2006-09-07 21:13:06
subject: Re: Code signing

   No.  You look at the signing certificate to see if you trust both the
signing party and the certification path.  If you do not, do not trust
the signed entity.  If something is not signed, you don't have even this
option.  How do you choose what to trust?

   The average Joe relies on the identity of the signing party alone and
assumes that the certification authorities that are not distrusted have
been vetted.

   In practice, have you ever known this to be a problem with signed
code?  How much actual malware do you hear of that is signed?  I can't
think of any that wasn't some PR stunt by someone that signed a demo
which he released under his own name anyway.

Rich

  "Antti Kurenniemi" wrote in message news:450054c1{at}w3.nls.net...

  The concept of "signed" executables / activex / whatnot makes me want to
  slap someone every time I see it mentioned. Yeah, sure, it's signed - now
  what? Should I visit Redmond to ask someone if they really signed this, or
  if this is just a trick - a message box saying this executable is signed?
  The rate at which these new "improvements" keep popping up is such that no
  average Joe can ever really know if he's being fooled or if it really is
  legit...


  Antti Kurenniemi



--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
