echo: nthelp
to: Rich
from: Geo
date: 2006-09-08 06:04:02
subject: Re: Code signing

From: "Geo" 


What happens when a vendor you trust does something like oh say loading the first half of WGA on your system without your approval? Is there a checkbox somewhere that says "never trust the bastards again"?

Kinda hard to remember who you trust and who you don't without a nice feature that helps keep track. The only thing the OS offers is to tell you who signed it. It doesn't allow you to mark them as untrusted.

Geo.
  "Rich"  wrote in message news:4500ee78$1{at}w3.nls.net...
     No.  You look at the signing certificate to see if you trust both the signing party and the certification path.  If you do not, do not trust the signed entity.  If something is not signed, you don't have even this option.  How do you choose what to trust?

     The average Joe relies on the identity of the signing party alone and assumes that the certification authorities that are not distrusted have been vetted.

     In practice, have you ever known this to be a problem with signed code?  How much actual malware do you hear of that is signed?  I can't think of any that wasn't some PR stunt by someone that signed a demo which he released under his own name anyway.

  Rich


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
