Hi Jean Marc,

Jean-Marc Desperrier wrote:
>
> How effective has this approach been until now to block spam and spyware
> ?

Errrr... how many times did you encounter and install signed spyware and
adware on your computer? I guess close to zero! If all software one
installs were signed by a verifiable certificate, this wouldn't be an issue
at all. Instead users are trained to click through the various pop-ups and
warnings when installing something on their computer...

> Is it really that difficult to identify those responsible for it,
> especially in the case of spamware,

If everybody used S/MIME signatures and refused any non-signed mail, it
would improve the spam problem a lot. Additionally, mail servers could work
in TLS mode only to further reduce this problem.

> do you really think it's much harder
> to escape reliability after buying a signing certificate than to escape
> it when operating a large scale spam platform ?

Yes! First of all it would make casual users aware of certificates; second,
you could trace such attempts much more easily. Remember, the crooks always
go the easiest way...

> How hard and how long
> will it be to convince a judge to take the right decision between one
> side's "spyware" and the other's "innovative marketing technic" ?
>

That would be an interesting question indeed, but at least you know to whom
you are talking. I assume that code signing certificates are only issued
after reasonable verification (at least).

>> So it seems that you are suggesting that we should issue code-signing
>> certificates to anyone who wants them, and use revocation to pull out
>> the bad actors?
>>
>
> In short yes. Just that it's not to anyone who wants them, you have the
> final say to who gets them, and if you experimentally find out you have
> to be very restrictive to avoid a bad experience for your users, then
> you'll just do that.
>

That's about the same (failed) approach as blacklisting mail servers,
phishing web sites etc...
>
> And in this case, the
> seriousness of the CAs and the effectiveness of the legal threat are
> your only lines of defense.
>

But perhaps the best one? What if YOU failed to detect a serious problem
in the code and YOU issued a certificate for that application? You'll be
liable under certain circumstances for damages! Remember, you suggest
reviewing the code, not verifying the identity!

> Of course you can also choose to make deals to only accept a few
> selected commercial CAs for which a highly effective revocation channel
> will be in place (in addition to a high quality identity review process,
> and only accepting requests from selected countries where the legal
> threat will be effective).

Which perhaps will shut out most developers, especially the last condition
of "selected" countries... not to speak of the costs even...
-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto