Jean-Marc Desperrier wrote:
> But I'd like to point out I'm not the only one who is doubtful about the
> real level of authentication current commercial CAs provide for code
> signing certificates.
>
> See this SyScan'07 presentation:
> http://www.symantec.com/avcenter/reference/attack.surface.analysis.of.blackberry.devices.pdf

I'm generally skeptical of such reports. It is now quite evident that those who make their reputation by finding fault with others' software often resort to sensationalism to make their findings seem more important than they are. But in this case, I have another comment...

> Malicious Code Signing chapter:
> "signatures can still be obtained with relative ease and anonymity.
> Code-signing keys can be obtained anonymously via the use of prepaid
> credit-cards and false details. Pre-paid credit cards can be bought and
> charged locally with cash without the requirement of presenting I.D.8

If you can identify a CA that sells *code signing* certs on that basis, requiring no more than a valid credit card for issuance, and who is in Mozilla's trusted cert list, please report that CA here to us. IMO, a simple demonstration of it is sufficient reason to remove the code signing trust from that CA's cert. If no such CA can be identified, then this appears to be another case of sensationalism.

--
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto