On Wed, Dec 24, 2008 at 4:25 AM, Ian G <i...@iang.org> wrote:
> PS: on an earlier comment, check this out:
>
> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx
>
> This is, IMHO, the sort of work that Mozilla should be treating as more
> important than today's case, because it evidences PRESENT danger.

"In most cases, CAs participating in the Microsoft Root Certificate Program issue code signing certificates to a software publisher who uses the certificate to sign malware. [...] In most cases, CAs participating in the Microsoft Root certificate program are tricked into issuing a valid certificate to the malware author."

Uhm... how is it "being tricked" to issue a code signing certificate to a malware author, if the malware author proves his bona fides, and it's issued in the name of the malware author?

-Kyle H