What is the value of "Signing"? 

Microsoft has just put forth a great effort (and tossed aside many other
worthy candidates) in order to include "Signing" in the latest version of
wsh.  It has been alleged that "Signing" will rescue the world of scripting,
as we know it, from certain oblivion...

As a practical matter, the only effect that I can see from signing is that
it includes a hundred lines of indecipherable "gobble-de-gook" into your
script.

Otherwise, my only other exposure to "Signing" has been to be presented with
a couple dialogs over the past four years or so, asking me if I wanted to
install a certain add-in, "Signed" by a certain corporation.  My answer was
always: "NO!".  If I want something installed, I'll install it myself, thank
you very much.

After such a limited exposure, and having the perception of "Signing" as
being of very limited value (if any), I would appreciate very much if
somebody would take the time to explain why Microsoft thought "Signing" was
so important, and what value "Signing" will have to me as an amateur
scripter...

thanks in advance for any help, jw



Mon, 19 May 2003 03:00:00 GMT  
Firstly, have a look at the scr56en.exe installer for WS 5.6b1.
Right click it and you will notice that "Digital Signatures" pane.
That is because most of Microsoft's exes, installers etc.. are
digitally signed. This provides some assurance that the
application has not been tampered with, and indicates which
certificate was used to sign it (in MS case, a Class 3 VeriSign
Software Publishers certificate).

Code-signing is quite prevalent in win2000. All the important
system drivers have signature values (hash values) stored in
cat files, which the system uses in its File Protection architecture.

The web model for privileged code has been around for some time.
The idea here is that active content (Java, script) running within
an automatically downloaded web-content should have very
limited capability. This means very limited web-based client app
functionality. Code-signing provides a PKI-based approach to
authenticating and verifying integrity of such downloaded code,
opening up the door for very powerful web-based apps, as powerful
as standalone local applications on the desktop. This will become
ever-more important for ecommerce.

The promise of locking down all apps on the win32 Whistler desktop
is merely extending this philosophy right down to the desktop environ.
Since the win32 OS has been so tightly integrated with the Internet, it
becomes necessary to ensure a more secure environment. Code-signing
applications and scripts, along with the ability to lock-out execution of
non-signed applications/scripts provides a very good model, but it does
NOT relieve the end user completely of their "trust" decision.

Of course, such technology can never replace the all important trust
decision that must be made, based on the signature found on a particular
script, exe, ActiveX control, dll etc..   This has always been the case.
It DOES provide a reasonable path for (1) tracing the signer, (2) who issued
that signer's certificate, and (3) indicates if the signed item has been modified.

The only danger I foresee is possible "cut rate" Certificate Authority shops
springing up, to compete with the "brand name" CAs  (Thawte, Verisign etc..).
This requires carefully monitored control over CA issuance practices.
The list of "trusted CAs" contained in the Microsoft cert database, browser
cert databases (Netscape cert7.db file etc..) must be regulated carefully.
IT departments in this regard are accountable for customized intranet configurations.

When considering some application that is digitally signed, here is the
logic that one might use:
 (1) where did the signed item come from (email attachment, web-download, ftp dnld ..)
 (2) do I know who actually signed that code?  is the signer the actual AUTHOR of the code????
 (3) is the signed item intact (verifiable) ?
 (4) is the issuing root CA certificate recognized in my CA cert database?
 (5) if you do NOT personally know the holder of the code-signing certificate, then
       you should check the issuer's list of "revoked" certificate holders.
 (6) do you know why the author signed the code? is it their posted practice?

Note that several of these questions are ones you should typically ask
before opening/running ANY executable/script of ANY type, from email or otherwise.

Remember that there is nothing preventing a hacker from obtaining a code-signing
certificate, although he/she must provide some verifiable personal authentication
information, and pay >~$100 / year.

Hope this helps a bit.
Cheers,
 -- Mitch Gallant

Quote:

> Microsoft has just put forth a great effort (and tossed aside many other
> worthy candidates) in order to include "Signing" in the latest version of
> wsh.  It has been alleged that "Signing" will rescue the world of scripting,
> as we know it, from certain oblivion...

> As a practical matter, the only effect that I can see from signing is that
> it includes a hundred lines of indecipherable "gobble-de-gook" into your
> script.

> Otherwise, my only other exposure to "Signing" has been to be presented with
> a couple dialogs over the past four years or so, asking me if I wanted to
> install a certain add-in, "Signed" by a certain corporation.  My answer was
> always: "NO!".  If I want something installed, I'll install it myself, thank
> you very much.

> After such a limited exposure, and having the perception of "Signing" as
> being of very limited value (if any), I would appreciate very much if
> somebody would take the time to explain why Microsoft thought "Signing" was
> so important, and what value "Signing" will have to me as an amateur
> scripter...

> thanks in advance for any help, jw



Mon, 19 May 2003 03:00:00 GMT  
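
Added example, not part of any post in this thread: items (2) to (5) of the checklist above can be read off a script file mechanically, while (1) and (6) remain human judgments. The sketch uses PowerShell's `Get-AuthenticodeSignature` and .NET's `X509Chain`, neither of which is mentioned in the thread; the folder name, the sample file and the function name `Get-ScriptTrustReport` are constructed for illustration.

```powershell
# Added example. $scanDir and the unsigned sample script are constructed for the demo.
$scanDir = Join-Path $env:TEMP 'signing-audit-demo'
New-Item -ItemType Directory -Path $scanDir -Force | Out-Null
Set-Content -Path (Join-Path $scanDir 'unsigned.vbs') -Value 'WScript.Echo "hello"'

function Get-ScriptTrustReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.vbs, *.js, *.wsf | ForEach-Object {
        # Status answers (3) and (4): HashMismatch = modified after signing,
        # NotTrusted = chain does not end in a root this machine trusts.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $topOfChain  = $null
        $chainStatus = 'n/a'

        if ($cert) {
            # (5) Rebuild the chain with online revocation checking (CRL/OCSP).
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $ok   = $chain.Build($cert)
            $last = $chain.ChainElements.Count - 1
            $topOfChain  = $chain.ChainElements[$last].Certificate.Subject
            # Flags such as Revoked, RevocationStatusUnknown or UntrustedRoot appear here.
            $chainStatus = if ($ok) { 'NoError' } else { $chain.ChainStatus.Status -join ', ' }
        }

        [pscustomobject]@{
            File        = $_.Name
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject } else { $null }   # (2) who signed
            Issuer      = if ($cert) { $cert.Issuer }  else { $null }   # (2) who vouched for the signer
            TopOfChain  = $topOfChain            # (4) compare against your trusted roots
            ChainStatus = $chainStatus           # (5) revocation and chain errors
        }
    }
}

# Only 'Valid' with a signer you expect should pass the checklist.
Get-ScriptTrustReport -Path $scanDir | Format-List
```

A `Valid` status only says the file is intact and chains to a trusted root; whether the named signer is someone you want running code on the machine is still the trust decision the post describes.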
thanks, that was a mighty effort in itself.  I still don't quite comprehend
it all, but maybe it will become more clear over time, jw



Quote:
> Firstly, have a look at the scr56en.exe installer for WS 5.6b1.
> Right click it and you will notice that "Digital Signatures" pane.
> That is because most of Microsoft's exes, installers etc.. are
> digitally signed. This provides some assurance that the
> application has not been tampered with, and indicates which
> certificate was used to sign it (in MS case, a Class 3 VeriSign
> Software Publishers certificate).



Tue, 20 May 2003 03:00:00 GMT  
Don't worry about it. "Baby steps" ... etc..
When you work with it all, or just interact with it
from an end-user perspective, it will start to make more sense.

The trick is to figure out which part of the security
infrastructure you really need to worry about, and what
you don't. This comment also applies to applications developers.
Cheers,
 -- Mitch Gallant

Quote:

> thanks, that was a mighty effort in itself.  I still don't quite comprehend
> it all, but maybe it will become more clear over time, jw



> > Firstly, have a look at the scr56en.exe installer for WS 5.6b1.
> > Right click it and you will notice that "Digital Signatures" pane.
> > That is because most of Microsoft's exes, installers etc.. are
> > digitally signed. This provides some assurance that the
> > application has not been tampered with, and indicates which
> > certificate was used to sign it (in MS case, a Class 3 VeriSign
> > Software Publishers certificate).



Tue, 20 May 2003 03:00:00 GMT  
In a corporate environment it means that a policy can be applied to all
desktops which allows only signed scripts to be executed.

Regards,
Ian
WSH FAQ http://www.windows-script.com


Quote:
> Don't worry about it. "Baby steps" ... etc..
> When you work with it all, or just interact with it
> from an end-user perspective, it will start to make more sense.

> The trick is to figure out which part of the security
> infrastructure you really need to worry about, and what
> you don't. This comment also applies to applications developers.
> Cheers,
>  -- Mitch Gallant


> > thanks, that was a mighty effort in itself.  I still don't quite comprehend
> > it all, but maybe it will become more clear over time, jw



> > > Firstly, have a look at the scr56en.exe installer for WS 5.6b1.
> > > Right click it and you will notice that "Digital Signatures" pane.
> > > That is because most of Microsoft's exes, installers etc.. are
> > > digitally signed. This provides some assurance that the
> > > application has not been tampered with, and indicates which
> > > certificate was used to sign it (in MS case, a Class 3 VeriSign
> > > Software Publishers certificate).



Wed, 21 May 2003 03:00:00 GMT  
Thanks Ian, that I DO understand.

Still, as a "home-brew" scripter, it has absolutely no value to me.

cheers, jw


Quote:
> In a corporate environment it means that a policy can be applied to all
> desktops which allows only signed scripts to be executed.

> Regards,
> Ian
> WSH FAQ http://www.windows-script.com



Sat, 24 May 2003 03:00:00 GMT  