What is the value of "Signing"?
Firstly, have a look at the scr56en.exe installer for WS 5.6b1.
Right-click it and you will notice the "Digital Signatures" pane.
That is because most of Microsoft's exes, installers etc. are
digitally signed. This provides some assurance that the
application has not been tampered with, and indicates which
certificate was used to sign it (in MS's case, a Class 3 VeriSign
Software Publishers certificate).
Code-signing is quite prevalent in win2000. All the important
system drivers have signature values (hash values) stored in
cat files, which the system uses in its File Protection architecture.
The web model for privileged code has been around for some time.
The idea here is that active content (Java, script) running within
an automatically downloaded web context should have very
limited capability. This means very limited web-based client app
functionality. Code-signing provides a PKI-based approach to
authenticating and verifying integrity of such downloaded code,
opening up the door for very powerful web-based apps as powerful
as standalone local applications on the desktop. This will become
ever-more important for ecommerce.
The promise of locking down all apps on the win32 Whistler desktop
is merely extending this philosophy right down to the desktop environment.
Since the win32 OS has been so tightly integrated with the Internet, it
becomes necessary to ensure a more secure environment. Code-signing
applications and scripts, along with the ability to lock out execution of
non-signed applications/scripts provides a very good model, but it does
NOT relieve the end user completely of their "trust" decision.
Of course, such technology can never replace the all important trust
decision that must be made, based on the signature found on a particular
script, exe, ActiveX control, dll etc. This has always been the case.
It DOES provide a reasonable path for (1) tracing the signer, (2) who issued
that signer's certificate, and (3) indicates if the signed item has been modified.
The only danger I foresee is possible "cut rate" Certificate Authority shops
springing up, to compete with the "brand name" CAs (Thawte, Verisign etc.).
This requires carefully monitored control over CA issuance practices.
The list of "trusted CAs" contained in the Microsoft cert database, browser
cert databases (Netscape cert7.db file etc.) must be regulated carefully.
IT departments in this regard are accountable for customized intranet configurations.
When considering some application that is digitally signed, here is the
logic that one might use:
(1) where did the signed item come from (email attachment, web-download, ftp dnld
(2) do I know who actually signed that code? is the signer the actual AUTHOR of the
(3) is the signed item intact (verifiable) ?
(4) is the issuing root CA certificate recognized in my CA cert database?
(5) if you do NOT personally know the holder of the code-signing certificate, then
you should check the issuer's list of "revoked" certificate holders.
(6) do you know why the author signed the code? is it their posted practice?
Note that several of these questions are ones you should typically ask
before opening/running ANY executable/script of ANY type, from email or otherwise.
Remember that there is nothing preventing a hacker from obtaining a code-signing
certificate, although he/she must provide some verifiable personal authentication
information, and pay >~$100 / year.
Hope this helps a bit.
-- Mitch Gallant
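An added example (not part of Mitch's post) showing how checklist items (3), (4) and (5) above can be checked mechanically on Windows with Authenticode; items (1), (2) and (6) remain human judgement. It assumes Windows PowerShell 5.1 or later and a file path you supply; the function name Test-SignedItem is my own.

```powershell
# Added example, not from the original post. Checks one file against
# Mitch's items (3) intact, (4) root recognised, (5) revocation.
function Test-SignedItem {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File              = $Path
        Status            = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted ...
        Intact            = ($sig.Status -ne 'HashMismatch' -and $sig.Status -ne 'NotSigned')
        Signer            = $null
        Issuer            = $null
        RootTrusted       = $false
        RevocationChecked = $false
        ChainErrors       = @()
    }
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]$result       # (3): nothing to verify, stop here
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject           # (2): who signed it, for you to judge
    $result.Issuer = $cert.Issuer            # who issued that signer's certificate

    # (4) and (5): chain the signer up to a root in the local trust store and
    # consult CRL/OCSP for every certificate in that chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    # Require the code-signing EKU (OID 1.3.6.1.5.5.7.3.3) on the signer.
    $eku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($eku) | Out-Null

    $result.RootTrusted = $chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    # Revocation counts as checked only if no element reported that the
    # revocation status could not be determined (offline or unknown).
    $unknown = $chain.ChainStatus | Where-Object { $_.Status.ToString() -match 'Revocation' }
    $result.RevocationChecked = -not $unknown
    # Note: an expired signer that was timestamped shows NotTimeValid here
    # while Get-AuthenticodeSignature still reports Status = Valid.
    $chain.Reset()
    [pscustomobject]$result
}

# Usage: Test-SignedItem -Path 'C:\path\to\scr56en.exe' | Format-List
```

A result of Status = Valid with RootTrusted = $false or RevocationChecked = $false is exactly the case Mitch warns about: the file is intact, but the trust decision is still yours.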
> Microsoft has just put forth a great effort (and tossed aside many other
> worthy candidates) in order to include "Signing" in the latest version of
> wsh. It has been alleged that "Signing" will rescue the world of scripting,
> as we know it, from certain oblivion...
> As a practical matter, the only effect that I can see from signing is that
> it includes a hundred lines of indecipherable "gobble-de-gook" into your
> Otherwise, my only other exposure to "Signing" has been to be presented with
> a couple dialogs over the past four years or so, asking me if I wanted to
> install a certain add-in, "Signed" by a certain corporation. My answer was
> always: "NO!". If I want something installed, I'll install it myself, thank
> you very much.
> After such a limited exposure, and having the perception of "Signing" as
> being of very limited value (if any), I would appreciate very much if
> somebody would take the time to explain why Microsoft thought "Signing" was
> so important, and what value "Signing" will have to me as an amateur
> thanks in advance for any help, jw