Re: [saag] Fwd: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 06 April 2009 13:46 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ED27A28C158 for <saag@core3.amsl.com>; Mon, 6 Apr 2009 06:46:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CC1ZEij1v22n for <saag@core3.amsl.com>; Mon, 6 Apr 2009 06:46:34 -0700 (PDT)
Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by core3.amsl.com (Postfix) with ESMTP id EF3F83A698F for <saag@ietf.org>; Mon, 6 Apr 2009 06:46:31 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id A1E039F2BE; Tue, 7 Apr 2009 01:47:36 +1200 (NZST)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2mdHGh8nCi4; Tue, 7 Apr 2009 01:47:36 +1200 (NZST)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 5610C9F2B7; Tue, 7 Apr 2009 01:47:36 +1200 (NZST)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 637171DE4001; Tue, 7 Apr 2009 01:47:35 +1200 (NZST)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1LqpAl-0000em-7S; Tue, 07 Apr 2009 01:47:35 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: benl@google.com, tlr@w3.org
In-Reply-To: <1b587cab0904060608x14ccee52g2d16c4e780f8cd5@mail.gmail.com>
Message-Id: <E1LqpAl-0000em-7S@wintermute01.cs.auckland.ac.nz>
Sender: pgut001 <pgut001@cs.auckland.ac.nz>
Date: Tue, 07 Apr 2009 01:47:35 +1200
Cc: art.barstow@nokia.com, Frederick.Hirsch@nokia.com, saag@ietf.org
Subject: Re: [saag] Fwd: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2009 13:46:41 -0000

Ben Laurie <benl@google.com> writes:

>I find it pretty annoying that signing widgets is described as a "trust and
>quality assurance mechanism".

It's a valid comment though.  A large-scale study (from Microsoft's malware
research group) has shown that the majority of CA-certified signed malware is
in the "severe" or "high-risk" category.  So seeing a signature on malware
provides a high level of trust that this is the high-quality stuff you're
seeing and not some cheap knockoff.

Peter.