A mighty fortress is our PKI, Part II
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Aug 5 01:37:54 EDT 2010
David-Sarah Hopwood <david-sarah at jacaranda.org> writes:
>Huh? I don't understand the argument being made here.
It's a bogus argument, the text says:
  He took a legitimate software package and removed the signature of the
  digital certificate it contained, then installed the package on his
  computer. The Installer application didn't indicate that the certificate had
  been modified.
The certificate wasn't modified, they just stripped the signature from the
executable.
  "Only an expert will be able to detect a problem," Schouwenberg said. "And
  all Microsoft will tell you is that the file is not signed."
And what else should Windows say? "We put this through our time machine and
noticed that at some time in the past it was signed and now it isn't"?
The rest of the story isn't much better:
  The Stuxnet worm, which surfaced last month, used fake Verisign digital
  certificates
No, they were genuine certs, just in the wrong hands.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List