[sldev] OpenID & SSL certificates
dirk husemann
hud at zurich.ibm.com
Tue Oct 2 22:25:20 PDT 2007
Argent Stonecutter wrote:
> On 01-Oct-2007, at 22:05, Ryan McDougall wrote:
> [...]
>> Only if you care if your users get told that they may be running an
>> unknown viewer.
>
> OK, let me get this straight.
>
> If my viewer is legitimate but I haven't got a certificate, the LL
> server will send the viewer a message to tell the user that the viewer
> may not be legitimate, which being legitimate, I'll pass on to them.
>
> If my viewer is crocked, the LL server will still send the viewer a
> message, but the crocked viewer will hide it, and thus it will appear
> more legitimate than the legitimate viewer that hasn't jumped through
> the certificate hoops.
to be fair, LL could send that message via email; that is, out-of-band.
how much good that would do is another issue...
[...]
>> All the linux distros' package security currently works like this.
>
> Ah, that's right, Linux does have half a dozen crack-brained packaging
> schemes that involve trusting third-party repositories, harking back
> to the days when Linus was using well-known FTP servers like BBSes
> instead of running his own site, and because Linux doesn't actually
> have a core OS... it's thousands of packages flying in close
> formation. That doesn't apply here, because that's not how software
> gets distributed outside the Linux world.
>
> Unless Linden Labs does the signing, this wouldn't provide any more
> assurance for Joe's Viewer than the fact that it was downloaded from
> the website where joe published his public key.
again, to be fair: with well-known keys that does work. you are right
that the mechanism alone is no guarantee at all --- also, with the linux
distros the signature does not guarantee that the code is bona fide
(i.e., not doing anything on the shady side of things), it just
guarantees that the package has not been tampered with since it left the
hands of the signer... it could carry the guarantee semantics but nobody
in their right mind is going to do that...
the real question is: does LL want to become involved in vetting viewer
code? if i were LL i'd rather spend my resources on more promising and
profitable things.
code signing is nice to guarantee integrity, but that's about it, i'd claim.
cheers
dirk
--
dr dirk husemann, pervasive computing, ibm zurich research lab
--- hud at zurich.ibm.com --- +41 44 724 8573 --- SL: dr scofield
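Worked illustration of the point in Dirk's reply (added here; this is example code, not anything from the original thread, from Linden Lab, or from any Linux distribution's packaging tools). It uses Go's standard-library Ed25519 to sign a constructed "viewer package" and then checks four cases a verifier would meet: the untouched package, a package modified after signing, a package whose contents are shady but which the same signer signed, and a package signed by a key the verifier does not trust. The package layout, the `message()` framing, and all names and payloads are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is a constructed stand-in for a distributed artifact: a name,
// the bytes being shipped, and a detached signature over both.
type Package struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// message binds the package name to its payload so a signature cannot be
// transplanted from one package onto another (assumed framing, not a standard).
func message(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}

// signPackage is what the publisher does with its private key.
func signPackage(priv ed25519.PrivateKey, name string, payload []byte) Package {
	return Package{Name: name, Payload: payload, Sig: ed25519.Sign(priv, message(name, payload))}
}

// verifyPackage is what the installer does. It answers exactly one question:
// was this name+payload signed by the holder of the key I already trust?
func verifyPackage(trusted ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(trusted, message(p.Name, p.Payload), p.Sig)
}

// Outcome records whether verification passed in each scenario.
type Outcome struct {
	Genuine         bool // unmodified package, trusted signer
	Tampered        bool // one byte flipped after signing
	Malicious       bool // shady payload, but signed by the trusted signer
	UntrustedSigner bool // valid signature, but from a key the verifier does not trust
}

// RunScenarios builds the four cases with fresh keys and returns the verdicts.
func RunScenarios() (Outcome, error) {
	joePub, joePriv, err := ed25519.GenerateKey(rand.Reader) // Joe's well-known key (constructed)
	if err != nil {
		return Outcome{}, err
	}
	_, mallPriv, err := ed25519.GenerateKey(rand.Reader) // a key nobody has agreed to trust
	if err != nil {
		return Outcome{}, err
	}

	// Constructed payloads; the "shady" one stands in for code that does
	// something the user would not want, yet is signed by the same publisher.
	honest := []byte("viewer v1.0: renders the grid")
	shady := []byte("viewer v1.0: renders the grid AND uploads your login token")

	genuine := signPackage(joePriv, "joes-viewer", honest)

	// Tamper with the bytes after signing: verification must fail.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01

	// Shady contents, signed by Joe's real key: verification passes. The
	// signature says "untampered since Joe signed it", not "Joe's code is benign".
	malicious := signPackage(joePriv, "joes-viewer", shady)

	// Honest contents, but signed by a key the verifier does not trust: fails.
	// Trust in the key, not the mechanism, is what the check actually rests on.
	impostor := signPackage(mallPriv, "joes-viewer", honest)

	return Outcome{
		Genuine:         verifyPackage(joePub, genuine),
		Tampered:        verifyPackage(joePub, tampered),
		Malicious:       verifyPackage(joePub, malicious),
		UntrustedSigner: verifyPackage(joePub, impostor),
	}, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v malicious=%v untrusted-signer=%v\n",
		o.Genuine, o.Tampered, o.Malicious, o.UntrustedSigner)
}
```

The two cases that pass (genuine and malicious) and the two that fail (tampered and untrusted signer) are exactly the guarantee Dirk describes: integrity and origin relative to a key you already trust, and nothing about whether the signed code is bona fide. Vetting what is inside the payload is a separate job that the signature cannot do.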