[cryptography] How are expired code-signing certs revoked?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Dec 11 02:58:58 EST 2011


Jon Callas <jon at callas.org> writes:

>If someone actually built such a combination of OS and marketplace, it would
>work for the users very well, but developers would squawk about it. Properly
>done, it could drop malware rates to close to nil.

Oh, developers would do more than squawk about it.  Both Java and .NET
actually support the capability-based security that you mentioned, but it's so
painful to use that it's either turned off by default (.NET's 'trust
level="Full"') or was turned off after massive developer backlash (Java).
Even the very minimal capabilities used by Android are failing because of the
dancing bunnies and confused deputy problems, and because developers request
as close to any/any as they can get just in case (exacerbating the confused
deputy problem).

(One of the nice things about Android is that it's fairly easy to decompile
and analyse the code, so there have been all sorts of papers published on its
capability-based security mechanisms using this technique.  It's serving as a
nice real-world empirical evaluation of failure modes of capability-based
security systems.  I'm sure someone could get a good thesis out of it at some
point).

>Properly done, it could drop malware rates to close to nil.

Objection, tautology: Properly done, any (malware-related) security measure
would drop malware rates close to nil.  The problem is doing it properly...

Peter.
