[cryptography] How are expired code-signing certs revoked?

Jon Callas jon at callas.org
Sun Dec 11 18:12:12 EST 2011


On 10 Dec, 2011, at 11:58 PM, Peter Gutmann wrote:

> Jon Callas <jon at callas.org> writes:
> 
>> If someone actually built such combination of OS and marketplace, it would
>> work for the users very well, but developers would squawk about it. Properly
>> done, it could drop malware rates to close to nil.
> 
> Oh, developers would do more than squawk about it.  Both Java and .NET
> actually support the capability-based security that you mentioned, but it's so
> painful to use that it's either turned off by default (.NET's 'trust
> level="Full"') or was turned off after massive developer backlash (Java).
> Even the very minimal capabilities used by Android are failing because of the
> dancing bunnies and confused deputy problems, and because developers request
> as close to any/any as they can get just in case (exacerbating the confused
> deputy problem).
> 
> (One of the nice things about Android is that it's fairly easy to decompile
> and analyse the code, so there have been all sorts of papers published on its
> capability-based security mechanisms using this technique.  It's serving as a
> nice real-world empirical evaluation of failure modes of capability-based
> security systems.  I'm sure someone could get a good thesis out of it at some
> point).
> 
>> Properly done, it could drop malware rates to close to nil.
> 
> Objection, tautology: Properly done, any (malware-related) security measure
> would drop malware rates close to nil.  The problem is doing it properly...
> 

Yes, doing it properly is the key and I'll assert that Apple is doing a pretty good approximation of it. They are doing more or less what I described -- good coding enforcement backed up with digital signatures. There are plenty of people squawking about it. I know developers who've thrown up their hands and there is plenty of grumpiness I've heard. Some of it reasonable grumpiness, too.

But the end result for the users is that the malware rate is close to zero. The system is by no means perfect, and has side-effects. But the times when something slipped through the net are so few that they're notable still. (And some of the malware has been kinda charming, like the flashlight app that had a hidden SOCKS proxy that let people use it for tethering.) More importantly, the system does not throw things at the users that they're incapable of handling, like the Android way of just informing you what capabilities an app needs. People can and do just hand devices to their kids and let them use them with no ill effects.

	Jon
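
The two Android failure modes the quoted reply points at (developers requesting "as close to any/any as they can get", and the confused deputy that results when a privileged app exposes a component any other app can drive) are both visible from the manifest, which is what the decompile-and-analyse papers mentioned above look at. The script below is an added example, not code from this thread or from any of those papers: it parses an AndroidManifest.xml and reports dangerous permissions the app requests beyond the set it plausibly needs, plus exported components that no permission protects. The manifest, package name and component names are constructed for the illustration, and the DANGEROUS set is a hand-picked subset of the real platform list, which is longer and changes between releases.

```python
"""Flag two Android permission anti-patterns in a manifest (added example).

1. Over-requested permissions: dangerous permissions the app asks for that are
   not in the set the reviewer expects for its stated purpose.
2. Confused-deputy surface: components exported to every other app with no
   android:permission gate, so an unprivileged caller can have this app
   exercise its own permissions on the caller's behalf.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Namespaced attribute key for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Assumption: hand-picked subset of Android's "dangerous" permissions.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample: a "flashlight" app that asks for far more than a
# flashlight needs and exports a service with no permission gate.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application>
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SmsRelayService" android:exported="true"/>
        <receiver android:name=".LocationReceiver" android:exported="true"
                  android:permission="com.example.flashlight.INTERNAL"/>
        <service android:name=".ProxyService" android:exported="false"/>
    </application>
</manifest>
"""


def requested_permissions(root):
    return [e.get(a("name")) for e in root.iter("uses-permission")]


def is_launcher(comp):
    """The app's own launcher activity is expected to be open to the world."""
    for f in comp.findall("intent-filter"):
        for cat in f.findall("category"):
            if cat.get(a("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def unprotected_exported_components(root):
    """Components any other app can target that carry no permission gate."""
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(a("exported"))
            has_filter = comp.find("intent-filter") is not None
            # Pre-Android-12 default: a component with an intent-filter is
            # exported unless android:exported="false" is set explicitly.
            is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and not is_launcher(comp) and comp.get(a("permission")) is None:
                found.append((tag, comp.get(a("name"))))
    return found


def analyze(manifest_xml, expected=frozenset()):
    """Return the findings for one manifest; `expected` is the reviewer's
    allow-list of dangerous permissions this app legitimately needs."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    return {
        "package": root.get("package"),
        "requested": perms,
        "dangerous": dangerous,
        "excess_dangerous": sorted(p for p in dangerous if p not in expected),
        "unprotected_exported": unprotected_exported_components(root),
    }


if __name__ == "__main__":
    # A flashlight plausibly needs CAMERA (for the flash LED) and nothing else
    # from the dangerous set.
    report = analyze(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    for key, value in report.items():
        print("%-22s %s" % (key + ":", value))
```

The launcher activity is skipped on purpose: it has to be reachable, and flagging it would be the kind of noise that gets a tool ignored. Everything else the report lists is either a permission the reviewer did not expect or a component the app has opened to every other package without asking the caller for anything.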