Code Signing Can Be Trusted (but not blindly)
Posted by Craig H on 8 April 2009
Ben Laurie, who certainly knows security, and is a top bloke for the work he has done on FreeBMD, posted yesterday on why signatures don’t provide assurance of trustworthiness or quality.
I have to respectfully disagree on this. The context is the W3C widget signing specification, and the wording in that spec that is at issue is:
Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.
If third-party CAs issue code signing certificates to widget authors, and the device trusts the widget authors’ signatures, then I agree it won’t assure either trustworthiness or quality. I think that’s the model Ben is criticising (as in Microsoft Authenticode) and I agree with him so far as that goes. There is, however, an alternative model which is the one that Symbian Signed has been successfully using for the past several years: the device doesn’t trust the developer’s signature, but the developer submits their signed application to a certification programme, which enforces acceptance criteria before re-signing the application with a different signature that is trusted by the device.
You can of course argue with the specific acceptance criteria, but surely this model can theoretically provide assurance of trustworthiness or quality, and the W3C widget signing spec can be used with that sort of signing scheme.
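The two-tier model described above, reduced to its signature mechanics, as an added example that is not code from the original post or from Symbian Signed or the W3C. It assumes Ed25519 keys and a hypothetical acceptanceCriteria check (rejecting a constructed manifest that asks for allow-all permissions) standing in for whatever rules a certification programme actually enforces. The point it makes concrete is the one in the text: the device holds only the programme's public key, so a package carrying just the developer's signature is refused, and only what the programme has accepted and re-signed is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// SignedWidget is a widget package together with one signature over its bytes.
// Which key made the signature is what decides whether a device should trust it.
type SignedWidget struct {
	Package   []byte
	Signature []byte
}

// DeveloperSign is the first tier: the author signs the package with their own key.
// This proves who submitted the package; it says nothing about trustworthiness.
func DeveloperSign(devPriv ed25519.PrivateKey, pkg []byte) SignedWidget {
	return SignedWidget{Package: pkg, Signature: ed25519.Sign(devPriv, pkg)}
}

// acceptanceCriteria is a hypothetical stand-in for a certification programme's
// checks. Here it rejects a package whose (constructed) manifest asks for every
// permission; a real programme would apply its own, far larger, rule set.
func acceptanceCriteria(pkg []byte) error {
	if strings.Contains(string(pkg), "permissions=allow-all") {
		return errors.New("manifest requests allow-all permissions")
	}
	return nil
}

// CertifyAndResign is the second tier. The programme verifies the developer's
// signature so it knows whose submission it is judging, applies its acceptance
// criteria, and only then re-signs the package with the programme key.
func CertifyAndResign(progPriv ed25519.PrivateKey, devPub ed25519.PublicKey, sw SignedWidget) (SignedWidget, error) {
	if !ed25519.Verify(devPub, sw.Package, sw.Signature) {
		return SignedWidget{}, errors.New("developer signature does not verify")
	}
	if err := acceptanceCriteria(sw.Package); err != nil {
		return SignedWidget{}, fmt.Errorf("rejected by certification programme: %w", err)
	}
	return SignedWidget{Package: sw.Package, Signature: ed25519.Sign(progPriv, sw.Package)}, nil
}

// DeviceAccepts models the device: it holds only the programme's public key, so
// a package carrying just the developer's signature is refused.
func DeviceAccepts(trusted ed25519.PublicKey, sw SignedWidget) bool {
	return ed25519.Verify(trusted, sw.Package, sw.Signature)
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	progPub, progPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample manifest; not a real widget package.
	pkg := []byte("name=clock\npermissions=geolocation\n")

	submitted := DeveloperSign(devPriv, pkg)
	fmt.Println("device accepts developer-signed package:", DeviceAccepts(progPub, submitted)) // false

	certified, err := CertifyAndResign(progPriv, devPub, submitted)
	if err != nil {
		fmt.Println("certification failed:", err)
		return
	}
	fmt.Println("device accepts programme-signed package:", DeviceAccepts(progPub, certified)) // true

	greedy := DeveloperSign(devPriv, []byte("name=clock\npermissions=allow-all\n"))
	_, err = CertifyAndResign(progPriv, devPub, greedy)
	fmt.Println("greedy package certified:", err == nil) // false
}
```

Note that the developer's signature is still verified by the programme, not discarded: it binds the submission to an identity the programme can hold to account, which is the one thing a developer signature does provide. The assurance a device gets comes solely from the programme's signature and therefore from the criteria behind it, which is why the argument over those criteria is the right one to have.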