coapp-developers team mailing list archive

Thread
Date

Re: Codesigning for the masses.

To: Mark Stone <mark.stone@xxxxxxxxx>
From: "William A. Rowe Jr." <wmrowe@xxxxxxxxx>
Date: Wed, 04 Jan 2012 15:47:35 -0600
Cc: "coapp-developers@xxxxxxxxxxxxxxxxxxx" <coapp-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAPD-qM1=b3xOAMw=+4=0RTwLcADk-NSmJ2CaYj9wzSHhOsXE-A@mail.gmail.com>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0

On 1/4/2012 1:31 PM, Mark Stone wrote:
> 
> I guess my first question would be: "If this is such a great idea, why isn't it already
> being done elsewhere?". 

It is... that's precisely what most packagers do, they ship out their
pgp keys and have the user add this to their web of trust in order to
accept packages for the new version / validated by the new pgp key.

On windows, it isn't... I think nobody's had the balls to replace the
root chain.  I half expect a long rant from Gibson explaining how CoApp
seeks to eliminate all the security from the internet :-P

Brilliant Garrett, as the 'umbrella' of a distinct 'environment', it
seems entirely sensible to inject a root key and treat this a WoT.  If
we have the capacity, it would be helpful to inject the OCSP authority
and set up an OCSP responder.

Of course code signing and revocation all mean nothing with system
services at startup time, prior to having a useful network stack.

Follow ups

Re: Codesigning for the masses.
From: Garrett Serack, 2012-01-04

References

Codesigning for the masses.
From: Garrett Serack, 2012-01-04
Re: Codesigning for the masses.
From: Mark Stone, 2012-01-04