Policy-Discussion

[Jac Kersing <j.kersing AT the-box.com>]

On Sat, 24 Nov 2007, Philipp [utf-8] G??hring wrote:

> Then you haven??t seen Nokia yet. As far as I know, Nokia has a requirement
> for external code-audits to get the software for their platform signed.
> And I think they are using external companies to do the audits, and also
> external CA??s to issue the certificates, but I don??t remember who actually
> does the signature then.

Nokia specificaly acts as a code clearing house. To have code signed for 
symbian devices you request a testing house to test it and if it passes 
all tests they will sign it. The developer applying for 'symbian signed' 
approval for an application does not sign the code, the testing house 
does. I don't think Nokia can be considered a full CA...

> The same thing with some kinds of Windows-Drivers. Microsoft reviews and 
> tests them and signs them.

Yes, Microsoft signs, not the developer.

> So I would say that we have the general code-signing market where identity,
> deterrance and trustworthyness (hmm, the more I think about it, the more I
> have the feeling that "trust" is actually the word/thing we need for
> code-signing additionally to identity) counts.

Agreed.

> But I see the problem that those platform markets are quite costly, and 
> that some platform owners might want to switch to CAcert code-signing, 
> if they feel that CAcert provides the necessary level of identity+trust 
> for their platform, (and they find technical means to ensure the 
> security and safety of their platform, that don??t need code-signing)

The cost for those markets are not the certificates. The cost is in the 
testing of the applications. (And audits)

Regards,

Jac

---
 Jac Kersing            Technical Consultant   The-Box Development
 
j.kersing AT the-box.com
     CISSP   RHCE        http://www.the-box.com