Subject: Policy-Discussion
- From: Iang <iang AT iang.org>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Photo ID required for Code Signing Maybe OA should as well
- Date: Thu, 06 Dec 2007 12:17:38 +0100
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Philipp Gühring wrote:
Hi,
Perhaps some more input on this topic:
http://www.schneier.com/essay-092.html
http://www.schneier.com/blog/archives/2005/10/liabilities_and.html
It seems that Schmidt will get his test case then. Do people think that code-signing certificate holders should be responsible for insecure code?
If so, it would be easier to state that up front, perhaps in the policy for code-signing assurance.
Either way, code-signers will be liable for claims in front of the Arbitrator, so even if the Arbitrator doesn't rule them liable, the risk is still there that he could.
Which would lead to the next article:
http://www.schneier.com/blog/archives/2007/04/a_security_mark.html
Which makes the interesting claim that companies know how to do security. If a market for lemons, CAcert should be able to then define security and impose it on signed-code cert holders. This is what is being intimated by Schneier, and to back this up, note that Nokia do code reviews...
Also, note that Schneier says that security is an economic problem not a technology problem. Interesting challenge to free certs...
So what does CAcert do?
iang
PS: I argue elsewhere that security isn't a market for lemons, and companies don't know how to do security.
https://www.financialcryptography.com/mt/archives/000759.html