- From: John Lyle <john.lyle@cs.ox.ac.uk>
- Date: Thu, 03 Jan 2013 11:50:21 +0000
- To: public-sysapps@w3.org
On 03/01/13 10:55, Janusz Majnert wrote:
>
>> If the device owner allows applications that are *not* from a known
>> authority (the second clause in this paragraph) then applications should
>> still be signed. This allows for subsequent identification of authentic
>> updates. I can't see a particularly good reason to allow unsigned apps,
>> although I would be interested in any use cases that made a good case
>> for it. I realise that I did not include threats related to application
>> update in the threat model, I'll fix that.
>
> From a security/authenticity standpoint, I don't think there is much
> difference between applications signed using an untrusted chain and
> those not signed at all.

I disagree. Unknown or self-signed certificates allow for re-authentication. Although the original signature might use a key with an unknown certificate, subsequent signatures using the same key can be compared to the first. This allows a runtime environment to verify that an update to an application came from the same author, even if the author's certificates are not from a known entity. I agree that they have no more value for the initial installation of the application than a hash.

>
>> The alternative is to insist on known distributors and rely upon the
>> security of the distribution mechanism rather than the integrity and
>> authenticity of the individual application package. There are advantages
>> and disadvantages to both approaches, but using signed application
>> packages allows for several different distribution systems.
>
> As for relying on a known distributor list, I think that this is
> actually not an alternative, but rather a necessary condition for
> knowing which applications are to be trusted and which not.

I think I might have been creating unnecessary confusion here. What I meant was: if you can ensure that all apps on your system were downloaded only from known app stores using secure connections, you could argue that the apps themselves don't need to be signed, because the transport mechanism guarantees their integrity and authenticity. I'm not arguing that, though. With a widget-like signature scheme you can obtain an application from anywhere - a completely unauthenticated source - and rely on the signatures included in the package to guarantee that the application came from a known authority.

>
> In other words, to know which applications are not from a known
> authority, you already need some sort of list of those authorities
> that you know.

Yes, of course. My point was that you can enforce this either when you download the application, or when you inspect the application package itself.

>
> As for relying on the security of the distribution mechanism, you
> wrote earlier that the aim was to allow for Android style signing.
> Correct me if I'm wrong, but I think Android relies heavily on their
> app store solution.

Yes. But by "security of the distribution mechanism" I really meant "how apps are downloaded" rather than how they are discovered, updated, and so on.

I hope that makes more sense.

Best wishes,

John
Received on Thursday, 3 January 2013 11:50:42 UTC
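The re-authentication argument in the message above (a self-signed key has no authority value at first install, but a runtime can remember it and require later updates to be signed by the same key) can be shown as a small key-continuity check. The code below is an added example written for this archive page; it is not code from the thread, from the SysApps work, or from any widget or Android implementation. It assumes Ed25519 signatures from Go's standard library and a constructed `Package` type that carries the raw signer key instead of a certificate; the application ID and version values are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for a signed application package. A real
// package would carry the signer's public key inside a (possibly self-signed)
// certificate; here the raw key is carried directly.
type Package struct {
	ID        string
	Version   uint32
	Content   []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Sentinel errors returned by Runtime.Install.
var (
	ErrBadSignature = errors.New("package signature does not verify under the carried key")
	ErrKeyMismatch  = errors.New("update signed by a different key than the installed version")
	ErrDowngrade    = errors.New("update version is not newer than the installed version")
)

// signedBytes binds the application ID and version into the signed data, so a
// valid signature over one package cannot be replayed onto another ID or an
// older version of the same application.
func signedBytes(id string, version uint32, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte(id))
	h.Write([]byte{0}) // separator so ID and content cannot run together
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(content)
	return h.Sum(nil)
}

// Fingerprint is what the runtime remembers per application: a hash of the
// signer's public key, independent of any certificate chain.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// SignPackage is the author side: it signs a package with the author's key.
func SignPackage(priv ed25519.PrivateKey, id string, version uint32, content []byte) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{
		ID: id, Version: version, Content: content,
		SignerKey: pub,
		Signature: ed25519.Sign(priv, signedBytes(id, version, content)),
	}
}

type installedApp struct {
	version     uint32
	fingerprint string
}

// Runtime models the device side. It knows no certificate authority; it only
// remembers which key first signed each installed application.
type Runtime struct {
	apps map[string]installedApp
}

func NewRuntime() *Runtime { return &Runtime{apps: map[string]installedApp{}} }

// Install accepts a first install under any key (trust on first use) and then
// requires every update to verify under that same key and to carry a newer version.
func (r *Runtime) Install(p Package) error {
	if len(p.SignerKey) != ed25519.PublicKeySize || // Verify panics on a bad key length
		!ed25519.Verify(p.SignerKey, signedBytes(p.ID, p.Version, p.Content), p.Signature) {
		return ErrBadSignature
	}
	fp := Fingerprint(p.SignerKey)
	if cur, known := r.apps[p.ID]; known {
		if cur.fingerprint != fp {
			return ErrKeyMismatch
		}
		if p.Version <= cur.version {
			return ErrDowngrade
		}
	}
	r.apps[p.ID] = installedApp{version: p.Version, fingerprint: fp}
	return nil
}

// InstalledVersion reports the installed version of an application (0 if none).
func (r *Runtime) InstalledVersion(id string) uint32 { return r.apps[id].version }

func main() {
	_, author, _ := ed25519.GenerateKey(rand.Reader) // constructed author key
	_, other, _ := ed25519.GenerateKey(rand.Reader)  // constructed unrelated key
	rt := NewRuntime()
	fmt.Println(rt.Install(SignPackage(author, "org.example.notes", 1, []byte("v1")))) // <nil>
	fmt.Println(rt.Install(SignPackage(author, "org.example.notes", 2, []byte("v2")))) // <nil>
	fmt.Println(rt.Install(SignPackage(other, "org.example.notes", 3, []byte("v3"))))  // key mismatch
	fmt.Println(rt.Install(SignPackage(author, "org.example.notes", 1, []byte("v1")))) // downgrade
}
```

The first install succeeds under any key, which is the point conceded in the message: at that moment the signature is worth no more than a hash. Every later install of the same ID must verify under a key with the same fingerprint, so an update from another party is refused even though neither key chains to a known authority. Binding the ID and version into the signed bytes is what stops a genuine old package being presented as an update.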