On Jul 17, 2008, at 1:41 PM, Nathan Herring wrote:
You, as an employee of ExampleCorp, code sign v1 of ExampleApp with
your code signing intermediate certificate authority that's in turn
ultimately signed by a standard Apple-trusted root. You release
ExampleApp into the wild.
Later, security experts show that ExampleApp v1 has a security flaw.
You fix the flaw in ExampleApp v1.0.1, code sign it, and release it
into the wild.
Now, unless you have a fancy software update mechanism associated
with ExampleApp and the fancy software update mechanism has not been
turned off by the consumers of ExampleApp, or all of your consumers
read their security bulletins from you quickly, [the consumers of
your app, who may then take issue with] you have a problem. They may
still be running v1 and thus be vulnerable.
You _could_ revoke the certificate associated with v1, so that
unless the users also frustrated CRL/OCSP operation, Mac OS X would
not trust the code signing certificate.
Nathan,
This is not the problem code signing is meant to solve. Code signing
will only answer the question "Have these bits been modified since
being signed?" Or more conceptually, code signing assigns a
verifiable, provable identity to a piece of code. That's it.
Users should *never* correlate trust of a signature with known
security vulnerabilities. And you, as a developer, should not
encourage such an expectation, since it raises a bunch of problems
(which you enumerate in your e-mail), has nothing to do with the
identity of the code and imbues a false sense of security.
You should not revoke a certificate for reasons unrelated to the
security of the certificate itself or the identity of your
organization. If the certificate has not been compromised or you're
not changing CAs or something along those lines, there's no reason to
revoke the certificate.
Your issue is best addressed by a software update mechanism like
Sparkle or a custom-rolled one (it's not that hard to do).
--
Damien Sorresso
Mac OS X Update Integration
Apple Inc.
email@hidden
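The distinction Damien draws (a valid signature says only that the bits are unmodified and came from the expected signer; whether a version is vulnerable is the update mechanism's business) is easy to show in code. The following is an added example written for this page, not code from the original thread, from Apple, or from Sparkle. It stands in for both the signer and the updater: two releases of ExampleApp are signed with one Ed25519 key, both verify, and a separate advisory/version check decides that 1.0 needs replacing. The key seed, the release payloads and the advisory are all constructed for the demonstration; Ed25519 is used in place of the X.509/CMS signatures real code signing uses.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strconv"
	"strings"
)

// Constructed, fixed seed so the example is deterministic. A real signing key
// lives in a keychain or HSM, never in source.
var seed = []byte("examplecorp-demo-seed-not-a-secret")[:ed25519.SeedSize]
var privKey = ed25519.NewKeyFromSeed(seed)
var pubKey = privKey.Public().(ed25519.PublicKey)

// Release is a signed build: the version string is bound into the signed
// message so a valid signature cannot be moved onto a different version.
type Release struct {
	Version string
	Payload []byte // stand-in for the application bundle bits
	Sig     []byte
}

// Advisory is what a security bulletin carries: the first version with the fix.
// Constructed for this example.
type Advisory struct{ FixedIn string }

var advisory = Advisory{FixedIn: "1.0.1"}

func signedMessage(version string, payload []byte) []byte {
	return append([]byte(version+"\n"), payload...)
}

func signRelease(priv ed25519.PrivateKey, version string, payload []byte) Release {
	return Release{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyRelease answers exactly one question: were these bits signed by the
// holder of pubKey and left unmodified since? It says nothing about bugs.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, signedMessage(r.Version, r.Payload), r.Sig)
}

// CompareVersions orders dotted numeric versions; missing components count as 0.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// IsVulnerable is the advisory check: a policy decision, independent of signatures.
func IsVulnerable(installed string, adv Advisory) bool {
	return CompareVersions(installed, adv.FixedIn) < 0
}

// ShouldInstall is the updater's rule: never install bits that do not verify,
// and never install anything that is not newer than what is already there.
func ShouldInstall(pub ed25519.PublicKey, installed string, candidate Release) (bool, string) {
	if !VerifyRelease(pub, candidate) {
		return false, "signature invalid: modified or not from the expected signer"
	}
	if CompareVersions(candidate.Version, installed) <= 0 {
		return false, "not newer than installed version"
	}
	return true, "signed by expected key and newer than installed"
}

func main() {
	v1 := signRelease(privKey, "1.0", []byte("ExampleApp 1.0 bits"))
	v101 := signRelease(privKey, "1.0.1", []byte("ExampleApp 1.0.1 bits"))
	fmt.Println("1.0 signature valid:   ", VerifyRelease(pubKey, v1))
	fmt.Println("1.0.1 signature valid: ", VerifyRelease(pubKey, v101))
	fmt.Println("1.0 vulnerable:        ", IsVulnerable(v1.Version, advisory))
	ok, why := ShouldInstall(pubKey, v1.Version, v101)
	fmt.Println("install 1.0.1 over 1.0:", ok, "-", why)
	tampered := v101
	tampered.Payload = append([]byte(nil), v101.Payload...)
	tampered.Payload[0] ^= 0xff
	ok, why = ShouldInstall(pubKey, v1.Version, tampered)
	fmt.Println("install tampered 1.0.1:", ok, "-", why)
}
```

Note that v1.0's signature stays valid after the advisory is published, which is the point: the signing key was not compromised and the identity of the publisher has not changed, so there is nothing for revocation to say. Getting users off 1.0 is the job of the check in ShouldInstall and whatever delivers the new release to them.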
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)