From: “L. Todd Masco” <cactus@bb.com>
To: Brad Huntting <cypherpunks@toad.com
Message Hash: 802ec20fce840a9015e30bed0b72179aac90507da9045ae7db2d66480cfd6994
Message ID: <199408292319.TAA09586@bb.com>
Reply To: <199408292212.SAA08717@bb.com>
UTC Datetime: 1994-08-29 23:14:47 UTC
Raw Date: Mon, 29 Aug 94 16:14:47 PDT
Subject: Re: Announcing Bellcore's Trusted Software Integrity (Betsi) System

Brad Huntting writes:
> Many Mac viruses that I've seen come straight from Microsoft neatly
> sealed in plastic on brand new disks. If they signed them it would
> not increase my confidence one iota.

How would getting Betsi to sign them increase your confidence? Betsi
doesn't seem to claim to do any testing of the software, they just
verify that it was really Bill Gates' company (in this example) that
shipped the Microsoft product. BFD -- they can buy their own ViaCrypt
PGP.

I think people are missing my point: that having a third party sign
your software without any testing (Betsi is free, after all) adds
*nothing* except for a human-to-name mapping, and increases the
risk of the signature being compromised.

Now, there probably is a market for somebody who tests the software
first and then certifies it -- in fact, that will probably be a big
business in the future, one I can easily see someone like Cygnus getting
into. But that's not what Betsi claims to do, and I certainly don't
want to contemplate the legal issues (do you get your ass sued off when
you're wrong? Almost certainly) involved with anybody trying to do that.
--
L. Todd Masco | "Which part of 'shall not be infringed' didn't
cactus@bb.com | you understand?"