1997-02-24 - Re: It is time to break Authenticode

Header Data

From: jim bell <jimbell@pacifier.com>
To: cypherpunks@toad.com
Message Hash: 9a1329f400c6f1bc76cbe95e0c60c0aef5e78f58b8932466de49b9e057c070c9
Message ID: <199702240222.SAA13104@mail.pacifier.com>
Reply To: N/A
UTC Datetime: 1997-02-24 02:23:12 UTC
Raw Date: Sun, 23 Feb 1997 18:23:12 -0800 (PST)

Raw message

From: jim bell <jimbell@pacifier.com>
Date: Sun, 23 Feb 1997 18:23:12 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: It is time to break Authenticode
Message-ID: <199702240222.SAA13104@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 08:09 PM 2/23/97 -0500, lucifer Anonymous Remailer wrote:
>Microsoft's recent arrogant and irresponsible reply to the Chaos
>Computer Club hack on ActiveX requires response. An effective response
>would be to steal the key of a major code signer and produce a signed,
>malicious ActiveX control. Such an attack would demonstrate the
>serious problems of Microsoft's security philosophy.
>
[trim]
>
>The best avenue of attack is stealing the secret key of a respected
>code signer. The target should be one of the major players, if not
>Microsoft itself. Someone is sloppy to store their secret key on a
>machine hooked to the Internet. Stealing it would be a very nice
>challenge. It should be doable.

I can think of an easier way. If the goal is simply to demonstrate that the
system can be broken, how about offering a not-insignificant amount of money
to an anonymous person who manages to successfully get code signed? No
exposure is necessary, just the signature done once.



Jim Bell
jimbell@pacifier.com




