Yes, but quis custodiet ipsos custodes?

With the driver's license, the police officer can usually easily see if you've been behaving like someone who found their license in a packet of chips or not.

Does the certificate issuer perform any kind of due diligence to determine if the certificate should be given to this program?

Racket protection's determining characteristic is that the outfit couldn't care less what you do as long as you pay your dues and don't cross them. And if you don't, it doesn't matter how upright a citizen you are or how paranoid about safety you are, your shop will burn.

The code-signing certificate says nothing about whether the program is worthy. The code-signing certificate authenticates the publisher. That's how it's supposed to be used. The due diligence for code security is up to the publisher, because they're staking their reputation by certifying it.

The certificate authorities are separately run, by the way. I don't know how you could say Microsoft has a protection racket when they accept certificates from disparate authorities.

Code-signing certificates enable users to discern reputation. A certificate confers a reputation and not holding a certificate means an unknown reputation.

If I drive a car without a license, I can probably drive that car for years as long as I'm obeying laws and not causing trouble. A police officer who pulls me over may perhaps not ask for a license after all, but he doesn't know my reputation of obeying traffic laws; he's got to check my privilege. A driver's license in my jurisdiction carries reputation beyond just the driving privilege: infractions will rack up points.
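The point made in the comment above, that a code-signing certificate binds a publisher identity and nothing else, can be seen directly in what Windows reports for a signed binary. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes only the built-in `Get-AuthenticodeSignature` cmdlet and a directory path you supply (the default below is a placeholder). It lists, per file, whether the signature verifies and which subject and issuer the certificate chain attests, which is exactly the reputation signal being discussed: a known publisher, an unknown one, or no publisher at all.

```powershell
# Added example (not from the thread): inventory what an Authenticode signature
# actually attests for each executable under a directory.
# A Status of Valid means "signed by the holder of this certificate and unmodified
# since"; it says nothing about whether the program is safe or well-behaved.
# Assumption: $Path is a directory of binaries you want to review (placeholder default).
param(
    [string]$Path = "C:\Program Files\ExampleVendor"
)

function Get-PublisherInventory {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate   # $null when the file is not signed
            [PSCustomObject]@{
                File       = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status     = $sig.Status
                # Publisher identity the certificate binds (the "reputation" holder)
                Signer     = if ($cert) { $cert.Subject } else { $null }
                # Which separately run CA vouched for that identity
                Issuer     = if ($cert) { $cert.Issuer } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            }
        }
}

# Unsigned or tampered files surface first; valid ones are grouped by publisher.
Get-PublisherInventory -Root $Path |
    Sort-Object Status, Signer |
    Format-Table -AutoSize
```

For review purposes the useful columns are Status and Signer together: a HashMismatch on a file that once verified means the bytes changed after signing, while a Valid signature from a subject you do not recognise is the "unknown reputation" case the comment describes, not a clean bill of health.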