|
Posted by =?Utf-8?B?Sko=?= on November 8, 2007, 6:08 pm
If you were Registered and logged in, you could reply and use other advanced thread options
you, Microsoft, as you've made clear, is protecting the interest of those who
author all of a sudden?
You just don't want to introduce technologies that would really make a
difference in security. Your products are reactive to what the media and
other true security researchers discover as vulnerabilities. You don't have a
proactive strategy for security in your products.
Do I make myself clear?
"CanSpam" wrote:
> Signing assumes trust to certificates.
> Trust assumes "you are not to be trusted if you say you are who you are", e.g.
someone else (with Reputation) has to sign on it. And those companies don't do
it for free since they are required to check you (Verisign, Thawte, etc... just
look into your Trusted Root CA). And they put their reputation in their
assertion that you and the name in your certificate really match.
> Signing would mean a split fee for a signed image (in the form of a yearly
subscription to a service of a Certificate Authority), paid by author.
> So we (in fact, Microsoft) are better off eliminating exploits in DLLs.
> Do I make myself clear?
>
> > Everyone know that images embedded in Web pages can contain exploits of all
> > kinds. Why doesn't Microsoft and other vendors make it possible to digitally
> > sign images created using their tools just like it's possible to sign a .NET
> > assembly?
> >
> > Or is this already available? I don't know since I'm just a developer. I use
> > images created by Web designers.
> >
> > JJ
>
| 
XML site map