Code Signing For Small Software Developers « Thread Started on Nov 4, 2009, 2:46pm »
'With the coming of the information age, communication with others has never been easier. Likewise, the capacity for mis-information has kept pace lockstep. When you distribute data electronically, you may find that there are times when others wish to authenticate data as truly being offered by the stated individual(s). Not an unreasonable request...'
I shall conquor the worl..... Ooooo, pretty blinking LED lights!
Joined: Dec 2006 Gender: Male Posts: 623 Location: In my mind
Re: Code Signing For Small Software Developers « Reply #5 on Nov 4, 2009, 10:45pm »
Check your spelling on your article Michael, I see one spelling error right off.... "It solely confirms the data has not been tapered with" should be "It solely confirms the data has not been tampered with".
Re: Code Signing For Small Software Developers « Reply #6 on Nov 4, 2009, 10:51pm »
Ok, so this sounds like something that some of us might want to get together over. As I read it, it helps if several holders of keys endorse each other. Did I read that right?
Re: Code Signing For Small Software Developers « Reply #7 on Nov 5, 2009, 9:09am »
Yep, Garrett, just let me know if you need someone to sign your key, & I'll add you to my keyring. I've got two keys on my ring now (part of the reason I wrote this was to help me recall all the details...). And make no mistake about it... there are projects that only allow signed code in the door from the get-go, like Apache.
I want to point out that code signing in this manner will not prevent IE from throwing up a message about your downloads being 'unknown'. So far, only a handful of CAs are 'hardcoded' into Windows browsers. CAs are automatic, though, where a WOT is manual out of the box (but can be automated with scripts). I simply can't justify the cost (200-500 USD!)
Now while I've always defended closed source (it's either free, or it's not, no biggie to me), this is one area where I'm squarely on the open source side of things... With CAs, the only bar is money... there is no trust involved; if you can pay, you're in. With PGP & GPG, your trust rating is just like your credit rating; in other words, you can grade a key on your ring as trusted, sorta trusted, or no faith in the key at all... You can't do that with a CA; the CA is the -sole deciding party-...
Secondly, a WOT is decentralized; if a CA is sold to another party, or unavailable, you can't validate a certificate. With the open way, if I can't validate your key, I could always go through (say) Jer to do it. It's just a better way in my thinking; makes more sense.
Okay, updated the article for the spelling error, & added a thought or two... thanks.
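The key-grading and "go through Jer" behaviour discussed in the replies above is what GnuPG's trust-model computation does when it decides whether a signature on a download came from a key you can rely on. The following is an added example, not code from the thread or from GnuPG: a small Python model of GnuPG's classic web-of-trust rules with its default thresholds (one full signature or three marginal ones make a key valid, chains followed at most five hops). The keyring, the names in it and the validity labels are constructed for illustration; the rules are a simplification and are flagged as such in the comments.

```python
from dataclasses import dataclass, field

# Owner-trust grades a keyring holder assigns to each key, mirroring the
# ratings the post describes ("trusted, sorta trusted, no faith at all").
ULTIMATE, FULL, MARGINAL, NEVER, UNKNOWN = "ultimate", "full", "marginal", "never", "unknown"


@dataclass
class Key:
    uid: str
    owner_trust: str = UNKNOWN
    # uids of the keys that have certified (signed) this key
    signed_by: set = field(default_factory=set)


def compute_validity(keys, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Return {uid: validity} with validity in {"valid", "marginal", "unknown"}.

    Simplified model (assumption) of GnuPG's classic trust model and defaults:
      - keys we own (owner trust 'ultimate') are valid by definition;
      - a certification only counts if the signer's key is itself valid AND
        we grade its owner as ultimate/full or marginal (never/unknown owners
        contribute nothing, even if their own key is valid);
      - 'completes_needed' full signatures or 'marginals_needed' marginal
        signatures make a key valid; fewer leave it merely 'marginal';
      - certification chains are followed to at most 'max_cert_depth' hops.
    """
    validity = {uid: ("valid" if k.owner_trust == ULTIMATE else "unknown")
                for uid, k in keys.items()}
    for _ in range(max_cert_depth):
        changed = False
        for uid, key in keys.items():
            if validity[uid] == "valid":
                continue
            full = marginal = 0
            for signer_uid in key.signed_by:
                signer = keys.get(signer_uid)
                if signer is None or validity[signer_uid] != "valid":
                    continue  # signer not on the ring or not yet valid: ignore
                if signer.owner_trust in (ULTIMATE, FULL):
                    full += 1
                elif signer.owner_trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                new = "valid"
            elif full or marginal:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[uid]:
                validity[uid] = new
                changed = True
        if not changed:
            break  # fixed point reached before the depth limit
    return validity


def signature_verdict(validity, signer_uid):
    """What to do with a download whose signature already verified cryptographically.

    Constructed policy: a good signature only proves the file matches what the
    signing key signed; whether to act on it depends on that key's validity.
    """
    return {"valid": "accept", "marginal": "accept with warning"}.get(
        validity.get(signer_uid, "unknown"), "do not trust")


def build_sample_keyring():
    """Constructed sample keyring; the names are placeholders taken from the thread."""
    return {
        "me":       Key("me", ULTIMATE),                       # my own key
        "jer":      Key("jer", FULL, {"me"}),                  # I signed Jer, trust him fully
        "garrett":  Key("garrett", UNKNOWN, {"jer"}),          # only Jer signed Garrett
        "alice":    Key("alice", MARGINAL, {"me"}),
        "bob":      Key("bob", MARGINAL, {"me"}),
        "carol":    Key("carol", MARGINAL, {"me"}),
        "michael":  Key("michael", UNKNOWN, {"alice", "bob", "carol"}),
        "dave":     Key("dave", UNKNOWN, {"alice"}),           # one marginal signer only
        "eve":      Key("eve", NEVER, {"me"}),                 # valid key, but I trust no sig she makes
        "mallory":  Key("mallory", UNKNOWN, {"eve"}),
        "stranger": Key("stranger"),                           # no certifications at all
    }


if __name__ == "__main__":
    ring = build_sample_keyring()
    result = compute_validity(ring)
    for uid in ring:
        print(f"{uid:9} {result[uid]:8} -> {signature_verdict(result, uid)}")
```

Garrett becomes valid only through Jer (the transitive check the post describes), Michael through three marginally trusted signers, while Mallory stays unknown even though Eve's key is valid, because Eve's owner trust is "never". Raising `marginals_needed` to 4 demotes Michael to "marginal", which is exactly the knob a keyring holder turns when deciding how much endorsement is enough.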