Antw: Re: Security hole: Digital Signing + Downloadable fonts



-----BEGIN PGP SIGNED MESSAGE-----

>It's not a question of character sets, as the font just takes a value and
>spews out a corresponding bitmap.  Whether the underlying encoding is
>ASCII, UNICODE or some other thing makes no difference.  (Not to
>trivialize character set issues -- I just don't think they quite apply
>here.)
>
>In my mind, this is also a separate issue from PKIs or digital signatures.
>If someone's going to intentionally set out to mislead people, there's not
>much technology can do about it.  Even if a solution is found for this
>particular problem, something else is bound to crop up.  Just because
>someone can make an authenticable digital signature doesn't mean that they
>can't lie.

I fully agree. That's what I meant by the need for trust in the application.
This can be handled only by other means, e.g. by some process of verifying that
the code used for signing takes care that situations as described cannot occur and that
the user always signs what he sees.

Peter



Peter Lipp, IAIK, University of Technology, Graz
Institute for Applied Information Processing and Communications
Klosterwiesgasse 32/I, A-8010 Graz, +43 316 873 5513
________________________________________________________________________
What good is the best upbringing, the children just copy everything we do anyway.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQB1AwUBMqniGuXj1H8hSibZAQGeEQL+JcJQ6Mp9sy89O1ur+E1PvdY/Zyt9cPpz
DhWu9MKyn4l2YV3WOs9ONiS4b30/C8on8Nxhzc+t9Ufp2hpFt+6IRnneI9VV+7mQ
NGPFHvRDI/nUsrNVh4apte2v8iHSjlJP
=EO/+
-----END PGP SIGNATURE-----