FoRK Archive: Microsoft Authenticode analyzed
`
`Page I of2
`
`l\1icrosoft Authenticode analyzed
`
`Rohit _l(hare (khareei_;pe: .. "tw3_org)
`Afon, 22 Ju! 96 17:52:07-0400
`
`• J'Vicssages SOI"tCd by: r dale U lh.read }r ~ubj ed _U auLhor}
`• Next message: :Rohit Khare: "Andreesen movinl! sioooowly to objects"
`• Previous message: Rohit Khare: "T1rn's co1nments 011 WJC appear i11 PCWeek"
`
`[private wJc editorial comments expurgated]
`
`July 22, 1996 10:00 AM ET
`TE 3.0 applets will earn certification
`By_ Norvin Leach_ and_ Michael Moeller_
`
`In preparation for the 1nid~_.A .. ugust launch of Internet Explorer 3.0~ :r-.tlicrosoft
`Corp. next V\,.eek vvil1 announce tools and services that let vendors digitally
`sign A.cLiveX, Java and l~etscape Connnunications Corp. plug-in cornponenLs.
`
`As a result, users oflnternet Explorer 3.0 will be able to identify the
`creator of an Internet-based applet before downloading it.
`
`Jerry Seinfeld
`Jerry Seinfeld concert
`tickets Close to Stage
`;:;bs~2sbtJe.;:;om
`
`JerrJI S"inleld Tickets
`Jerry Seinfeld Tickets.
`Where Fans Buy & Sell
`Tickets.
`
`But for some IS managers) this approach misses the point of Internet security
`by a long shot. 1Vfany say they are less interested in knowing vvho built a
`component than tn providing seamlt:~s prote(.jtiun fur user~-~ as the Java
`"sandbox" modei does.
`
`Take the Sei~feld Quiz
`Think you know all about
`Seinfeld? Take the quiz &
`see if you can win
`Tdvir;'J,St';l((';r;,an;d1, C(!n1
`
`The Microsoft model, designed to provide users with the same level of
`security found in shrink-wrapped software, is based primarily on a level of
`ttust and 1narket pressure to keep ISV s honest.
`
`To put the digital signature architecture in place, V'eriSign fnc. and, in the
`future, other certificate authorities wiii issue digital certificates to TSVs
`for a $20 fee. Several hundred ActiveX controls wiii be digitaiiy signed by
`the time Internet Explorer 3.0 ships, sources said.
`
`But such a certificate does not authenticate the specific applet--it only
`certifies that the vendor has pledged not to build any malicious code into its
`soft·vv·are. "If a user dovv·nloads a buggy piece of signed code_~ then he vvill
`n~ver go back to that vt:ndur again," ~aid Rub Pri(.j~, group product rrtanager fur
`
`Jerry S<!infeld
`Everything to do with
`Jerry Seinfeld items.
`Y:,hoo <;om
`
`Festivus Supplies
`Your One Stop Shop For
`Festivus F1nd Tees, Mugs
`& More Here!
`
`Internet security at Microsoft.
`
`Beyond the credibility aspect, the signature concept raises a broader issue
`for so1n e IS 1nanagers.
`
`BLUE COAT SYSTEMS - Exhibit 1033 Page 1
`
`

`
`FoRK Archive: Microsoft Authenticode analyzed
`
`Page 2 of2
`
`''Just the fact that they have to create this kind ofworkaround causes me
`concern," said Eric Goldreich, infomration manager with Sheppard, Mullin,
`Richter & Hampton, a Los Angeles law firm.
`
`Other lS 1nanagers are \Vorrled t..ha.t dlglta! signatures 1nay add co1np!exlty to
`an already complicated n1cthod of trying to rnanagc vvho downloads vvhat from the
`[ntenlet.
`
`Internet Explorer 3.0 will modity a user's system tiles to detect digital
`certiticates as components are downloaded. Once found, a dialog box will
`appear, stating where the component came from and asking if users want to
`continue downloading the co1nponent.
`
`Systenl administrations will be able to restrict users fronl downloading any
`components, and users will be able to list "trusted" cmnpan1es that can load
`components onto their ciient machine without confirmation.
`
`Security "should be something the end user isn't aware of." said Erik
`Goldotl computer specialist for the Centers for Disease Control, in Atlanta
`''End users don't even understand Internet busy signals today.''
`
`The issue of con1ponent security has not been widely discussed because the
`technoiogy is oniy beginning to mature; Internet Expiorer 3.0 is the first
`browser to apply the digital signature approach.
`
`Two Microsoft competitors, Netscape and Sun Microsystems Tnc are adding
`digital signature schetnes as a tneans of extending the functionality of
`soft;,vare and c01nponents found on the Internet. How·ever, officials at both
`companies believe digital signatures alone perpetuate a flawed nlodel found in
`shrink-wrapped software.
`
`"Digital signatures are just a pa1t of the answer, not the whole solution,"
`said Jeft'Treuhaft, director of security at Netscape, of Mountain View, Calif.
`"Besides, you need to sign the code, not the vendor."
`
`• Next 1nessage: Rohit .Khar~: 1'L;..ndreesen 1noving sloooo\vly to objects 1
`• Previous message: Rohit Khare: !!Tirrt 1S comments on \V3C. appear in PC~Ieek!!
`
`'
`
`BLUE COAT SYSTEMS - Exhibit 1033 Page 2