Versions Compared
Comment: Edited by NavBot (vkp) v1.0

...

Signing code, however, has its own problems. According to Schneier \[[Schneier 2000|AA. Java References#SchneierBibliography#Schneier 00]\]:

"First, users have no idea how to decide if a particular signer is trusted or not. Second, just because a component is signed doesn't mean that it is safe. Third, just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited. Fourth, "safe" is not an all-or-nothing thing; there are degrees of safety. And fifth, the fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attacker could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored."
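Schneier's first two points (a user cannot judge which signer to trust, and "signed" is not "safe") are the ones a loader can partly address in code: instead of accepting any valid signature, pin the one signer certificate the deployment has decided to trust and refuse every entry that is not signed by it. The following Java class is an added example written for this page, not code from the CERT rule or from Schneier; it assumes the JAR path and the trusted X.509 certificate file are passed as command-line arguments, and that `META-INF/` metadata entries are the only unsigned entries expected.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class SignerCheck {

    /**
     * Returns true only if every non-metadata entry in the JAR is signed by the
     * pinned certificate. Presence of "a" signature is not enough: the signer's
     * leaf certificate must equal the one the deployment chose to trust.
     */
    public static boolean allEntriesSignedBy(Path jarPath, X509Certificate trusted) throws Exception {
        // verify = true: JarFile checks digests/signatures as entries are read and
        // throws SecurityException for an entry whose content was tampered with.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // manifest/signature files are not themselves signed entries
                }
                // Signer information is only available after the entry's bytes have
                // been fully read (and therefore verified), so consume the stream.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    return false; // unsigned entry inside an otherwise signed JAR
                }
                boolean matched = false;
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's leaf certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(trusted)) {
                        matched = true;
                        break;
                    }
                }
                if (!matched) {
                    return false; // signed, but by someone we did not decide to trust
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = JAR to check, args[1] = DER/PEM X.509 certificate
        // of the single signer this deployment trusts.
        X509Certificate trusted;
        try (InputStream in = Files.newInputStream(Path.of(args[1]))) {
            trusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        boolean ok = allEntriesSignedBy(Path.of(args[0]), trusted);
        System.out.println(ok ? "all entries signed by pinned certificate" : "REJECT: untrusted or unsigned entry");
    }
}
```

Pinning the certificate moves the "whom do I trust" decision out of the end user's hands and into deployment configuration, which is the only place it can be answered. It does nothing for Schneier's third and fourth points: a JAR that passes this check can still be unsafe on its own or in combination with other trusted code, which is why the rule text treats signing as a necessary but not sufficient control.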

...

\[[Schneier 2000|AA. Java References#SchneierBibliography#Schneier 00]\]
\[[McGraw 2000|AA. Java References#McGrawBibliography#McGraw 00]\] Appendix C: Sign Only Privileged Code
\[[Dormann 2008|AA. Java References#DormannBibliography#Dormann 08]\]

...
