Date: Wed, 19 Feb 1997 17:12:43 -0500
From: Edward Felten
Subject: Myths about digital signatures

There has been a lot of public discussion lately about digital signatures on mobile code. Several myths permeate this discussion. I'd like to puncture three of them.

* Myth 1: Digital signatures let you know who wrote a program, or where it came from.

  Reality: Anybody can remove the author's signature or add their own signature. At best, a signature tells you that the signer endorsed the program recently. Endorsement is more useful than authorship anyway; most people care more about whether their corporate MIS department has endorsed a program than about who wrote the program.

* Myth 2: If X has signed a program, and I trust X, then it is safe for me to download the program.

  Reality: There have been plenty of incidents of reputable and well-meaning organizations spreading viruses or serving as the base for security attacks. Before accepting a download from X, it's not enough to ask "Do I trust X?" One must also ask questions like "How carefully has X managed his cryptographic keys?" and "What is the probability that X's security has been penetrated?"

* Myth 3: Digital signatures provide accountability; if a program signed by X is malicious, the victim can sue X.

  Reality: Suppose I accept a download signed by X. A few seconds later there is some mysterious network traffic and then my disk gets wiped clean. X could be the culprit. Or X could be innocent --- that code I downloaded from Y three days ago could have waited a while before detonating. Or somebody could have exploited a bug somewhere else in my system. I have *no evidence* to distinguish these cases --- all the evidence disappeared when my disk was erased. (We can assume the attacker is smart enough to remove the hostile code from his site immediately after the attack.) If the attacker doesn't erase my disk, I can't trust the apparent evidence anyway. After all, the attacker had free run of my system and could have planted whatever "evidence" he liked. The evidence, whether real or not, will collapse in the first cross-examination. Signatures can provide accountability, but only with much more rigorous logging and auditing than today's consumer software provides.
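The point behind Myth 1 (a signature is an endorsement by whoever holds the signing key, not a record of authorship) is easy to see in working code. The following Go program is an added example, not part of Felten's message: it uses the standard library's ed25519 package, a hypothetical SignedProgram container, and a constructed sample program. An author signs the code, anyone strips that signature and re-signs the identical bytes with a different key, and the verifier of the re-signed bundle learns only that the second key endorsed it. The trusted-key check at the end is what a "has my MIS department endorsed this?" policy actually evaluates; the tamper check shows the one thing the signature does guarantee, that the bytes are the ones the endorser signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedProgram is a hypothetical container: program bytes, the public key of
// whoever signed them, and that signer's signature over the bytes. Nothing in
// it records who wrote the code.
type SignedProgram struct {
	Code      []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Sign attaches an endorsement of code by the holder of priv.
func Sign(code []byte, priv ed25519.PrivateKey) SignedProgram {
	return SignedProgram{
		Code:      code,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, code),
	}
}

// Verify reports whether SignerKey really signed Code. It says nothing about
// who produced Code or whether any earlier signature ever existed.
func Verify(sp SignedProgram) bool {
	return ed25519.Verify(sp.SignerKey, sp.Code, sp.Signature)
}

// Strip discards the signature; anyone holding the bundle can do this.
func Strip(sp SignedProgram) []byte {
	return bytes.Clone(sp.Code)
}

// EndorsedBy is the check a consumer should actually run: does a key in the
// trusted set vouch for these exact bytes?
func EndorsedBy(sp SignedProgram, trusted []ed25519.PublicKey) bool {
	if !Verify(sp) {
		return false
	}
	for _, k := range trusted {
		if k.Equal(sp.SignerKey) {
			return true
		}
	}
	return false
}

// DemoResult records what each verifier learns in the re-signing scenario.
type DemoResult struct {
	AuthorSigValid bool // the author's original signature verifies
	ResignedValid  bool // the same bytes re-signed by the MIS key verify too
	AuthorVisible  bool // the re-signed bundle still names the author (it does not)
	EndorsedByMIS  bool // the re-signed bundle passes the trusted-key policy
	TamperedValid  bool // bytes changed after signing still verify (they do not)
}

// RunDemo walks through the scenario with freshly generated keys.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	misPub, misPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	code := []byte("print('hello from the sample program')") // constructed sample program

	original := Sign(code, authorPriv)       // author endorses the code
	resigned := Sign(Strip(original), misPriv) // anyone strips it and re-signs with another key

	r.AuthorSigValid = Verify(original)
	r.ResignedValid = Verify(resigned)
	r.AuthorVisible = resigned.SignerKey.Equal(authorPub)
	r.EndorsedByMIS = EndorsedBy(resigned, []ed25519.PublicKey{misPub})

	// Integrity is what the signature does protect: altering the bytes breaks it.
	tampered := resigned
	tampered.Code = append(bytes.Clone(resigned.Code), []byte(" # extra")...)
	r.TamperedValid = Verify(tampered)
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it and the author's key is simply absent from the re-signed bundle; a verifier that trusts the MIS key accepts the bundle, and nothing in the accepted bundle says who wrote the code. That is why the useful question is "who endorsed these bytes, and how well do they guard their key?" rather than "who is the author?".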