I gave up on commenting on Slashdot articles a few years ago, so if I have something to say, it might as well be here. It's not the karma I worry about (I've always been positive) so much as the fact that the signal-to-noise ratio is terrible, and I read it about a day behind, when most of the comments and moderation have already precipitated out and anything I might post quite possibly won't be read. Also, this post turned into an extremely long essay of sorts.
This latest Ask Slashdot was full of well-moderated dreck. I mention it because it falls within one of my weird "areas of fascination™", and although I can't claim to be an expert, I think I have a hell of a lot better idea of the intricacies than the average slashdotter. I've done a lot of work in security, authentication, and privacy studies. The three together comprise one of the biggest, ugliest, and most complex systems we deal with unconsciously in our lives. Most people treat this topic like some form of black magic: you "have it" or you "don't", and often only blood sacrifices might change that.
So, someone on Slashdot asked a bunch of nerds whether or not "code signing" (applying a digital signature to program code, so that whoever runs it can check that it came from the holder of a particular key and has not been altered since) was "worth it", citing the opinions of an expert in cryptography (the applied-mathematical facet of the whole Security-Authentication-Privacy megasystem).
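To make concrete what "a digital signature on program code" actually buys you, here is an added example (my own illustration, not code from the original post or from Slashdot). It uses Go's standard-library Ed25519 to sign a constructed "program" and then shows the three cases that matter in the code-signing debate: the genuine artifact verifies, a tampered copy does not, and an impostor's signature fails against the vendor's key while passing against the impostor's own key. The artifact bytes, the vendor/impostor roles, and the helper names are all assumptions made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignCode produces a detached Ed25519 signature over the SHA-256 digest of the
// artifact. Signing a digest rather than the raw bytes mirrors how real code-signing
// formats work: the signature covers a fixed-size hash of the file, not the file itself.
func SignCode(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyCode checks a detached signature against a public key the verifier already
// trusts. This is the whole trust decision: the key must be obtained out of band.
func VerifyCode(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// DemoResult records the outcome of the four checks a practitioner cares about.
type DemoResult struct {
	GenuineVerifies      bool // vendor-signed artifact, checked against vendor key
	TamperedVerifies     bool // one byte flipped after signing, checked against vendor key
	ImpostorVerifies     bool // impostor-signed artifact, checked against vendor key
	ImpostorSelfVerifies bool // impostor-signed artifact, checked against impostor key
}

// RunDemo generates a vendor key pair and an impostor key pair, signs a constructed
// artifact, and exercises each case. Keys are fresh on every run.
func RunDemo() (DemoResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	impostorPub, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}

	// Constructed stand-in for a compiled program; any byte string works.
	artifact := []byte("#!/bin/sh\necho 'installing product v1.2'\n")
	sig := SignCode(vendorPriv, artifact)

	// Tampering: copy the artifact and flip a single byte of the payload.
	tampered := append([]byte(nil), artifact...)
	tampered[len(tampered)-2] ^= 0x01

	// Impostor: a different signer, same (or malicious) code. A signature alone
	// says nothing about whether the code is safe, only who signed it.
	impostorSig := SignCode(impostorPriv, artifact)

	res := DemoResult{
		GenuineVerifies:      VerifyCode(vendorPub, artifact, sig),
		TamperedVerifies:     VerifyCode(vendorPub, tampered, sig),
		ImpostorVerifies:     VerifyCode(vendorPub, artifact, impostorSig),
		ImpostorSelfVerifies: VerifyCode(impostorPub, artifact, impostorSig),
	}
	if !res.GenuineVerifies {
		return res, errors.New("genuine signature failed to verify; key handling is broken")
	}
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine verifies:        %v\n", res.GenuineVerifies)
	fmt.Printf("tampered verifies:       %v\n", res.TamperedVerifies)
	fmt.Printf("impostor vs vendor key:  %v\n", res.ImpostorVerifies)
	fmt.Printf("impostor vs own key:     %v\n", res.ImpostorSelfVerifies)
}
```

The last two results are the crux of the "worth it" question: the signature binds the code to a key, so the security you get is exactly the security of the process by which the verifier decided to trust that key, and nothing more.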
First, signatures are the major component of the Authentication world. (The lesser counterpart to signatures being vouchers, which is where OpenID gets its strength as an Authentication system. OpenID is my recommended standard (of the ones I've seen) for basic website authentication, and I'm hoping ...