Urgent. Excel automation error

Tim Ferguson

TC said:
From your experience, could an installation program do the selfcert on
the target PC, so the whole signing thing was invisible to the
end-user, & did not require specific action from the end user (when he
installed your product on his PC)?

Not in my experience: and it would seem that this would somewhat defeat the
purpose of certification in the first place. Can you imagine MyDoom coming
with its own self-installing security certificate?

The whole point is to give the user an _active_ role in establishing the
bona fides of people who want to run code on his or her machine.

B Wishes


Tim F
 
TC

Tim Ferguson said:
Not in my experience: and it would seem that this would somewhat defeat the
purpose of certification in the first place. Can you imagine MyDoom coming
with its own self-installing security certificate?

The whole point is to give the user an _active_ role in establishing the
bona fides of people who want to run code on his or her machine.


Yes, you have hit the nail on the head about how that approach would defeat
the purpose of certification. I thought of that before. But, they have gone
about some of these things in such a cack-handed way, that I wondered
whether it might be possible, none-the-less!

You say the user must take an active role. Is that by entering something
onto the selfcert screen? What if the install program loaded selfcert, ran
it, & answered the dialog(s) using API calls?

Cheers,
TC
 
Tim Ferguson

TC said:
You say the user must take an active role. Is that by entering something
onto the selfcert screen?

I meant that they have to install the certificate, either in Explorer or in
Internet Options. Actually on my system, the .cer file type is double-
clickable, so I dread to think what would happen with a call like

vProcess = Shell("d:\download\TrashThisSystem.cer")

About the only thing that makes this tolerable is that it wouldn't run
without certification in the first place. But then again, there are so many
users who will double-click on anything that isn't nailed down, that it is
all pretty academic anyway :-(


Remember, we are talking about Microsoft, whose attitude to security is a
bit like a prostitute's attitude toward her clients.

All the best


Tim F
 
TC

So, Tim, let me get this clear in my mind. Is this correct:
- install program copies selfcert.exe to user's PC;
- install program runs selfcert & enters any dialogs using win32 APIs etc;
- install program "runs" the resultant certificate file.

Yes? No?

Cheers,
TC
 
Tim Ferguson

TC said:
So, Tim, let me get this clear in my mind. Is this correct:
- install program copies selfcert.exe to user's PC;

No: it's part of Office (in the optional bits) and it's only needed for the
developer anyway.

- install program runs selfcert & enters any dialogs using win32 APIs etc;

No: it's a command prompt program. The developer works it to create a
certificate for him/herself, and signs the code with the certificate, and
hands a copy of the certificate to the user.

- install program "runs" the resultant certificate file.

This is the bit that I am suspicious about. Ideally, the user should use
his/ her own GUI to install it, but I guess it's possible for an install
program to do it silently and unknown. I just don't know.

Look: I am _not_ an expert in this. I have a system that seems to work for
me, but it's low volume and can be done by hand. I have tried to read the
MSKB articles but they rapidly start going over my head, because they are
aimed at corporate distributors.

<smiles weakly...>

All the best


Tim F
 
TC

Sorry about the very late follow-up, but I just stumbled across this
Webpage, that is readable and also has a number of references to
follow up:-

<http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=194>

and it seems to make a lot more sense than I did!

All the best


Tim F


Yes, thanks for that, it looks very good. I've only just skimmed it so
far, but it does seem to clarify "who does what to whom", as it were.

For example, I thought that the *user* ran selfcert to generate the
certificate. Now I see that the *developer* runs selfcert to generate
the certificate, then signs his product with that certificate, then
distributes his product *and the certificate* to the end user. Then
the end user, with a degree in advanced mathematics & nuclear physics,
installs that certificate on his PC, and tells his PC to trust all
software that is signed with that certificate.

I have no idea whether the end-user steps could be automated, eg. by
an install program. And if they *could*, this would, of course,
destroy the utility of the whole idea, because then, any evil person
could automatically cause their software to be trusted on the target
PC!

Cheers,
TC
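
As an added example (not part of the thread, and not code from any poster): a read-only PowerShell check that lists the publisher certificates a PC already trusts and marks the self-signed ones, which is how a SelfCert-style certificate installed as described above would show up. It assumes the standard Windows TrustedPublisher and Root certificate stores; `Test-CodeSigningEku` is a helper name made up for this example.

```powershell
# Added example: audit trusted publisher certificates. Read-only; changes nothing.

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Test-CodeSigningEku {
    # Hypothetical helper: 'yes' / 'no' if an EKU extension is present,
    # 'unrestricted' if the certificate carries no EKU extension at all.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $codeSigningOid) { return 'yes' }
            }
            return 'no'
        }
    }
    return 'unrestricted'
}

# Thumbprints of everything treated as a trusted root on this machine.
$rootThumbprints = @(
    Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint }
)

$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store       = $store
            Subject     = $_.Subject
            # Heuristic: subject equals issuer means the certificate vouches for itself.
            SelfSigned  = ($_.Subject -eq $_.Issuer)
            CodeSigning = Test-CodeSigningEku $_
            # A self-signed publisher certificate that is also a trusted root
            # has been given full trust with no third party involved.
            AlsoInRoot  = ($rootThumbprints -contains $_.Thumbprint)
            NotAfter    = $_.NotAfter
            Thumbprint  = $_.Thumbprint
        }
    }
}

# Full list, self-signed entries first.
$report | Sort-Object SelfSigned -Descending | Format-Table -AutoSize

# Entries worth a manual look: self-signed and also installed as a root.
$report | Where-Object { $_.SelfSigned -and $_.AlsoInRoot } | Format-List
```

Any entry in the second list that nobody on the machine remembers approving is worth tracing back to the software that brought it.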
 
Tim Ferguson

(e-mail address removed) (TC) wrote in
I have no idea whether the end-user steps could be automated, eg. by
an install program. And if they *could*, this would, of course,
destroy the utility of the whole idea, because then, any evil person
could automatically cause their software to be trusted on the target
PC!

<cynical>This being Microsoft, I'm sure it's a user option somewhere...
</cynical> :)

All the best



Tim F
 
