1995-10-03 - Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)

Header Data

From: Laurent Demailly <dl@hplyot.obspm.fr>
To: jsw@neon.netscape.com (Jeff Weinstein)
Message Hash: 24ca94e4a6e1a9d971aaf519d9d2665ed6a84ea98ca6357ae5252093f2151a41
Message ID: <9510031719.AA12326@hplyot.obspm.fr>
Reply To: <9510030147.AA15570@dmsd.com>
UTC Datetime: 1995-10-03 17:20:40 UTC
Raw Date: Tue, 3 Oct 95 10:20:40 PDT

Raw message

From: Laurent Demailly <dl@hplyot.obspm.fr>
Date: Tue, 3 Oct 95 10:20:40 PDT
To: jsw@neon.netscape.com (Jeff Weinstein)
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)
In-Reply-To: <9510030147.AA15570@dmsd.com>
Message-ID: <9510031719.AA12326@hplyot.obspm.fr>
MIME-Version: 1.0
Content-Type: text/plain


Jeff Weinstein writes:
 > In article <9510030248.AA08909@hplyot.obspm.fr>, dl@hplyot.obspm.fr (Laurent Demailly) writes:
 > > I asked months ago netscape folks to make md5sum and/or PGP digital
 > > signatures (preferably md5sum of each file, this in a file, itself
 > > pgp signed) of the binaries available on their page and on relevant
 > > newsgroup to reduce possibility of tampering.
[...]
 >   I've been thinking about this recently for obvious reasons.  My concern
 > is that if someone can attack your download of netscape, they could also
 > attack your download of the program that validates netscape.  Is there
 > really any way out of this one?
I have *already* downloaded, checked,... pgp years ago, and I did
multiplatform cross tests,... so all I need is pgp signed stuff
(obviously I need your (netscape's) pgp public key too, but I think
that a "massive" distribution, that is: mail on a couple of mailing
lists, your site, newsgroup, eventually adding fingerprint by phone
for the paranoid, would ensure that your key is indeed your key (it
can probably take a few weeks before it's "sure" (you'll get feedback if
the key has been tampered with somehow)
Or easier still, manage that your key is signed by some well known folk
(PhilZ,...))

See my point ?

ps: imo the later you start, the harder it'll be to be "sure" of
something. (reputation of a key takes some weeks/months,...)

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|...  Freedom
Prime#1: one hundred five thousand one hundred five billion one hundred five thousand one hundred sixty-seven

$400 million in gold Legion of Doom mururoa assassination break Peking
Delta Force
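The scheme the thread describes (an md5sum of each file, collected in one manifest that is itself PGP-signed), as an added example that is not part of the original message or of any Netscape tooling: the client-side check of the manifest against the downloaded files, plus the cross-channel fingerprint agreement Laurent argues for before the signing key is trusted. It assumes the PGP signature on MANIFEST has already been verified (e.g. with `gpg --verify`); the file names, bytes and fingerprints are constructed.

```python
import hashlib
import re

# One md5sum(1)/sha256sum(1) manifest line: "<hex digest>  <path>" (or " *<path>" for binary mode).
_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_manifest(text):
    """Parse a checksum manifest into {path: lowercase hex digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_release(manifest_text, files, algo="md5"):
    """Check {path: bytes} against a manifest whose PGP signature was already verified.

    Returns (ok, problems): ok only when every listed file is present with a
    matching digest and nothing unlisted was shipped alongside it."""
    expected = parse_manifest(manifest_text)
    problems = []
    for path, digest in expected.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.new(algo, files[path]).hexdigest() != digest:
            problems.append(f"digest mismatch: {path}")
    problems += [f"unlisted file: {p}" for p in files if p not in expected]
    return not problems, problems


def fingerprint_confirmed(observed, minimum=2):
    """Accept a signing-key fingerprint only if at least `minimum` independent
    channels (web page, mailing list, newsgroup, phone, ...) report the same value."""
    seen = {fp.replace(" ", "").upper() for fp in observed.values()}
    return len(observed) >= minimum and len(seen) == 1


# Constructed sample release (not real Netscape data) and the manifest its
# publisher would generate with `md5sum * > MD5SUMS` before PGP-signing it.
GOOD = {"netscape.tar.gz": b"constructed archive bytes", "README": b"constructed readme"}
MANIFEST = "".join(f"{hashlib.md5(b).hexdigest()}  {p}\n" for p, b in GOOD.items())
```

Passing `algo="sha256"` checks a sha256sum-style manifest the same way; the parser and the unlisted-file check do not depend on the digest used.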