1995-10-03 - Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape’sdependence upon RSA down for the count!)

Header Data

From: cman@communities.com (Douglas Barnes)
To: jsw@neon.netscape.com (Jeff Weinstein)
Message Hash: b1eac40be277935b77b60a5fa5b5bdfc39d426108719f3a5c1f7bac7687feea0
Message ID: <v02120d02ac969ce0cf99@[199.2.22.120]>
Reply To: N/A
UTC Datetime: 1995-10-03 07:00:30 UTC
Raw Date: Tue, 3 Oct 95 00:00:30 PDT

Raw message

From: cman@communities.com (Douglas Barnes)
Date: Tue, 3 Oct 95 00:00:30 PDT
To: jsw@neon.netscape.com (Jeff Weinstein)
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape'sdependence upon RSA down for the count!)
Message-ID: <v02120d02ac969ce0cf99@[199.2.22.120]>
MIME-Version: 1.0
Content-Type: text/plain



The idea here is to use multiple alternative channels for distributing
the checksums (newsgroups, mailing lists, telephone support lines,
fax-back service, e-mail, etc.), in addition to the ftp sites.

Also, since you guys use (relatively untrusted) mirror sites, you can
distribute the checksums on your official sites, so that people can
verify them from you directly, even if it's more practical for their
main download to be from a "local" mirror.

>
>  I've been thinking about this recently for obvious reasons.  My concern
>is that if someone can attack your download of netscape, they could also
>attack your download of the program that validates netscape.  Is there
>really any way out of this one?
>
>        --Jeff







Thread