1996-07-15 - Re: Reasonable validation of a software package

Header Data

From: frantz@netcom.com (Bill Frantz)
To: Michael Froomkin <lyalc@ozemail.com.au>
Message Hash: 0467700c7de1efa3ac00ab59c1c2faf15572644a36349e55f208c23f210991c5
Message ID: <199607150634.XAA04547@netcom8.netcom.com>
Reply To: N/A
UTC Datetime: 1996-07-15 10:15:25 UTC
Raw Date: Mon, 15 Jul 1996 18:15:25 +0800

Raw message

From: frantz@netcom.com (Bill Frantz)
Date: Mon, 15 Jul 1996 18:15:25 +0800
To: Michael Froomkin <lyalc@ozemail.com.au>
Subject: Re: Reasonable validation of a software package
Message-ID: <199607150634.XAA04547@netcom8.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


I expect this problem can usually be handled without formal CAs.  If you
publish your PGP key fingerprint in your advertising and make the key
available on your web page, then your users have a way of independently
verifying your key.  As the finger print appears in more and more places
(letterhead, product packaging, etc.), it is less and less likely that your
attacker can reach them all to modify them.

The important thing is diverse paths.  If you include your key in the
package with the product and print the fingerprint on the outside, it
becomes relatively easier for your attacker to replace the whole thing as
part of an attack.


At 11:33 AM 7/13/96 -0400, Michael Froomkin wrote:
>This illustrates the need for and role of certification authorities.
>
>See http://www.law.miami.edu/~froomkin/articles/trusted.htm  for some
>info.
>
>On Sat, 13 Jul 1996, Lyal Collins wrote:
>
>> This touches upon a favourite rant of mine.
>[...]
>> So, now you need to ensure that you can get your public key 
>> (to verify the digital signature with) in the hands of all 
>> your possible, or intended, recipients. 
>> 
>> Now the race is on for as many people as possible to generate 
>> PGP public keys/certificates bearing your name, or variations 
>> of it. Once that occurs, there is a fair chance that one of 
>> these keys will verfiy the digital signature on a piece of
>> software purportedly from you. Still, not many people will have 
>> your true PGP public key/certificate, but, them's the breaks.

-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA







Thread