1995-10-04 - Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape’s dependence upon RSA down for the count!)

Header Data

From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
To: jsw@netscape.com (Jeff Weinstein)
Message Hash: 22297162bd994c96cba3024a28261405d1f043b263481b22a6f8f265cfc288c0
Message ID: <199510040218.MAA04820@sweeney.cs.monash.edu.au>
Reply To: <9510031403.ZM151@tofuhut>
UTC Datetime: 1995-10-04 02:20:58 UTC
Raw Date: Tue, 3 Oct 95 19:20:58 PDT

Raw message

From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
Date: Tue, 3 Oct 95 19:20:58 PDT
To: jsw@netscape.com (Jeff Weinstein)
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)
In-Reply-To: <9510031403.ZM151@tofuhut>
Message-ID: <199510040218.MAA04820@sweeney.cs.monash.edu.au>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Hello "Jeff Weinstein" <jsw@netscape.com>
  and Laurent Demailly <dl@hplyot.obspm.fr>,
  and jsw@neon.netscape.com (Jeff Weinstein)
  and cypherpunks@toad.com

"Jeff Weinstein" <jsw@netscape.com> writes:

> On Oct 3,  6:19pm, Laurent Demailly wrote:
> > Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was R
...
> 
>   Yes, I get the idea about spewing the signed hashes everywhere.  The
> problem I have is with the user of PGP.  That will help cypherpunks,
> but does absolutely nothing for most of our millions of users, who
> have no idea what PGP is.

Provided they know at least one person who does, they might well ask
that person to come and verify it for them.

Then again the tampered-with version might not mention PGP-signatures
at all (unless you use it widely in your publicity).

> Perhaps its enough to assume that if anyone
> is tampering with the distribution, some cypherpunk will stumble across
> it...

You wouldn't want that to be your only argument, but it helps...

If you mention all over the place that the program is PGP-signed
to foil {cr,h}ackers and viruses (*), chances are a lot of people will
ask their one colleague or friend that does know PGP to verify it for them.

Footnotes:
  (*) well, gotta use the four horse{wo,}men, no?

Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMHHu7CxV6mvvBgf5AQHTaAP/W2RKNFiGFc4WjE4saoAls8/Q3N+zlkqm
sDOCga9t9ElSY+jf0XQR/MLxMnuJ4n2H1gbzxnK+ELAbubzRBjNfK+I66IsN89nd
FYEwtnGMSgmmPtO2Y8X0KaFwkdRS8XUVgvnyYVrrhz/6dh3VvcLy5imLBK0fbIrA
r2+u9FL6fuQ=
=2WVg
-----END PGP SIGNATURE-----




Thread