From: patrick@Verity.COM (Patrick Horgan)
Date: Tue, 3 Oct 95 10:00:06 PDT
To: jsw@neon.netscape.com
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)
Message-ID: <9510031656.AA00760@cantina.verity.com>
MIME-Version: 1.0
Content-Type: text/plain


> 
>   I've been thinking about this recently for obvious reasons.  My concern
> is that if someone can attack your download of netscape, they could also
> attack your download of the program that validates netscape.  Is there
> really any way out of this one?
> 
> 	--Jeff

I remember sometime in the last couple of years seeing a cert advisory that
said that people's checksumming programs were being replaced by ones that
did the normal checksumming except on compromised programs.  This was part
of one particular attack as I remember.

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick@verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/