From: cman@communities.com (Douglas Barnes)
Date: Tue, 3 Oct 95 00:00:30 PDT
To: jsw@neon.netscape.com (Jeff Weinstein)
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape'sdependence upon RSA down for the count!)
Message-ID: <v02120d02ac969ce0cf99@[199.2.22.120]>
MIME-Version: 1.0
Content-Type: text/plain



The idea here is to use multiple alternative channels for distributing
the checksums (newsgroups, mailing lists, telephone support lines,
fax-back service, e-mail, etc.), in addition to the ftp sites.

Also, since you guys use (relatively untrusted) mirror sites, you can
distribute the checksums on your official sites, so that people can
verify them from you directly, even if it's more practical for their
main download to be from a "local" mirror.

>
>  I've been thinking about this recently for obvious reasons.  My concern
>is that if someone can attack your download of netscape, they could also
>attack your download of the program that validates netscape.  Is there
>really any way out of this one?
>
>        --Jeff