1995-10-03 - Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape’s dependence upon RSA down for the count!)

Header Data

From: “Jeff Weinstein” <jsw@netscape.com>
To: Laurent Demailly <jsw@neon.netscape.com (Jeff Weinstein)
Message Hash: f3add901a53ff575afd863e5a21177824d4d19aab1c4d322372e0cb575018f07
Message ID: <9510031403.ZM151@tofuhut>
Reply To: <9510030147.AA15570@dmsd.com>
UTC Datetime: 1995-10-03 21:07:15 UTC
Raw Date: Tue, 3 Oct 95 14:07:15 PDT

Raw message

From: "Jeff Weinstein" <jsw@netscape.com>
Date: Tue, 3 Oct 95 14:07:15 PDT
To: Laurent Demailly <jsw@neon.netscape.com (Jeff Weinstein)
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)
In-Reply-To: <9510030147.AA15570@dmsd.com>
Message-ID: <9510031403.ZM151@tofuhut>
MIME-Version: 1.0
Content-Type: text/plain


On Oct 3,  6:19pm, Laurent Demailly wrote:
> Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was R
> 
> [ text/plain
>   Encoded with "quoted-printable" ] :
Jeff Weinstein writes:
>  > In article <9510030248.AA08909@hplyot.obspm.fr>, dl@hplyot.obspm.fr 
(Laurent Demailly) writes:
>  > > I asked monthes ago netscape folks to make md5sum and/or PGP digital
>  > > signatures (preferably md5sum of each files, this in a file, itself
>  > > pgp signed) of the binaries available on their page and on relevant 
>  > > newsgroup to reduce possibility of tempering.
> [...]
>  >   I've been thinking about this recently for obvious reasons.  My concern
>  > is that if someone can attack your download of netscape, they could also
>  > attack your download of the program that validates netscape.  Is there
>  > really any way out of this one?
> I have *already* downloaded, checked,... pgp years ago, and I did
> multiplatforms cross tests,... so all I need is a pgp signed stuff
> (obviously i need your (netscape's) pgp public key too, but I think
> that a "massive" distribution, that is : mail on a couple of mailing
> lists, your site, newsgroup, eventually adding fingerprint by phone
> for the paranoid, would ensure that your key is indeed your key (it
> can probably take few weeks before it's "sure" (you'll get feedback if
> key have been tempered somehow) 
> Or easiest even manage that your key is signed by some well known folk
> (PhilZ,...))
> 
> See my point ?

  Yes, I get the idea about spewing the signed hashes everywhere.  The
problem I have is with the user of PGP.  That will help cypherpunks,
but does absolutely nothing for most of our millions of users, who
have no idea what PGP is.  Perhaps its enough to assume that if anyone
is tampering with the distribution, some cypherpunk will stumble across
it...

	--Jeff


-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.





Thread