From: Lyal Collins <lyalc@ozemail.com.au>
To: Anonymous User <nobody@c2.org>
Message Hash: ff55e49aa8826ea1be2b5378c0cfd8bb1a1772ca1153ca285d62680130efd354
Message ID: <31E87985.6EF9@ozemail.com.au>
Reply To: <199607121405.HAA09514@infinity.c2.org>
UTC Datetime: 1996-07-13 16:36:03 UTC
Raw Date: Sun, 14 Jul 1996 00:36:03 +0800
Subject: Re: Reasonable validation of a software package
MIME-Version: 1.0
Content-Type: text/plain
This touches upon a favourite rant of mine.
Anonymous User wrote:
>
> Fellow cpunks:
>
> I am working on various software packages for UNIX and
> Windows and since this is commercial work and prior NDA's
> are involved, I can't include the source code for
> absolute validation.
>
> What would assure one that a package has not been tampered
> with from the company to the user?
If someone had your public key, and a trusted software module
with which to use it, you could use a "Digital Signature".
PGP offers such data integrity and signing functions.
You also indicate you have PGP - even better.
So, now you are left with ensuring people have your public key,
and the recipient having a trusted software tool.
Again, PGP is relatively well accepted in this regard.
Trusted - depends on the source of the recipient's
copy.
So, now you need to ensure that you can get your public key
(to verify the digital signature with) in the hands of all
your possible, or intended, recipients.
Now the race is on for as many people as possible to generate
PGP public keys/certificates bearing your name, or variations
of it. Once that occurs, there is a fair chance that one of
these keys will verify the digital signature on a piece of
software purportedly from you. Still, not many people will have
your true PGP public key/certificate, but, them's the breaks.
>
> (Currently, I am using PKZIP's rather anemic AV protection,
> as well as signing the archive with my PGP key. I am
> wondering if there are any other steps I need to take to
> assure that a package came from me, and wasn't
> damaged/altered/tampered with in transit.)
See above - easy or difficult - how much assurance do you want?
>
> Thanks in advance.
lyal
--
All mistakes in this message belong to me - you should not use them!
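
The look-alike key problem raised in the reply above, as an added example that is not part of the original message: a recipient who accepts any key bearing the sender's name will accept a package signed by an impostor's key, while one who pins a fingerprint obtained out of band will not. Lamport one-time signatures built from hashlib stand in for PGP so the script runs without external tools; the user ID, package bytes and function names are constructed for illustration.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: a stand-in for a PGP key (assumption).
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; each key must sign only once.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

def fingerprint(pk):
    return hashlib.sha256(b"".join(h for pair in pk for h in pair)).hexdigest()

def verify_by_name(keyring, name, msg, sig):
    # Weak check: any key carrying the expected user ID is trusted.
    return any(uid == name and verify(pk, msg, sig) for uid, pk in keyring)

def verify_pinned(keyring, pinned_fpr, msg, sig):
    # Strong check: only the key whose fingerprint was pinned is trusted.
    return any(fingerprint(pk) == pinned_fpr and verify(pk, msg, sig)
               for _uid, pk in keyring)

def demo():
    name = "Vendor <vendor@example.com>"        # constructed user ID
    real_sk, real_pk = keygen()
    fake_sk, fake_pk = keygen()                 # different key, same name
    keyring = [(name, fake_pk), (name, real_pk)]
    pinned = fingerprint(real_pk)               # obtained out of band
    genuine, altered = b"package-1.0", b"package-1.0 (altered)"
    sig_real, sig_fake = sign(real_sk, genuine), sign(fake_sk, altered)
    return {
        "name_accepts_altered": verify_by_name(keyring, name, altered, sig_fake),
        "pinned_accepts_altered": verify_pinned(keyring, pinned, altered, sig_fake),
        "pinned_accepts_genuine": verify_pinned(keyring, pinned, genuine, sig_real),
    }

if __name__ == "__main__":
    print(demo())
```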