Re: Announcing Bellcore's Trusted Software Integrity (Betsi) System
[Not all observations are mine: some belong to Andrew Boardman]

Okay, I have a strong interest in this, because we want to be able to
distribute ICE through traditional "freeware" channels while minimizing
the threat of spoofing.

I expect much better from Bellcore.

>Betsi addresses a security concern of software distribution in the Internet.
>Currently, there is no way to know that software obtained by anonymous ftp
>has not been modified since it was posted.

Whoever wrote the blurb clearly wasn't aware of (or chose to ignore)
the already existing practice of individuals signing their own code.
Why channel everything through this one Betsi agent? If Betsi's key
is compromised, *ALL* of their customers lose.

> - provide accountability by linking the author of a program
> to a real person whose identity is verified off-line

This is unnecessary, and I would claim undesirable. A unique anonymous
ID is just as good as a "real" one -- since you're relying upon PGP
anyway, the mapping from signature to a known identity is one-to-one.
The only reason I can see to require this "real human" mapping is
to try to prosecute people for bugs in their code or some contamination
that seeps into their release.

That's not an aspect of the world I want to live in.

> - minimize effort on the part of the users

This, I'd love to see. How do you securely get a user who doesn't know
how to use PGP to verify the signature? I think most users out there
are not likely to learn to use PGP on their own: this is from too
many (3+) years of tech support at Carnegie Mellon -- hardly a
technological backwater. People want to use their application and not
worry about anything else. Make the damned computer work and let
me finish my paper and get out of here.

I guess my overall reaction to this Betsi thing is: why?

As far as I can see, this Betsi agent only sets up a single choke point
through which all software using Betsi can be compromised, for no
particular gain. The current method of individuals signing their
code with their well-known keys is far more secure and doesn't force
the handing over of identities to the Software Police.
--
L. Todd Masco | "Which part of 'shall not be infringed' didn't
[email protected] | you understand?"