[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)



Jeff Weinstein writes:
 > In article <[email protected]>, [email protected] (Laurent Demailly) writes:
 > > I asked monthes ago netscape folks to make md5sum and/or PGP digital
 > > signatures (preferably md5sum of each files, this in a file, itself
 > > pgp signed) of the binaries available on their page and on relevant
 > > newsgroup to reduce possibility of tempering.
[...]
 >   I've been thinking about this recently for obvious reasons.  My concern
 > is that if someone can attack your download of netscape, they could also
 > attack your download of the program that validates netscape.  Is there
 > really any way out of this one?
I have *already* downloaded, checked,... pgp years ago, and I did
multiplatforms cross tests,... so all I need is a pgp signed stuff
(obviously i need your (netscape's) pgp public key too, but I think
that a "massive" distribution, that is : mail on a couple of mailing
lists, your site, newsgroup, eventually adding fingerprint by phone
for the paranoid, would ensure that your key is indeed your key (it
can probably take few weeks before it's "sure" (you'll get feedback if
key have been tempered somehow)
Or easiest even manage that your key is signed by some well known folk
(PhilZ,...))

See my point ?

ps :imo the later your start, the harder it'll be to be "sure" of
something. (reputation of a key takes some weeks/monthes,...)

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|...  Freedom
Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept

$400 million in gold Legion of Doom mururoa assassination break Peking
Delta Force