Re: Reasonable validation of a software package



This touches upon a favourite rant of mine.

Anonymous User wrote:
> 
> Fellow cpunks:
> 
> I am working on various software packages for UNIX and
> Windows and since this is commercial work and prior NDA's
> are involved, I can't include the source code for
> absolute validation.
> 
> What would assure one that a package has not been tampered
> with from the company to the user?

If someone had your public key, and a trusted software module 
with which to use it, you could use a "Digital Signature".
PGP offers such data integrity and signing functions.
You also indicate you have PGP - even better.

So, now you are left with ensuring people have your public key,
and the recipient having a trusted software tool.
Again, PGP is relatively well accepted in this regard.
Trusted - depends on the source of the recipient's
copy.

So, now you need to ensure that you can get your public key 
(to verify the digital signature with) in the hands of all 
your possible, or intended, recipients. 

Now the race is on for as many people as possible to generate 
PGP public keys/certificates bearing your name, or variations 
of it. Once that occurs, there is a fair chance that one of 
these keys will verify the digital signature on a piece of
software purportedly from you. Still, not many people will have 
your true PGP public key/certificate, but, them's the breaks.


> 
> (Currently, I am using PKZIP's rather anemic AV protection,
> as well as signing the archive with my PGP key.  I am
> wondering if there are any other steps I need to take to
> assure that a package came from me, and wasn't
> damaged/altered/tampered with in transit.)

See above - easy or difficult - how much assurance do you want?

> 
> Thanks in advance.

lyal

-- 
All mistakes in this message belong to me - you should not use them!
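
The lookalike-key problem described in the message above, as an added example that is not part of the original post: a recipient-side check that accepts a signature only when it comes from a fingerprint obtained out of band, not from any key that merely bears the publisher's name. It assumes verification is done with GnuPG and reads its `--status-fd` output; the function name, fingerprints, user ID and status lines are all constructed for illustration.

```python
# Added example; every key, fingerprint and status line here is constructed.
PINNED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"  # obtained out of band

GENUINE = """
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Vendor <release@vendor.example>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
# Same name on the key, different key: gpg still reports a good signature.
LOOKALIKE = """
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321076543210 Example Vendor <release@vendor.example>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321076543210 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA987654321076543210
"""
TAMPERED = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Vendor <release@vendor.example>"

FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signed_by_pinned_key(status_text, pinned_fpr):
    """Decide from `gpg --status-fd 1 --verify` output whether the signature
    was made by the pinned primary key. Returns (ok, reason)."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good_uid, primary_fprs = None, []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG":
            good_uid = " ".join(args[1:])  # name on the key: informational only
        elif keyword == "VALIDSIG" and args:
            # Last field is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing-key fingerprint (first field).
            fpr = args[9] if len(args) >= 10 else args[0]
            primary_fprs.append(fpr.upper())
    if good_uid is None or len(primary_fprs) != 1:
        return False, "no single good signature"
    if primary_fprs[0] != pinned:
        return False, "good signature, but from unpinned key claiming: " + good_uid
    return True, "signed by pinned key"
```

The pinned fingerprint has to reach the recipient through a channel separate from the download, which is the distribution problem the message describes.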