[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reasonable validation of a software package



I expect this problem can usually be handled without formal CAs.  If you
publish your PGP key fingerprint in your advertising and make the key
available on your web page, then your users have a way of independently
verifying your key.  As the finger print appears in more and more places
(letterhead, product packaging, etc.), it is less and less likely that your
attacker can reach them all to modify them.

The important thing is diverse paths.  If you include your key in the
package with the product and print the fingerprint on the outside, it
becomes relatively easier for your attacker to replace the whole thing as
part of an attack.


At 11:33 AM 7/13/96 -0400, Michael Froomkin wrote:
>This illustrates the need for and role of certification authorities.
>
>See http://www.law.miami.edu/~froomkin/articles/trusted.htm  for some
>info.
>
>On Sat, 13 Jul 1996, Lyal Collins wrote:
>
>> This touches upon a favourite rant of mine.
>[...]
>> So, now you need to ensure that you can get your public key 
>> (to verify the digital signature with) in the hands of all 
>> your possible, or intended, recipients. 
>> 
>> Now the race is on for as many people as possible to generate 
>> PGP public keys/certificates bearing your name, or variations 
>> of it. Once that occurs, there is a fair chance that one of 
>> these keys will verfiy the digital signature on a piece of
>> software purportedly from you. Still, not many people will have 
>> your true PGP public key/certificate, but, them's the breaks.

-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
[email protected] | worldwide conversation.    | Los Gatos, CA 95032, USA