In article <9510030248.AA08909@hplyot.obspm.fr>, dl@hplyot.obspm.fr (Laurent Demailly) writes:
I asked monthes ago netscape folks to make md5sum and/or PGP digital signatures (preferably md5sum of each files, this in a file, itself pgp signed) of the binaries available on their page and on relevant newsgroup to reduce possibility of tempering. [...] I've been thinking about this recently for obvious reasons. My concern is that if someone can attack your download of netscape, they could also attack your download of the program that validates netscape. Is there really any way out of this one? I have *already* downloaded, checked,... pgp years ago, and I did multiplatforms cross tests,... so all I need is a pgp signed stuff (obviously i need your (netscape's) pgp public key too, but I think
Jeff Weinstein writes: that a "massive" distribution, that is : mail on a couple of mailing lists, your site, newsgroup, eventually adding fingerprint by phone for the paranoid, would ensure that your key is indeed your key (it can probably take few weeks before it's "sure" (you'll get feedback if key have been tempered somehow) Or easiest even manage that your key is signed by some well known folk (PhilZ,...)) See my point ? ps :imo the later your start, the harder it'll be to be "sure" of something. (reputation of a key takes some weeks/monthes,...) dl -- Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept $400 million in gold Legion of Doom mururoa assassination break Peking Delta Force