On Oct 3, 6:19pm, Laurent Demailly wrote:
Subject: Re: Netscape finally issuing md5sums/pgp signed binaries ? (was R
In article <9510030248.AA08909@hplyot.obspm.fr>, dl@hplyot.obspm.fr (Laurent Demailly) writes:
I asked monthes ago netscape folks to make md5sum and/or PGP digital signatures (preferably md5sum of each files, this in a file, itself pgp signed) of the binaries available on their page and on relevant newsgroup to reduce possibility of tempering. [...] I've been thinking about this recently for obvious reasons. My concern is that if someone can attack your download of netscape, they could also attack your download of the program that validates netscape. Is there really any way out of this one? I have *already* downloaded, checked,... pgp years ago, and I did multiplatforms cross tests,... so all I need is a pgp signed stuff (obviously i need your (netscape's) pgp public key too, but I think
[ text/plain Encoded with "quoted-printable" ] : Jeff Weinstein writes: that a "massive" distribution, that is : mail on a couple of mailing lists, your site, newsgroup, eventually adding fingerprint by phone for the paranoid, would ensure that your key is indeed your key (it can probably take few weeks before it's "sure" (you'll get feedback if key have been tempered somehow) Or easiest even manage that your key is signed by some well known folk (PhilZ,...))
See my point ?
Yes, I get the idea about spewing the signed hashes everywhere. The problem I have is with the user of PGP. That will help cypherpunks, but does absolutely nothing for most of our millions of users, who have no idea what PGP is. Perhaps its enough to assume that if anyone is tampering with the distribution, some cypherpunk will stumble across it... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.