Announcing Bellcore's Trusted Software Integrity (Betsi) System

L. Todd Masco cactus at bb.com
Mon Aug 29 13:52:32 PDT 1994


[Not all observations are mine: some belong to Andrew Boardman]

Okay, I have a strong interest in this, because we want to be able to
distribute ICE through traditional "freeware" channels while minimizing
the threat of spoofing.

I expect much better from Bellcore.

>Betsi addresses a security concern of software distribution in the Internet.
>Currently, there is no way to know that software obtained by anonymous ftp
>has not been modified since it was posted.

Whoever wrote the blurb clearly wasn't aware of (or chose to ignore)
the already existing practice of individuals signing their own code.

Why channel everything through this one Betsi agent?  If Betsi's key
is compromised, *ALL* of their customers lose.

>   -  provide accountability by linking the author of a program
>      to a real person whose identity is verified off-line 

This is unnecessary, and I would claim undesirable.  A unique anonymous
ID is just as good as a "real" one -- since you're relying upon PGP
anyway, the mapping from signature to a known identity is one-to-one.

The only reason I can see to require this "real human" mapping is
to try to prosecute people for bugs in their code or some contamination
that seeps into their release.

That's not an aspect of the world I want to live in.

>   -  minimize effort on the part of the users

This, I'd love to see.  How do you securely get a user who doesn't know
how to use PGP to verify the signature?  I think most users out there
are not likely to learn to use PGP on their own: this is from too
many (3+) years of tech support at Carnegie Mellon -- hardly a
technological backwater.  People want to use their application and not
worry about anything else.  Make the damned computer work and let
me finish my paper and get out of here.

I guess my overall reaction to this Betsi thing is: why?

As far as I can see, this Betsi agent only sets up a single choke point
through which all software using Betsi can be compromised, for no
particular gain.  The current method of individuals signing their
code with their well-known keys is far more secure and doesn't force
the handing over of identities to the Software Police.
-- 
L. Todd Masco  | "Which part of 'shall not be infringed' didn't
cactus at bb.com  |   you understand?"
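The choke-point argument in the post, as an added example that is not from the post or from Bellcore: a Go model of the two trust arrangements, where the per-author model is a keyring of each author's own well-known key and the central model is a keyring in which every author's entry points at the same service key. Ed25519 stands in for PGP, and the author names and key seeds are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// keyFromSeed derives a key pair from a constructed seed; real keys come from crypto/rand.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Verify accepts a release only if the key the keyring trusts for its author signed the body.
func Verify(keyring map[string]ed25519.PublicKey, author string, body, sig []byte) bool {
	pub, ok := keyring[author]
	return ok && ed25519.Verify(pub, body, sig)
}

// Forgeable counts the authors whose releases someone holding the leaked
// private key could replace with tampered contents that Verify still accepts.
func Forgeable(keyring map[string]ed25519.PublicKey, leaked ed25519.PrivateKey) int {
	n := 0
	for author := range keyring {
		body := []byte("tampered release of " + author)
		if Verify(keyring, author, body, ed25519.Sign(leaked, body)) {
			n++
		}
	}
	return n
}

// BlastRadius returns how many of two constructed authors' releases one leaked key
// forges: alice's own key under per-author signing, then the service key when every
// author's entry chains to that single Betsi-style key.
func BlastRadius() (perAuthor, central int) {
	alicePub, alicePriv := keyFromSeed(1)
	bobPub, _ := keyFromSeed(2)
	servicePub, servicePriv := keyFromSeed(3)
	perAuthorRing := map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}
	centralRing := map[string]ed25519.PublicKey{"alice": servicePub, "bob": servicePub}
	return Forgeable(perAuthorRing, alicePriv), Forgeable(centralRing, servicePriv)
}

func main() {
	a, c := BlastRadius()
	fmt.Printf("alice's key leaked: %d of 2 forgeable; service key leaked: %d of 2\n", a, c)
}
```

A leaked author key exposes only that author's releases, while a leaked service key exposes every release the keyring chains to it, which is the loss the post describes.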