In message <[EMAIL PROTECTED]> "David F. Skoll" <[EMAIL PROTECTED]> was claimed to have wrote:
>Dave Warren wrote:
>
>> True, but you could make it realistic enough to fool most of the people,
>> most of the time, especially with a readme.txt noting that the new
>> versions are signed slightly differently.
>
>People who bother to download the .sig file in the first place probably
>won't be fooled. And they won't believe an unsigned readme.txt file.

The readme file wouldn't be unsigned; it would be signed by the new key, since it's naturally impossible to sign anything with the old key once the old key has been lost.

Anyone in a position to compromise the sourceforge distribution model could probably make it look good enough to fool the majority of people, who would at best glance at the status and move on. It's human nature, when we're told "this is legit" by an authority, to assume it's legit without investigating that authority.

Sure, not everyone is fooled, but I'd put money down that you'd fool at least 50% of those who do bother to check the sig, and over 90% of those who don't even bother with the sig today even if they started looking at sigs.

The only way a key can be completely trusted is if it's provided completely independently of the download infrastructure, hosted elsewhere entirely, requiring a compromise of two unique and unrelated systems.

-- 
Dave Warren, [EMAIL PROTECTED]
Office: (403) 775-1700 / (888) 300-3480

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
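The policy argued for above, that a signature only proves something when the key it was made with is pinned from a source independent of the download site, can be enforced mechanically rather than left to whoever glances at the gpg status line. The following is an added example, not code from the ClamAV project or from either poster in this thread. It parses the machine-readable `[GNUPG:]` status lines that `gpg --status-fd` emits (`VALIDSIG`, `BADSIG`, `NO_PUBKEY` and friends are real gpg status tags), and accepts a download only if the signature verifies *and* the signing key or its primary key matches a fingerprint the operator obtained out of band. The pinned fingerprint and the sample status output are constructed placeholders, not real ClamAV keys; `verify_download` is a hypothetical wrapper that only works where `gpg` is installed.

```python
"""Verify a detached GnuPG signature and require the signing key to match a
fingerprint pinned from a source independent of the download infrastructure.

Added example; not code from the ClamAV project or the thread's authors.
The fingerprints below are constructed placeholders, not real keys.
"""
import shutil
import subprocess

# Fingerprints obtained out of band (a printed fingerprint, a key fetched from
# an unrelated host, a colleague's verified copy). Constructed placeholder.
PINNED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Status tags that mean the signature must not be accepted, whatever else
# gpg printed. EXPKEYSIG/REVKEYSIG cover the "old key was lost/revoked" case.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text):
    """Return (good, fingerprints) from gpg --status-fd output.

    good is True only when a VALIDSIG line appeared and no failure tag did.
    fingerprints holds the signing (sub)key fingerprint and, when gpg
    reports it as the last VALIDSIG field, the primary key fingerprint.
    """
    good = False
    failed = False
    fingerprints = set()
    for raw in status_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ordinary human-readable output, not a status line
        tag = fields[1]
        if tag == "VALIDSIG" and len(fields) >= 3:
            good = True
            fingerprints.add(fields[2].upper())
            # VALIDSIG: fpr date timestamp expire version reserved pubkey-algo
            # hash-algo sig-class [primary-fpr]; the primary fpr is field 12.
            if len(fields) >= 12:
                fingerprints.add(fields[11].upper())
        elif tag in FAILURE_TAGS:
            failed = True
    return (good and not failed), fingerprints


def decide(status_text, pinned=PINNED_FINGERPRINTS):
    """Apply the policy: the signature must verify AND the key must be pinned.

    A good signature from a "new key" that arrived alongside the download
    (announced only by a readme next to the files) is rejected here, which is
    exactly the swap the thread describes.
    """
    good, fingerprints = parse_status(status_text)
    if not good:
        return False, "signature did not verify"
    if fingerprints & {f.upper() for f in pinned}:
        return True, "good signature from a pinned key"
    return False, "good signature, but the key is not pinned (possible key swap)"


def verify_download(path, sig_path, pinned=PINNED_FINGERPRINTS):
    """Hypothetical wrapper: run gpg on a detached signature, apply the policy."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True, check=False,
    )
    return decide(proc.stdout, pinned)


# Constructed sample status output in the shape gpg --status-fd produces.
_SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
STATUS_PINNED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {_SUBKEY} 2007-01-01 1167609600 0 4 0 1 2 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Same shape, but signed by a key that was never pinned: the "new key" case.
STATUS_SWAPPED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111222233334444 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2007-01-01 "
    "1167609600 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333\n"
)
STATUS_BAD_SIG = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"


if __name__ == "__main__":
    for name, status in (("pinned", STATUS_PINNED_KEY),
                         ("swapped", STATUS_SWAPPED_KEY),
                         ("bad", STATUS_BAD_SIG)):
        ok, reason = decide(status)
        print(f"{name:8} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The point of keeping `decide` separate from `verify_download` is that the trust decision never depends on which keys happen to be in the local keyring: importing a "rotated" key found next to the download will make gpg print GOODSIG, but it will not change `PINNED_FINGERPRINTS`, so the download is still refused until the new fingerprint has been confirmed through the independent channel.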
