On Wed, 26 Feb 2003, Sung J. Choe wrote: :> Third, the best method of ensuring the integrity of software right now :> is signed crypographic checksums from someone you trust. :What would you use to generate that checksum? Can you trust the software :used to generate the checksum? How can you trust that software? Please :do not give some simple-minded answer like "cryptographic checksums" since :that does not answer my specific question. :
You cannot trust software. You can only trust processes, people and institutions. So, I will reiterate my original answer which is that you can trust cryptographic checksums *from someone you trust*, or more accurately, ones which have been generated using a process you trust. If you want to know how to evaluate how much trust you should have in a process, then maybe the Common Criteria, BS7799, the TCSec rainbow books, should help. Better yet, have a plan B for dealing with the possibility that your trust may be unfounded. -- batz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
