Hi David,
Sorry to be rude, but your post just told me what I already know :), my lack of knowledge about security, but didn't help me a bit :( (not sure if the post was meant to be helpful). If you had spent the same amount of time writing *what* is wrong with my approach & why this should be avoided, that would have helped me or anyone who might be tempted to do what I am trying to do.
Thanks for your understanding,
Regards,
Usman.
From: "David Schwartz" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: <openssl-users@openssl.org>
Subject: RE: EVP Envelope & PKI Confusion...
Date: Tue, 3 Apr 2007 21:08:55 -0700
>
> > Thanks for the reply Goetz, appreciated! I believe with signing the license
> > information (correct me if I am wrong), I have to provide the actual
> > license info/data (in plain clear text) along with the data generated during
> > the signing process. The problem with this approach is that providing the
> > license info in clear text I think will make it a little more tempting &
> > almost all the software that I have used doesn't supply license info in
> > clear text. Even though I agree the customer should know what is in the
> > license information, that's why my software will display info about it, after
> > reading the license data, but how this license info is interpreted &
> > transformed from one form to another should be left to the software vendor.
>
>I don't mean to be rude, and I really hope you don't take this the wrong
>way, but you simply don't have nearly enough knowledge to devise a security
>scheme that could be relied upon in any way, shape or form. If this matters
>to you, you need to find someone who does to help you or spend a few years
>learning how to do it right.
>
>I'm sorry, but that's just the truth.
>
>What you're trying to do is like building a bridge. There is no substitute
>for knowing how to do it *right* and knowing what can go wrong, and so on.
>
>I would strongly caution you that it is very easy to make something that
>seems secure but really is a disaster of one form or another. It's very easy
>to compromise the security of your own license but also very easy to
>compromise the security of other people's computers in the attempt to secure
>your own software thereon.
>
>DS
>
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List openssl-users@openssl.org
>Automated List Manager [EMAIL PROTECTED]