> Date: Mon, 18 Nov 2002 08:51:05 -0800
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]

> > You can, of course, revoke signatures with GPG without a problem
> > and then sign the distributions with it (at least as a detached
> > signature).
> >
> > The installer could offer to check that signature by calling GPG
> > but this is highly insecure (as anyone who replaced the binary would
> > forge the call).  What you really want is for people to check the
> > signature themselves (with GPG/PGP).

> Yes, that's excellent from a corporate perspective, since the more areas
> you leave for the l'users, your customers, to fuck up, the less liability
> you have.
>
> However, in an open, for the most part volunteer, project such liability
> and profit concerns do not arise, so for that reason the developers can
> afford to design systems to protect the l'user from their own
> incompetence, and such systems are necessary if one cares to attempt to offer security
> and anonymity rather than create opportunities to destroy it.

Your complete lack of grammar and ability to express yourself coherently
is somewhat distressing but I'll reply nonetheless.

My comment had nothing to do with liability and in fact I do security
consulting for individuals and businesses; I am not a lawyer, and do not
care about liability issues in this type of arena.

The problem that arises with digitally signed binaries is that the
signature checking system _must not_ be distributed with the binaries to
be checked and the signatures or signator keys _must_ be available out of
band.

If the binaries are signed and come with a detached signature, any user can
double-click the signature file and receive a PGP/GPG message asking if
they wish to check the signature.  The installer can easily come with the
instructions to check the signatures, as well as a short commentary on why
this is important for the security of their file store and the project as a
whole.  The binaries, however, must be assumed to be untrusted and untrustable
for the sake of such a discussion and as such, only the method I described
keeps the user from receiving a message such as 'signature checks out' when
in fact the image they received was either tainted or damaged.

Feel free to reply with a full discussion / reasoning behind your wanting to
do things any differently for this (preferably technical) and I'll listen.
There is no reason _not_ to distribute detached signatures for each of the
installer and/or JAR images.  Signed JAR files are also possible and checkable
with IE or Mozilla for that matter.  Please do some research ...

-- 
Michael T. Babcock
CTO, FibreSpeed Ltd.     (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
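The check the mail above argues for, as an added example rather than the list member's own code: the user runs their own gpg against a detached signature, with the signer's fingerprint pinned from an out-of-band source, so a tampered image (or a substitute key dropped next to it) is rejected instead of "checking out". The function name, the constructed key and file names are assumptions.

```sh
#!/bin/sh
# verify_release (added example): check a detached GPG signature with the
# user's own gpg, against a signer fingerprint obtained out of band, never
# with a checker shipped inside the download itself.
#
# Usage: verify_release "<40-hex-fingerprint-from-out-of-band>" <file> <file.sig>
# Return codes: 0 good signature by the pinned key; 1 bad signature, modified
# file, or signed by some other key; 2 pinned key not present in the keyring.

verify_release() {
    expected_fpr=$1; file=$2; sig=$3

    # Step 1: the pinned key must already be in the user's keyring, imported
    # over a channel independent of the download. In --with-colons output the
    # 'fpr' records carry the fingerprint in field 10.
    have_fpr=$(gpg --batch --with-colons --list-keys "$expected_fpr" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$have_fpr" != "$expected_fpr" ]; then
        echo "signer key $expected_fpr is not in the keyring; fetch it out of band" >&2
        return 2
    fi

    # Step 2: verify, then read gpg's machine-readable status lines. The bare
    # exit status of 'gpg --verify' only says that *some* key in the keyring
    # validated the signature; the VALIDSIG line names the key, so we demand
    # the pinned fingerprint (field 3 = signing key, last field = primary key).
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    if printf '%s\n' "$status" |
        awk -v fpr="$expected_fpr" \
            '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit !ok }'; then
        echo "OK: $file carries a valid detached signature by $expected_fpr"
        return 0
    fi
    echo "REJECT: $file: signature invalid, file modified, or signed by another key" >&2
    return 1
}
```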

_______________________________________________
support mailing list
[EMAIL PROTECTED]
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/support