| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: batsy at vapour.net (batz) Subject: Cryptome Hacked! On Wed, 26 Feb 2003, Sung J. Choe wrote: :> Third, the best method of ensuring the integrity of software right now :> is signed crypographic checksums from someone you trust. :What would you use to generate that checksum? Can you trust the software :used to generate the checksum? How can you trust that software? Please :do not give some simple-minded answer like "cryptographic checksums" since :that does not answer my specific question. : You cannot trust software. You can only trust processes, people and institutions. So, I will reiterate my original answer which is that you can trust cryptographic checksums *from someone you trust*, or more accurately, ones which have been generated using a process you trust. If you want to know how to evaluate how much trust you should have in a process, then maybe the Common Criteria, BS7799, the TCSec rainbow books, should help. Better yet, have a plan B for dealing with the possibility that your trust may be unfounded. -- batz
Powered by blists - more mailing lists