[162] in WWW Security List Archive
Re: what are realistic threats?
daemon@ATHENA.MIT.EDU (John Larson)
Fri Sep 30 02:47:07 1994
Date: Thu, 29 Sep 1994 17:36:11 -0700
To: Larry Masinter <masinter@parc.xerox.com>
From: John Larson <jlarson@jnl.com>
Cc: www-security@ns1.rutgers.edu, hallam@dxal18.cern.ch
Reply-To: John Larson <jlarson@jnl.com>
>But what are they signing? Are they attesting that the software
>contains no trojan horses?
Larry,
In my opinion, there is value in a package creator providing a signature
for a package, in that this (eventually) could limit the scope of the
trojan horse insertion problem to the package creator's site. (Assuming the
package creators will eventually take the trouble to check signatures on
upstream dependency packages, and the upstream package creators will
distribute signatures also, eventually.)
As it is, a trojan horse could be slipped into many commonly used Internet
packages at any of the numerous ftp sites around the Internet. I've seen
some ftp sites with world-writable permissions on some Internet packages.
John
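The scheme the message sketches, as an added example that is not code from the original thread or from any project mentioned in it: a package creator signs a manifest binding the package contents and the digests of its upstream dependencies, and a consumer fetching from any ftp mirror verifies the whole chain against creator keys it already holds. The package names ("libfoo", "app"), the Package type and the manifest layout are assumptions made for this example; the signature primitive is Ed25519 from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package is a hypothetical distribution unit (constructed for this example):
// the bytes the creator ships plus the upstream packages it was built from.
// Sig covers the manifest below. No public key travels with the package,
// because a key fetched from the same mirror as the package proves nothing.
type Package struct {
	Name     string
	Contents []byte
	Deps     []*Package
	Sig      []byte
}

func digest(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// manifest is what the creator signs: the package's own name and digest,
// then the name and digest of every dependency, in order. Binding the
// dependency digests means a swapped upstream tarball breaks the downstream
// signature too, not only the upstream one.
func manifest(p *Package) []byte {
	m := fmt.Sprintf("name=%s sha256=%s\n", p.Name, digest(p.Contents))
	for _, d := range p.Deps {
		m += fmt.Sprintf("dep=%s sha256=%s\n", d.Name, digest(d.Contents))
	}
	return []byte(m)
}

// Sign is the step a package creator performs once, at their own site.
func Sign(p *Package, priv ed25519.PrivateKey) {
	p.Sig = ed25519.Sign(priv, manifest(p))
}

// Verify is what a consumer (or the next creator up the chain) runs after
// fetching from any ftp mirror: check this package against the creator key
// pinned for it, then recurse into every upstream dependency.
func Verify(p *Package, trusted map[string]ed25519.PublicKey) error {
	key, ok := trusted[p.Name]
	if !ok {
		return fmt.Errorf("%s: no pinned creator key", p.Name)
	}
	if !ed25519.Verify(key, manifest(p), p.Sig) {
		return fmt.Errorf("%s: signature does not match contents", p.Name)
	}
	for _, d := range p.Deps {
		if err := Verify(d, trusted); err != nil {
			return fmt.Errorf("%s -> %w", p.Name, err)
		}
	}
	return nil
}

// BuildScenario constructs an upstream "libfoo" and an "app" built on it
// (hypothetical names), each signed by its own creator, plus the pinned key
// set a consumer would hold. Keys are generated fresh on every run.
func BuildScenario() (*Package, map[string]ed25519.PublicKey, error) {
	libPub, libPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	appPub, appPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	lib := &Package{Name: "libfoo", Contents: []byte("int foo(void) { return 1; }")}
	Sign(lib, libPriv)
	app := &Package{Name: "app", Contents: []byte("call foo() and exit"), Deps: []*Package{lib}}
	Sign(app, appPriv)
	trusted := map[string]ed25519.PublicKey{"libfoo": libPub, "app": appPub}
	return app, trusted, nil
}

func main() {
	app, trusted, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("clean copy:", Verify(app, trusted)) // <nil>

	// A mirror directory is world-writable and the upstream tarball has been
	// replaced. Even if the replacement carries a valid signature from some
	// other key, that key is not the one pinned for libfoo, so the chain fails.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	lib := app.Deps[0]
	lib.Contents = []byte("int foo(void) { return 2; } /* not what the creator shipped */")
	Sign(lib, rogue)
	fmt.Println("tampered mirror copy:", Verify(app, trusted)) // non-nil error
}
```

The point the message makes about scope shows up in Verify: once every creator in the chain signs and every consumer checks against keys obtained out of band, the only place a substitution can succeed is the creator's own site, not any of the mirrors in between.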