Re: your mail

Adam Shostack (
Mon, 16 May 94 19:21:01 EDT

| If FTP clients had automatical checksum checker that could compare with the
| FTP server, people would be able to easily test if the checksums have been
| messed with or not.  The intruder would need to modify all the copies kept
| on archie, etc.  By having this checksum ability, this will stop breaches or
| trojans that get entered into the public AFTER the author has released his
| program.  This will not stop breaches or trojans that get implemented into
| the author's own version and then gets distributed.  Atleast then, we would
| know where the trojan was 1st introduced.

	A better solution might be to localize the checksumming.
Encourage people to PGP sign the compressed archives of their software
before distributing it.  PGP 2.5 is legal for use in the US, and seems
to interact well with 2.3, which is legal everywhere else.

	Then the problem becomes one of key distribution, which is
being slowly addressed.  I expect webs of trust would spring up
relatively quickly, at least at larger sites.


Adam Shostack 	

Politics.  From the greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.