> On Saturday 30 November 2002 12:28, Fred Bowman wrote:
> That's true but, if you're trojaning a package, you might as well create
> a new keypair with the same name and address as the original, and many,
> if not most, will not see the difference. It's just a speed bump.

I thought debian-keyring was for that purpose. Of course, that package's integrity needs to be verified from external sources to prevent anyone from tampering with the keys it provides. That way just having a key with the "right" info is not enough; the attacker needs to change the key(s) in the debian-keyring package as well. Considering that there are quite a number of installed copies already around, such a change would be noticed rather quickly.

Your other points are perfectly valid; trojans especially are likely to become a troublesome aspect. (Just a personal opinion and hunch.)

-- 
 Mika Boström               +358-40-525-7347   \-/  "The Hell is empty,
 Bostik@lut.fi              www.lut.fi/~bostik  X    and all the devils
 Security freak, and proud of it.              /-\   are here." -W.S.