Subject Re: [IB-Architect] Test Program
Author Geoff Worboys
> >Once IBPhoenix has a known PGP public-key/fingerprint it
<...>
> This is a very good idea. I really didn't have time to
> research it while polishing ibsecure and setting up the
> distribution system. I would really appreciate suggestions.

Most people can probably use the freeware version, but for commercial
use I think you are supposed to get it from NAI (usually via McAfee).
The freeware has everything you need for digital signing and
encryption etc, the commercial version has an interface added and
integration with common email programs. I use the commercial version,
the interface just makes it a little simpler to get going.

I am not sure if the export restrictions still apply so strictly, but
to be safe...

USA and Canada go to: www.pgp.com and follow the links

Internationally go to: http://www.pgpinternational.com/

There are lots more sites about PGP, just search for "Pretty Good
Privacy" with your favourite search engine.

If you need examples of how to set up PGP signed distributions you can
look at many different open source projects. Try http://www.gnu.org/


For those that don't already know...

For PGP to work well you really need a community of people that can
verify each other's keys reliably. The signing works on trust. For
example:

About the only person I have met personally is Helen. For all I know
the rest of you may be Bug-Eyed monsters planning to take over the
world ;-) However, if I receive something signed by someone whose PGP
key was signed by Helen, then I trust that Helen would not have signed
the key for a Bug-Eyed monster.

(If you want a better explanation I suggest downloading the
documentation available from the sites listed above.)

I suggest that it would be a good idea for the IB community
to obtain PGP and register their keys on one of the PGP key-servers.
Those people that know each other personally can sign each other's keys
establishing a "web of trust" for the community.


There are other alternatives to PGP. Perhaps you would all like to
sign up to Microsoft's security services? I like PGP because it is
open source and is constantly under review for weaknesses - no
backdoors in this software - and because it is widely used.


For the sake of argument there is yet another (possibly simpler)
alternative. Use MD5 (or whatever is the current fancy) to create
hash values from each distribution. Publish the known values on the
Firebird web site - working on the assumption that it is difficult for
a hacker to change the website file to reflect a corrupted version of
the distribution. (Of course you have to be sure people can get a
valid copy of the hash generator to check their files with.)

This is nowhere near as comprehensive as digital signing, but it has
been suggested in the past that I am paranoid, irrational or just
plain silly. So perhaps this option may be more attractive to the
trusting, rational and calm members of our community.


Geoff Worboys
Telesis Computing
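
Added example, not part of the original message: a simplified model of the "web of trust" reasoning described above, showing why a key signed by Helen is accepted while a key signed by a stranger, or by someone who is valid but not trusted as an introducer, is not. The key names other than "geoff" and "helen", the `trust_path` function and the depth limit are assumptions made for illustration; this is not the exact algorithm of any PGP implementation.

```python
from collections import deque

# Constructed sample data: CERTS[signer] = keys that signer has certified.
# "geoff" and "helen" mirror the message; the other names are made up.
CERTS = {
    "geoff": {"helen"},
    "helen": {"dev_a"},
    "dev_a": {"dev_b"},
    "stranger": {"stranger", "dev_c"},
}

def trust_path(certs, me, introducers, target, max_depth=3):
    """Return the certification chain from `me` to `target`, or None.

    Simplified model (an assumption, not any PGP tool's exact algorithm):
    a key is valid if I signed it myself, or if it was signed by a valid
    key whose owner I trust as an introducer, within max_depth signatures.
    """
    parent = {me: None}
    depth = {me: 0}
    queue = deque([me])
    while queue:
        signer = queue.popleft()
        # A valid key only vouches for others if I trust its owner to check
        # identities carefully; validity alone does not propagate.
        if signer != me and signer not in introducers:
            continue
        if depth[signer] >= max_depth:
            continue
        for signee in sorted(certs.get(signer, ())):
            if signee not in parent:
                parent[signee] = signer
                depth[signee] = depth[signer] + 1
                queue.append(signee)
    if target not in parent:
        return None
    chain = []
    while target is not None:
        chain.append(target)
        target = parent[target]
    return chain[::-1]

if __name__ == "__main__":
    for key in ("dev_a", "dev_b", "dev_c"):
        print(key, trust_path(CERTS, "geoff", {"helen"}, key))
```

Self-signatures and signatures from keys outside the chain (the "stranger" entries) never make a key valid, however many of them there are.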