Mailscanner Update

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 9 12:14:49 GMT 2004


At 12:05 09/03/2004, you wrote:
>I only ever verify archives against a signature acquired through another
>route. If someone takes the trouble to spike the archive, then I'm sure
>they will take the trouble to create a new signature for it. Having them
>both on the same web page offers very little real security.

That is true for MD5 signatures, which is why I don't use them.

However, it is not true for a PGP signature, as they would need access to
my private key and passphrase in order to generate the PGP signature. You
obviously need to check the PGP signature against my public key, that's why
I show the location of my public key on the page.

>A more secure way of signing binaries would be to use an SSL certificate
>from a globally trusted root CA, but I can understand that the cost
>would be prohibitive for most open source projects and this method still
>leaves the CA vulnerable to social engineering attacks (remember the
>unauthorised Microsoft certs a while ago?).

Don't need an SSL cert, I'm using PGP and so they need my private key and
passphrase to forge a key from me.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Peter Bonivart
>Posted At: 08 March 2004 23:40
>Posted To: MailScanner
>Conversation: Mailscanner Update
>Subject: Re: Mailscanner Update
>
>
>Kevin Miller wrote:
> > So, um, OK, let's say someone (strictly hypothetically speaking of
> > course - at least that's my story and I'm sticking to it <g>) didn't
> > know what the two little commands are exactly but want to better
> > themselves.  What would they run?
>
>What you need to do is:
>
># gpg --verify MailScanner-4.28.6-1.tar.gz.sig
>
>But before that there's some small things to take care of, they are
>nicely described here:
>
>http://www.mandrakesecure.net/en/docs/gpg.php
>
>--
>/Peter Bonivart
>
>--Unix lovers do it in the Sun
>
>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
>SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
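
The `gpg --verify` step quoted above, turned into a small checking script as an added example (not code from the thread or from the MailScanner project). It assumes the archive, its detached `.sig` and the maintainer's exported public key are already downloaded and that the expected key fingerprint was obtained over a separate channel (the one in the mail signature above, for instance); the file names are placeholders.

```shell
#!/bin/sh
# Verify a detached PGP signature on a release archive, then confirm the
# signing key's fingerprint matches one obtained out of band. A "Good
# signature" from a key the attacker planted beside the tarball is rejected
# because its fingerprint will not match the maintainer's.
#
# verify_release TARBALL DETACHED_SIG PUBKEY_FILE EXPECTED_FINGERPRINT
# Exit status: 0 = valid signature from the expected key
#              1 = bad/missing signature or signed by another key
#              2 = gpg not available or public key could not be imported
verify_release() {
    tarball=$1; sig=$2; pubkey=$3
    # Normalise the expected fingerprint: drop spaces, upper-case the hex.
    expected=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    command -v gpg >/dev/null 2>&1 || return 2
    # Throwaway keyring: the downloaded key never touches the user's keyring.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    if ! gpg --batch --quiet --homedir "$home" --import "$pubkey" >/dev/null 2>&1; then
        rm -rf "$home"; return 2
    fi
    # --status-fd prints machine-readable lines; VALIDSIG appears only when
    # the cryptographic check passed, and its last field is the primary key
    # fingerprint of the signer.
    status=$(gpg --batch --homedir "$home" --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || true
    rm -rf "$home"
    fpr=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $NF; exit}')
    if [ -z "$fpr" ]; then
        echo "REJECT: no valid signature on $tarball" >&2; return 1
    fi
    if [ "$fpr" != "$expected" ]; then
        echo "REJECT: signed by $fpr, expected $expected" >&2; return 1
    fi
    echo "OK: $tarball signed by $fpr"
    return 0
}

# Command-line use (placeholder names):
#   verify_release.sh MailScanner-X.Y.Z.tar.gz MailScanner-X.Y.Z.tar.gz.sig maintainer.asc 'FINGERPRINT'
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

The fingerprint comparison is what turns gpg's "Good signature" into "signed by the maintainer": gpg reports a good signature from any key present in the keyring, including one served next to the archive, so only a fingerprint from an independent source ties the signature to the real author.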
