A simple signed bundle/directory trust scheme for the XS

Michael Stone michael at laptop.org
Mon Aug 11 10:24:54 EDT 2008


Martin,

Thanks for your note. Unfortunately, it left me with more questions than
with answers. Some questions include:

  * What use cases are you trying to support?
  
  * What threats obstruct supporting those use cases?
  
  * What trust structure are you trying to create and how does it
    mitigate the threats while permitting the use cases?
  
  * What algorithms are you going to use and why? 
  
  * What security properties are you trying to check?

(Perhaps you've already answered some of these basic questions elsewhere
and you simply left out the citation?)

Two other comments:

If you want to go the route of 'signed content lives in directories',
then please examine the programs in olpc-contents
   
   http://wiki.laptop.org/go/Olpc-contents

and let us know in what way they can be improved before writing your
own.

If you're more interested 'signed content lives in archives', then
JAR-signing might be for you!

Regards,

Michael

P.S. - In the future, please consider CC'ing the security@ list when you
write security-related mail. Interesting people live there.



More information about the Devel mailing list