trusted sources

Robert Robbins (rrobbins@gdb.org)
Mon, 3 Apr 1995 08:31:59 +0500


In a discussion about security issues associated with executing code or
binaries obtained over the net,

On Mon, 3 Apr 1995, Dan Connolly wrote:

> The right answer is digitally signed distributions. Then only can
> you be certain that the bits have not changed since they left
> the author's hands.

Doesn't this suggest some utility in extending the URN/URL concept to
include an optional computed checksum as part of the identifier? Verifying
perfect identity of what you are getting against what you thought you were
requesting has some value for materials other than programs, too.

The checksum could be recomputed dynamically every time the file is
transferred (as checksums are now computed dynamically every time an IP
packet is placed on or taken from a communication medium).