Re: Distributing user-developed Linux software and licensing issues.
- From: Tim <ignored_mailbox@xxxxxxxxxxxx>
- Date: Thu, 19 Jan 2006 17:11:34 +1030
On Wed, 2006-01-18 at 15:10 -0800, Runesabre wrote:
> I'm not a security expert so I'm learning as I go.
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
Look into PGP, for starters, it explains how the system works. The math
that makes almost uncrackable encryption is no secret, and it's the math
not the coding that does the real trick.
In a *nutshell*, you've got an expression which can't be solved by
looking at two of the three components (cracking), but all three
together confirm the code is correct (verification). No one party has
all three codes (public key, private key, and password).
In this case being open-source is more secure. Because people can check
that the encryption software only works to the right rules, has no
errors or exploits, etc.
> I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
*How* it works isn't important to be kept secret, only the information
that's passed back and forth needs to be kept secret.
Look at internet banking, the bank has a certificate to prove who they
are, you have an account set up by them, and use the secret information
they set up for you. That can be automated to generate the clients
secret information, and that information can be passed to them over a
secure connection without being compromised.
> My customers aren't locked to using their
> account from a specific machine.
This *can* be a problem with the way some people use certificates with
clients. My phone company did that, I had to download and install a
certificate, and only got to do it once. Tough luck if I had to change
> Do open source web servers include the full source to
> their encryption routines? What about SSL? Is the
> source to SSL open to the public?
Yes. Start looking at the Apache website documentation, and move on
from there. Also look at some open-source web browsers, and see how
they've done the client side of secure connections. That might give you
an understanding of the concepts, and possibly even code libraries that
you can use for your own purposes.
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
fedora-list mailing list
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
- Prev by Date: Re: 'GPL encumbrance problems' (jdow)
- Next by Date: Re: Private Mirror/Repository
- Previous by thread: Re: Distributing user-developed Linux software and licensing issues.
- Next by thread: Re: Distributing user-developed Linux software and licensing issues.