[sword-devel] encryption and integrity checking.
Manfred Bergmann
bergmannmd at web.de
Wed Mar 11 05:45:06 MST 2009
Am 11.03.2009 um 12:29 schrieb DM Smith:
>
> On Mar 11, 2009, at 5:04 AM, Peter von Kaehne wrote:
>
>> One of the problems which has come up again and again when discussing
>> with publishers has been the worry that texts which are released to
>> CrossWire become an easy target for abuse - either commercial abuse
>> with
>> texts of some commercial importance or, more worrying to me at
>> least -
>> manipulation of texts by cults and other entities.
>>
>> What possible solutions could we offer to provide text encryption and
>> integrity checking in a plausible way which would not violate GPL and
>> goes beyond our current practice of simply incorporating a key into
>> the
>> conf files?
>>
>> This is a serious and important question. I am aware of several texts
>> which we did not get or where people hesitate because this is not
>> possible right now.
>
>
> I wonder if signing is heavier than necessary? Part of signing that
> is not widely appreciated is that unless a signature is validated by
> a signing authority, it does not mean much. That is generally,
> pretty costly. Perhaps a simple checksum kept in the conf would be
> sufficient?
Yes, I think it would be enough to make sure the module data came from
CrossWire when downloaded.
However the checksum is easier to manipulate than a signature.
Manfred
More information about the sword-devel
mailing list