Challenge to TCPA/Palladium detractors
Sam Simpson
simpson at samsimpson.com
Fri Aug 9 09:16:17 PDT 2002
I'm not surprised that most people couldn't produce matching PGP
executables - most compilers (irrespective of compiler optimisation
options etc) include a timestamp in the executable.
Regards,
Sam Simpson
sam at samsimpson.com
http://www.samsimpson.com/
Mob: +44 (0) 7866 726060
Home Office: +44 (0) 1438 229390
Fax: +44 (0) 1438 726069
On Fri, 9 Aug 2002, Lucky Green wrote:
> Anonymous wrote:
> > Matt Crawford replied:
> > > Unless the application author can predict the exact output of the
> > > compilers, he can't issue a signature on the object code. The
> > > compilers then have to be inside the trusted base, checking a
> > > signature on the source code and reflecting it somehow through a
> > > signature they create for the object code.
> >
> > It's likely that only a limited number of compiler
> > configurations would be in common use, and signatures on the
> > executables produced by each of those could be provided.
> > Then all the app writer has to do is to tell people, get
> > compiler version so-and-so and compile with that, and your
> > object will match the hash my app looks for. DEI
>
> The above view may be overly optimistic. IIRC, nobody outside PGP was
> ever able to compile a PGP binary from source that matched the hash of
> the binaries built by PGP.
>
> --Lucky Green
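The timestamp effect raised in this message, as an added example that is not part of the original thread: two builds are compared by hash, then again with the build timestamp masked. It assumes the Windows PE/COFF format (the message names no format), where the linker writes a 32-bit TimeDateStamp into the COFF header; the function names and the sample images are constructed for illustration.

```python
import hashlib
import struct

E_LFANEW = 0x3C        # DOS header field: file offset of the "PE\0\0" signature
STAMP_DELTA = 8        # signature (4) + Machine (2) + NumberOfSections (2)


def timestamp_offset(image: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp field."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, E_LFANEW)
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < pe_off + 24:
        raise ValueError("PE signature or COFF header missing")
    return pe_off + STAMP_DELTA


def build_timestamp(image: bytes) -> int:
    """Read the embedded build time (seconds since the Unix epoch)."""
    return struct.unpack_from("<I", image, timestamp_offset(image))[0]


def normalized_digest(image: bytes) -> str:
    """SHA-256 of the image with the TimeDateStamp bytes zeroed."""
    off = timestamp_offset(image)
    return hashlib.sha256(image[:off] + bytes(4) + image[off + 4:]).hexdigest()


def compare_builds(a: bytes, b: bytes) -> str:
    """Classify two builds: identical, timestamp-only, or different."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    if normalized_digest(a) == normalized_digest(b):
        return "timestamp-only"
    return "different"


def make_sample(timestamp: int, code: bytes) -> bytes:
    """Constructed minimal MZ + PE/COFF header followed by raw 'code' bytes."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + code


if __name__ == "__main__":
    first = make_sample(1028880000, b"\x90\xc3")    # constructed build 1
    second = make_sample(1028883600, b"\x90\xc3")   # same code, built an hour later
    print(compare_builds(first, second))
```

A result of "different" does not by itself mean the code differs: real PE files can carry further build-dependent fields (for example debug directory timestamps and the optional-header checksum) that this sketch does not mask.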