Carlos,

On Friday 06 April 2007 12:25, Carlos E. R. wrote:
The Friday 2007-04-06 at 11:59 -0700, Randall R Schulz wrote:
That's what cryptographic identity certificates are for. One would hope that if BitTorrent is going to be widely used to distribute critical resources such as software it would be endowed with the ability to propagate and verify these signatures.
Or does BitTorrent already incorporate certificate validation?
Tell me, when I download opensuse, using http, for instance, do I get such cryptographic certificates? I believe not. Not even if I download from the Novell site.
That's the point. It seems like something that needs to be incorporated into file distribution software in order to secure our on-line software distribution networks.
However, you can publish the torrent initial link in a secure webserver (https), which means that you get the download site links and checksums from a certified source. The ensuing torrent download is thus certified.
So the answer is that security virtually identical to what could be achieved by directly incorporating certificate support into BitTorrent itself can be achieved with existing mechanisms. That's good.
To duplicate that feat with http you require all mirror servers to use https. And FTP? No way.
Don't get me wrong: I'm not suggesting there's anything in any way superior to BitTorrent, at least for popular downloads (below a certain threshold of demand, BitTorrent is slower 'cause there aren't enough copies to satisfy retrieval requests in a timely manner and direct retrieval is preferable for the end user). I was merely addressing the point that running someone else's software is an act of trust. Such trust must be based on true identities and not something forgeable.
-- Cheers, Carlos E. R.
Randall Schulz