[sword-devel] encryption and integrity checking.

Manfred Bergmann bergmannmd at web.de
Wed Mar 11 05:45:06 MST 2009

Am 11.03.2009 um 12:29 schrieb DM Smith:

> On Mar 11, 2009, at 5:04 AM, Peter von Kaehne wrote:
>> One of the problems which has come up again and again when discussing
>> with publishers has been the worry that texts which are released to
>> CrossWire become an easy target for abuse - either commercial abuse  
>> with
>> texts of some commercial importance or, more worrying to me at  
>> least -
>> manipulation of texts by cults and other entities.
>> What possible solutions could we offer to provide text encryption and
>> integrity checking in a plausible way which would not violate GPL and
>> goes beyond our current practice of simply incorporating a key into  
>> the
>> conf files?
>> This is a serious and important question. I am aware of several texts
>> which we did not get or where people hesitate because this is not
>> possible right now.
> I wonder if signing is heavier than necessary? Part of signing that  
> is not widely appreciated is that unless a signature is validated by  
> a signing authority, it does not mean much. That is generally,  
> pretty costly. Perhaps a simple checksum kept in the conf would be  
> sufficient?

Yes, I think it would be enough to make sure the module data came from  
CrossWire when downloaded.
However the checksum is easier to manipulate than a signature.


More information about the sword-devel mailing list