On Tue, Sep 13, 2005 at 11:55:38AM +0100, John P. Looney wrote:
> No, it sounds good. But the way I'd do it would be collect public keys
> for from anyone that pays you for the software. Any software release would
> then contain the following;
> The tarball, encrypted with your "release key"
> A tarball of the private parts of the release key, each encrypted with
> the paying users (one per user).
> And maybe a script to unpack it all.
Which, unfortunately, won't stop the release key getting out into the
wild, unless each release uses a different key. Of course - even this
won't prevent the release key getting into the wild for a particular
Essentially - once a user decrypts your release-key using his key,
there's the potential that it gets into the wild. This method will
quickly head into "security through obscurity" which is probably not
what you want.
I'd be leaning towards some flavour of gpg encrypted/signed call-home
registration method. Registration script to encrypt to your public
release-key a message which is signed by the users' key. To which the
server replies with a decrypt-key encrypted to the user-key. The script
would only store the decrypt-key in memory, avoiding most of the vectors
for its getting out into the wild.
Of course, the registration server would only respond to requests signed
by recognised users' keys.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://mail.linux.ie/pipermail/ilug/attachments/20050913/f124e5a9/attachment.pgp
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!