> Sorry to be rude, but your post just told me what I already know :),

If that's true, then you are asking the wrong questions.

> my lack of knowledge at security, but didn't help me a bit :(
> (not sure if the post was meant to be helpful).

I told you exactly what you need to do. Spend several years studying computer security or find an expert and get them to assist you. Seriously, that is probably the only way you can produce a trustworthy scheme.

> If you had spent the same amount of time writing *what* is wrong with my
> approach & why this should be avoided that would have helped me or anyone
> who might be tempted to do what I am trying to do.

I told you precisely what was wrong with your scheme -- you don't have the knowledge necessary to execute it properly. Even the most detailed recipe won't change that. It's not specific issues, it's a comprehensive understanding of what it takes to make something secure and what can go wrong.

I'm trying to prevent yet another software security disaster. They all start with someone who is reasonably knowledgeable in fields other than security who thinks security is simple -- they just get a secure toolkit (like OpenSSL) and 'sprinkle it on' the program. It doesn't work that way. You can take the most secure algorithms and toolkits and produce a worthless program out of them.

You would not even have any way to know when or whether you got it right. It's like someone with no engineering experience building a bridge and then, when they thought they were done even though they had no idea how to test a bridge, putting real trucks and cars on it. The bridge is very likely to break with the real traffic on it.

On the bright side, with a license scheme the most likely result is that only your own software licensing scheme will be compromisable in seconds by someone who knows what they're doing. But if you try to put in security enforcement schemes, and the security you are enforcing is broken, those schemes can do serious damage.

Someone who doesn't fully understand the distinction between encrypting and signing with respect to public key schemes lacks a massive amount of knowledge that is necessary to devise any secure application or scheme. It's like a person who fully understand the differences between cement and steel trying to build a road bridge.

While people can certainly point you in the right direction and get you further towards designing something that you think does the job, that would be doing a disservice to anyone who wound up with a copy of your code.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]