[A83] Re: TI-Cares


(Warning/Disclaimer: You've caught me in a bad mood.)

Sorry, but I think *you* miss something...
    From TI's standpoint, the vital security piece in their signing scheme
is the private key.  TI has released the private key and by doing this has,
in effect, given up all control on Flash Apps.

> Now I've read your mail some better I've seen that it also could be that
> you meant to say that Ti wouldn't lose money on releasing the rabsign
> source-code... That would be true, because you should know the other
> (private/open) keys used by the TIOS (Cerberus...), before being able to
> generate your own keys. But if we would have the encoder source, then it
> wouldn't need that much effort to find new keys that could also 'fit', of
> course, I think Ti will still keep it for themselves for some time, until
> then... (What is the economic lifespan of the Ti83+?)
.......You talk about how with the rabsig source you could create your own
keys (whether or not you could do this is a different story, with an answer
probably of no, as Peter pointed out), but the point is, why would you want
to do this, and why would TI care?  The freeware key is "the key".  You can
sign anything with it.  If TI was worried about the "economic lifespan" of
the TI-83 Plus they wouldn't have released the freeware key.  I don't even
understand what you're trying to say.  TI is not going to be making *any*
money on your applications, you don't need any other keys.

> The key is indeed vital, but since you can open a zipfile on almost all
> platforms that isn't the problem... You could just extract the 0104.key
> file...
........My point is that now that TI has released 0104.key, they hold no
control over the signing process.  For you personally, rabsig.exe may be the
current pressing problem, but in the grand scheme of things, it's not.  For
them, it doesn't matter if you have rabsig.exe source, since they've already
given up control of signing; it makes no difference.  I'm not saying that TI
will release the rabsig source (though it's a possibility), I'm just saying
that you should understand that TI is actually trying to *help* you.
Releasing 0104.key is not making them a dime.

-Dan Englender

> Sorry, but I think you miss something...
> The key is indeed vital, but since you can open a zipfile on almost all
> platforms that isn't the problem... You could just extract the 0104.key
> file...
> The other programs beside rabsign in the archive are (all Windows/DOS32
> programs...) just programs that do easy to do things, like [fillapp]
> filling your hex-file up to the next 16k, [GLHeader] adding the .8xk (Ti
> GraphLink) header format, [convert] and converting IntelHex to hex,
> [addhex] merging files (hexadecimally) together, and such sort of things.
> So the actual 'encoder' [rabsign] is indeed the most needed part, because
> the rest of the files are easy to make substitutes for.
> The problem is that we don't exactly know how they apply the MD5 checksum,
> they could be doing all kinds of weird stuff (like first reversing the
> bitstream, or something), which isn't always easy to find out the
> reverse-engineering way.
> Now I've read your mail some better I've seen that it also could be that
> you meant to say that Ti wouldn't lose money on releasing the rabsign
> source-code... That would be true, because you should know the other
> (private/open) keys used by the TIOS (Cerberus...), before being able to
> generate your own keys. But if we would have the encoder source, then it
> wouldn't need that much effort to find new keys that could also 'fit', of
> course, I think Ti will still keep it for themselves for some time, until
> then... (What is the economic lifespan of the Ti83+?)
> Henk Poley
