On Tue, 16 May 2023 13:04:44 -0500, Charles Mills wrote:

>Correct me if I am wrong, but my impression is that signing the package 
>protects (among other things) against the scenario in which one of your 
>associates, who let us assume is a bad guy, makes a zap-type modification to 
>the package after you download it and before you install it, thereby 
>compromising the integrity of your z/OS. Obviously, security for the download 
>will not protect against that, but package signing will.
>
OK.  Verifying the signature at the point of RECEIVE FROMNTS protects against
(fe)malefactors' compromising the GIMZIP between download and RECEIVE.
If the signature is stored alongside the GIMZIP they could simply alter both.

And the SMPPTS must be protected until APPLY/ACCEPT, and the Target and
DLIBs indefinitely.

Some of this depends on which you trust more, DigiCert or your RACF 
configuration.
SMPNTS is a zFS hierarchy.  How vulnerable is that?

-- 
gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
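The point made above about a signature stored alongside the archive, worked through as an added example that is not part of the original post or of any IBM tooling: a detached signature only helps when the verifier checks it against a key held in a trust store the attacker cannot reach (the keyring side of the "DigiCert or your RACF configuration" question), not against a key that travelled with the download. The code below is a stand-in model written in Go with Ed25519 and SHA-256; the archive bytes, the key seeds and the "zapped" modification are all constructed for the demonstration, and nothing here is the GIMZIP format or the RECEIVE FROMNTS check itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Package models a downloaded archive (a stand-in for a GIMZIP) together with
// the detached signature and the signer's public key stored alongside it.
type Package struct {
	Payload       []byte
	Signature     []byte
	BundledPubKey ed25519.PublicKey
}

// Sign creates the package: the detached signature covers the SHA-256 digest
// of the payload, and the signer's public key is dropped next to it.
func Sign(priv ed25519.PrivateKey, payload []byte) Package {
	digest := sha256.Sum256(payload)
	return Package{
		Payload:       payload,
		Signature:     ed25519.Sign(priv, digest[:]),
		BundledPubKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyBundled is the weak check: it trusts whatever public key arrived in
// the same directory as the archive.
func VerifyBundled(p Package) bool {
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(p.BundledPubKey, digest[:], p.Signature)
}

// VerifyPinned is the check that actually helps: the public key comes from a
// trust store the receiver protects independently (a keyring, not the
// download directory), so nothing shipped with the package is trusted.
func VerifyPinned(trusted ed25519.PublicKey, p Package) bool {
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(trusted, digest[:], p.Signature)
}

// Tamper models the insider who edits the archive after download and, since
// the signature and key sit beside it, re-signs with their own key and swaps
// the bundled public key too.
func Tamper(p Package, attackerPriv ed25519.PrivateKey) Package {
	modified := append(append([]byte(nil), p.Payload...), []byte("\n/* zapped */")...)
	return Sign(attackerPriv, modified)
}

// Outcome records what each verifier says about a genuine and a tampered package.
type Outcome struct {
	BundledAcceptsGenuine  bool
	BundledAcceptsTampered bool
	PinnedAcceptsGenuine   bool
	PinnedAcceptsTampered  bool
}

// Scenario runs the vendor/insider/receiver exchange end to end. The seeds are
// fixed (32 bytes each) only to keep the example deterministic; real signing
// keys are of course generated randomly and kept off the download path.
func Scenario() Outcome {
	vendor := ed25519.NewKeyFromSeed([]byte("vendor-signing-key-seed-00000001"))
	insider := ed25519.NewKeyFromSeed([]byte("insider-private-key-seed-0000002"))
	// Constructed sample payload standing in for the archive contents.
	genuine := Sign(vendor, []byte("constructed sample archive bytes"))
	tampered := Tamper(genuine, insider)
	// The receiver's trust anchor: the vendor key it already holds.
	trusted := vendor.Public().(ed25519.PublicKey)
	return Outcome{
		BundledAcceptsGenuine:  VerifyBundled(genuine),
		BundledAcceptsTampered: VerifyBundled(tampered),
		PinnedAcceptsGenuine:   VerifyPinned(trusted, genuine),
		PinnedAcceptsTampered:  VerifyPinned(trusted, tampered),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("bundled key: genuine=%v tampered=%v\n", o.BundledAcceptsGenuine, o.BundledAcceptsTampered)
	fmt.Printf("pinned key:  genuine=%v tampered=%v\n", o.PinnedAcceptsGenuine, o.PinnedAcceptsTampered)
}
```

Run as-is, the bundled-key verifier accepts both packages, because the insider re-signed the altered archive with a key of their own and replaced the public key beside it; only the pinned-key verifier rejects the tampered one. That is why the protection of the trust store (and of SMPPTS, Target and DLIBs after the check has passed) matters as much as the signature itself.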