>Alan B. Pearce:
>>I would suggest that an encrypted bootloader would be
>>heaps more secure than an ICSP connection ...
>
>Secure against what? In this case, it's not a problem if the
>product is manipulated AFTER the firmware is in the product,
>because it is being delivered to the user immediately afterwards.
>If the user manipulates his own product, it's his own headache.

I would suggest this could well become your headache, to recover such devices afterwards ...

>The important thing is that no user receives a product
>manipulated by someone else. If a bootloader is used, a
>risk is introduced that anyone with physical access to
>the product, could erase it and overwrite it with a manipulated
>bootloader, which seemingly acts like the genuine bootloader,
>but which filters the firmware program in different malicious ways.

You mean you haven't checked out how to protect the bootloader area?

It strikes me that if you supply a product with the ICSP pins available then the possibility of someone loading rogue software is considerably increased. If a secure bootloader is used, the ICSP pins can be protected against everyone but the most determined hacker, and by using your own protocol, you can make it extremely difficult to download anything without the hacker going the ICSP route.

If you purchased your 18F13K50 chips with the bootloader loaded by Microchip, and set the config so that the Bootload area is write protected, then you have a very secure setup right from the beginning, which would make it very hard for anyone on the production line to load rogue code.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
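The config-bit write protection discussed above stops the hardware from programming the boot block; a bootloader should also refuse such writes itself, so a manipulated image cannot talk the genuine bootloader into overwriting its own region. The following is an added illustration, not code from the thread or from Microchip's bootloader; the memory map (8 KB flash, 2 KB boot block at address 0) and the record layout are assumptions for the example, not datasheet values.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed layout for this illustration (not taken from the datasheet):
 * 8 KB of program flash with the boot block at the bottom 2 KB. */
#define FLASH_SIZE      0x2000u
#define BOOT_BLOCK_END  0x0800u   /* first address after the boot block */

typedef enum {
    WRITE_OK = 0,
    WRITE_REJECT_BOOT_BLOCK,    /* record would touch the bootloader itself */
    WRITE_REJECT_OUT_OF_RANGE,  /* past the end of flash, or length wraps */
    WRITE_REJECT_EMPTY
} write_verdict;

/* Decide whether the bootloader may program `len` bytes starting at `addr`.
 * The arithmetic is done in 32 bits so that a large length cannot wrap a
 * 16-bit address back into the protected region. */
write_verdict check_write_request(uint16_t addr, uint16_t len)
{
    uint32_t start = addr;
    uint32_t end = start + len;        /* one past the last byte written */

    if (len == 0)
        return WRITE_REJECT_EMPTY;
    if (end > FLASH_SIZE)
        return WRITE_REJECT_OUT_OF_RANGE;
    /* Any overlap with [0, BOOT_BLOCK_END) is refused, even a single byte. */
    if (start < BOOT_BLOCK_END)
        return WRITE_REJECT_BOOT_BLOCK;
    return WRITE_OK;
}

/* Hypothetical record format: one (address, length) pair per flash write. */
typedef struct { uint16_t addr; uint16_t len; } flash_record;

/* Gate a whole image before programming anything, so a single bad record
 * rejects the image as a unit rather than leaving a half-written device. */
write_verdict check_image(const flash_record *recs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        write_verdict v = check_write_request(recs[i].addr, recs[i].len);
        if (v != WRITE_OK)
            return v;
    }
    return WRITE_OK;
}
```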