Date: Wed, 07 Feb 2001 01:40:16 +0100 From: Roelof Osinga <roelof@nisser.com> To: Wes Peters <wes@softweyr.com> Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? Message-ID: <3A809970.EC5D31FF@nisser.com> References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Wes Peters wrote: > > ... > That's pretty much at the discretion of the parties signing and verifying > the packages. One of the signatures is a simple SHA1 crypto checksum, > that implies little other than you got what the package creator put > together to a fair degree of certainty. That - 'simple' - was not my impression. I 'needed' to implement both MD-4/5 and SHA-1 in Delphi a while ago and the thing that struck me from the FIPS notes was that it claimed - hah, here's the print-out - the following properties: "it is computationally infeasible to find a message which corresponds to a given MD, or to find two different messages which produce the same MD." That's pretty plain language. It does not say "it is CURRENTLY...". Nope. Just that it is infeasible. Then again, I'm neither a lawyer nor a cryptologist so... > ... > "Where am I, and what am I doing in this handbasket?" I dunno. Are those snoring noses coincedential? Roelof -- Home is where the (@) http://eboa.com/ is. Nisser home -- http://www.Nisser.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A809970.EC5D31FF>