From owner-freebsd-security@FreeBSD.ORG  Wed Mar 10 22:18:04 2010
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A4921106566C
	for <freebsd-security@freebsd.org>;
	Wed, 10 Mar 2010 22:18:04 +0000 (UTC) (envelope-from daniel@roe.ch)
Received: from calvin.ustdmz.roe.ch (calvin.ustdmz.roe.ch
	[IPv6:2001:41e0:ff17:face::26])
	by mx1.freebsd.org (Postfix) with ESMTP id 2B8118FC14
	for <freebsd-security@freebsd.org>;
	Wed, 10 Mar 2010 22:18:04 +0000 (UTC)
Received: from roe (ssh-from [213.144.130.143])
	by calvin.ustdmz.roe.ch (envelope-from <daniel@roe.ch>)
	with LOCAL id 1NpUE5-000IAQ-Fi ; Wed, 10 Mar 2010 23:18:01 +0100
Date: Wed, 10 Mar 2010 23:18:01 +0100
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-security@freebsd.org
Message-ID: <20100310221801.GD68311@calvin.ustdmz.roe.ch>
Mail-Followup-To: freebsd-security@freebsd.org,
	Peter Jeremy <peterjeremy@acm.org>,
	Elmar Stellnberger <elmstel@gmail.com>
References: <4B97AB28.8060403@gmail.com>
	<20100310185328.GD37825@server.vk2pj.dyndns.org>
	<4B97C1D1.7050209@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4B97C1D1.7050209@gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: Elmar Stellnberger <elmstel@gmail.com>
Subject: Re: online cheksum verification for FreeBSD
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 22:18:04 -0000

Elmar Stellnberger <elmstel@gmail.com> 2010-03-10:
> > I notice that your tool only appears to store MD5 hashes - I presume
> > you are aware that the MD5 algorithm has been shown to have a number
> > of weaknesses and is not recommended for new applications.  This
> > is why FreeBSD has moved to using a combination of MD5 and SHA256.
> 
> Yes, we should use SHA-1 (or possibly a combination of SHA-1
> and MD5) for FreeBSD.  For openSUSE I had to use what has been
> available.

SHA-1 is not recommended for new applications either.  You should
probably use SHA-256.

Peter Jeremy <peterjeremy@acm.org> 2010-03-10:
> Also, your website mentions DSA is unsafe.  Could you please
> provide a reference for this claim as I am unaware of any
> results suggesting that DSA is less secure than RSA.

That claim might be based in the fact that original DSS limited
DSA key size to 1024 bits.  Since 2k and 3k DSA is available
these days, the claim that DSA is unsafe seems outdated.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/