Date: Wed, 07 Feb 2001 00:41:55 -0700 From: Wes Peters <wes@softweyr.com> To: Roelof Osinga <roelof@nisser.com> Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG Subject: Re: Package integrity check? Message-ID: <3A80FC43.AE335524@softweyr.com> References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <3A809970.EC5D31FF@nisser.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Roelof Osinga wrote:
>
> Wes Peters wrote:
> >
> > ...
> > That's pretty much at the discretion of the parties signing and verifying
> > the packages. One of the signatures is a simple SHA1 crypto checksum,
> > that implies little other than you got what the package creator put
> > together to a fair degree of certainty.
>
> That - 'simple' - was not my impression. I 'needed' to implement
> both MD-4/5 and SHA-1 in Delphi a while ago and the thing that
> struck me from the FIPS notes was that it claimed - hah, here's the
> print-out - the following properties: "it is computationally
> infeasible to find a message which corresponds to a given MD,
> or to find two different messages which produce the same MD."
>
> That's pretty plain language. It does not say "it is CURRENTLY...".
> Nope. Just that it is infeasible. Then again, I'm neither a
> lawyer nor a cryptologist so...
A "simple SHA1" as opposed to "digital certificate that contains data
other than the crypto checksum."
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A80FC43.AE335524>