From owner-freebsd-questions@FreeBSD.ORG Mon Mar 3 16:02:25 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6F476CD2 for ; Mon, 3 Mar 2014 16:02:25 +0000 (UTC) Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 04CBE95F for ; Mon, 3 Mar 2014 16:02:24 +0000 (UTC) Received: by mail-we0-f181.google.com with SMTP id q58so3339964wes.26 for ; Mon, 03 Mar 2014 08:02:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=r4ghG2kss+C5MJuzfDsFAZo9++Zuo59LxVG7xuwQan4=; b=x6PoG25CbUYb0v1GhefFAvdI8262Z+mMtvwLtxDXhUcTT5f0kK0UHpwHRc414MGE56 QKmt9uCl+j1xXlEUVAnoslEgfwX7S1BNzDD4b4Dd/5wCXATsBdzAw0Hfcz9TrWsPnbnQ zoaNYQDgxtkCQicJVK2MsTktiflHMNyuI0UEd2P9MFaTgNQTNEDA49RhMc6xNut6USaJ 5Zd41lupjOkvcXfzFQpQNR1ZKxznATIsWciJuMWzj3XdIlxzZl+9ETXxcsees2hKvG32 STAcehJLJ3rQSXg0josJi/DSXa3IJmXb0wjdWY4WiFqsWfQXAomEi1cjUJ65zsTSlWNR susg== X-Received: by 10.194.200.40 with SMTP id jp8mr10716336wjc.51.1393862543479; Mon, 03 Mar 2014 08:02:23 -0800 (PST) Received: from gumby.homeunix.com ([94.195.197.200]) by mx.google.com with ESMTPSA id 15sm22329484wjo.13.2014.03.03.08.02.21 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Mon, 03 Mar 2014 08:02:23 -0800 (PST) Date: Mon, 3 Mar 2014 16:02:18 +0000 From: RW To: freebsd-questions@freebsd.org Subject: Re: Cryptografically signed ISO images Message-ID: <20140303160218.072db3fe@gumby.homeunix.com> In-Reply-To: <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> References: <20140302172759.GA4728@hp-netbook.local> <20140303152943.GA5696@hp-netbook.local> <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.22; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Mar 2014 16:02:25 -0000 On Mon, 3 Mar 2014 09:50:05 -0600 (CST) Valeri Galtsev wrote: > The only difference I see in general between the signature and SHA-2 > hash is in a chain of trust. The rest (assurance that what you have > resembles the signature in one case or SHA-2 hash in the other) is on > the same level of security. Chain of trust is different though: in > case of pgp or gpg signature you know the public key of signee from > some published source (i.e. you trust that source). In case of SHA-2 > hash you have to trust the web site that provides the hashes, which > you accomplish by verifying that SSL Certificate the site presents is > signed by trusted authority and by common sense (is this site related > to FreeBSD thus authoritative to provide signatures or not). > > If someone sees mistake(s) in what I said, please, let me know. That's fine if you can download the checksum files by HTTPS, but on an FTP server it's no more that a check against corruption.