From owner-freebsd-ports  Tue Feb  6 23:33:11 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
	by hub.freebsd.org (Postfix) with ESMTP
	id 45AA037B491; Tue,  6 Feb 2001 23:32:49 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!)
	by homer.softweyr.com with esmtp (Exim 3.16 #1)
	id 14QPEh-0000Fs-00; Wed, 07 Feb 2001 00:41:55 -0700
Message-ID: <3A80FC43.AE335524@softweyr.com>
Date: Wed, 07 Feb 2001 00:41:55 -0700
From: Wes Peters <wes@softweyr.com>
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roelof Osinga <roelof@nisser.com>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
	freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
References: <20010205210459.A2479@acc.umu.se>
				<3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com> <3A809970.EC5D31FF@nisser.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roelof Osinga wrote:
> 
> Wes Peters wrote:
> >
> > ...
> > That's pretty much at the discretion of the parties signing and verifying
> > the packages.  One of the signatures is a simple SHA1 crypto checksum,
> > that implies little other than you got what the package creator put
> > together to a fair degree of certainty.
> 
> That - 'simple' - was not my impression. I 'needed' to implement
> both MD-4/5 and SHA-1 in Delphi a while ago and the thing that
> struck me from the FIPS notes was that it claimed - hah, here's the
> print-out - the following properties: "it is computationally
> infeasible to find a message which corresponds to a given MD,
> or to find two different messages which produce the same MD."
> 
> That's pretty plain language. It does not say "it is CURRENTLY...".
> Nope. Just that it is infeasible. Then again, I'm neither a
> lawyer nor a cryptologist so...

A "simple SHA1" as opposed to "digital certificate that contains data
other than the crypto checksum."

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message