[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: digital signatures
From: |
Steve Lipa |
Subject: |
Re: digital signatures |
Date: |
Thu, 1 Apr 2004 17:41:34 -0500 |
User-agent: |
Mutt/1.2.5i |
On Apr 01 Przemek Klosowski (address@hidden) wrote:
> Steve,
>
> I am not denying that digital signatures are good; I am just saying
> that there's not enough infrastructure in the world at large to use
> them exclusively. Doing only gpg sigs will leave out everyone who
> doesn't have the setup; I am arguing to do both!
>
> You definitely gloss over the problem of not having the gpg/pgp
> infrastructure on the client end. It's one thing to have John do 'gpg
> --sign', but you then have to tell everyone to
>
> - get gpg if they don't already have it
> - find and import John's public key
> - check the signatures.
>
I'm sorry, but there is no free lunch. Unless you do the three steps that you
list above, there is no way to know if the octave-2.x.x.tar.bz2 that you just
downloaded is the one that Dr. Eaton wants you to have or the trojan-infested
one that the hackers that rooted www.octave.org want you to have.
MD5 sums can guarantee it. But you need to go through a procedure at least as
convoluted as the above to achieve it, because, as you pointed out earlier in
this thread, the MD5 sum must be "distributed in a way that does not allow for
surreptitious modification."
This distribution system is PRECISELY what gpg and pgp address. A gpg
signature of a file is just a hash of the file signed with the private key.
gpg just makes it easier to make sure you are using the right hash.
I can see how MD5 sums provided on a separate channel are useful. But I think
that MD5 sums provided on the server are worse than useless because they are
trivial for anyone who has hacked the server to change and therefore may give
a false sense of security to users who are too unsophisticated to realize
this.
Steve
--
Steve Lipa
address@hidden
gpg fingerprint = 8B68 77D7 9E09 9991 C97E 25FF 6A12 D2B9 EC7D 66C1