gnu-arch-users

[Gnu-arch-users] Re: MD5 is broken


From: Ivan Boldyrev
Subject: [Gnu-arch-users] Re: MD5 is broken
Date: Wed, 16 Mar 2005 21:14:18 +0600
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux)

On 9050 day of my life Jason McCarty wrote:
> Maybe, but what alternative do we have today? AIUI, gpg-signing in
> general just encrypts a hash (of a hash, in our case), so you need a
> good choice for both the hash tla uses and the one gpg uses. So which
> hash(es)?

I have an idea: create a detached signature of the concatenated content
of the patch directory:

(cat log; echo "Log delimiter"; cat checksum;
 echo "Checksum delimiter"; cat bla--main--0.1--patch-2.tar.gz) \
  | gpg --armor --detach-sign > signature

Delimiters must be used carefully.  They protect against lines being
moved from one file to another.  A delimiter must be a string that
cannot be contained in any of the delimited files.

This signature is as strong as any GPG signature.  And old
implementations can use this archive ignoring ./signature.

Sums in ./checksum are useful for integrity checking only.  Let it be
MD5 or even CRC.

The design of the signing process is changed, and Arch is not the
weakest link in the chain anymore.

-- 
Ivan Boldyrev

                                        | recursion, n:
                                        |       See recursion

Attachment: pgpBPHLP92MBS.pgp
Description: PGP signature
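
The delimiter requirement stated in the message, shown as an added example (not part of the original post and not tla code): two constructed patch directories in which a delimiter line occurs inside a file produce the same byte stream, so one detached signature would cover both. The length-prefixed `framed_stream` is an assumed alternative framing, and all file contents are constructed.

```python
import hashlib

LOG_DELIM = b"Log delimiter\n"        # bytes emitted by: echo "Log delimiter"
SUM_DELIM = b"Checksum delimiter\n"   # bytes emitted by: echo "Checksum delimiter"

def delimited_stream(log, checksum, tarball):
    """Bytes the pipeline in the post pipes into gpg --detach-sign."""
    return log + LOG_DELIM + checksum + SUM_DELIM + tarball

def delimiters_absent(log, checksum, tarball):
    """The post's requirement: no delimiter occurs inside any signed file."""
    return not any(d in part for part in (log, checksum, tarball)
                   for d in (LOG_DELIM, SUM_DELIM))

def framed_stream(log, checksum, tarball):
    """Alternative framing (assumption): 'name length\\n' header before each file."""
    out = bytearray()
    for name, data in ((b"log", log), (b"checksum", checksum), (b"tarball", tarball)):
        out += name + b" " + str(len(data)).encode() + b"\n" + data
    return bytes(out)

def digest(stream):
    # Stand-in for what gets signed: equal digests mean one signature fits both.
    return hashlib.sha256(stream).hexdigest()

# Constructed sample contents, not taken from any real archive.
TARBALL = b"\x1f\x8b constructed tarball bytes"
DIR_A = (b"Summary: fix\n", b"old line\nLog delimiter\nmd5 patch.tar.gz 0000\n", TARBALL)
DIR_B = (b"Summary: fix\nLog delimiter\nold line\n", b"md5 patch.tar.gz 0000\n", TARBALL)

def compare(a, b):
    """Report whether each framing tells two patch directories apart."""
    return {
        "delimited_equal": digest(delimited_stream(*a)) == digest(delimited_stream(*b)),
        "framed_equal": digest(framed_stream(*a)) == digest(framed_stream(*b)),
        "a_meets_requirement": delimiters_absent(*a),
        "b_meets_requirement": delimiters_absent(*b),
    }

if __name__ == "__main__":
    for key, value in compare(DIR_A, DIR_B).items():
        print(f"{key}: {value}")
```

A signer can call `delimiters_absent` before signing and refuse, or pick another delimiter, when it returns False.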

