Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Rod Taylor <rbt(at)rbt(dot)ca>
Cc: Kurt Roeckx <Q(at)ping(dot)be>, Curt Sampson <cjs(at)cynic(dot)net>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-04 20:04:01
Message-ID: 1044389040.2979.117.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Tue, 2003-02-04 at 12:02, Rod Taylor wrote:
> On Tue, 2003-02-04 at 12:55, Kurt Roeckx wrote:
> > On Tue, Feb 04, 2003 at 01:35:47PM +0900, Curt Sampson wrote:
> > > On Mon, 3 Feb 2003, Kurt Roeckx wrote:
> > >
> > > > I'm not saying md5 is as secure as pgp, not at all, but you can't
> > > > trust those pgp keys to be the real one either.
> > >
> > > Sure you can. Just verify that they've been signed by someone you trust.
> >
> > I know how it works, it's just very unlikely I'll ever meet
> > someone so it gives me a good chain.
> >
> > Anyway, I think pgp is a good thing to do, just don't assume that
> > it's always better than just md5.
>
> Not necessarily better -- but it's always as good as md5.

Even improperly used, digital signatures should never be worse than
simple checksums. Having said that, anyone that is trusting checksums
as a form of authenticity validation is begging for trouble. Checksums
are not, in and of themselves, a security mechanism. I can't stress this
enough. There really isn't any comparison here. Please stop comparing
apples and oranges. No matter how hard you try, you cannot make orange
juice from apples.

Regards,

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
