Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Kurt Roeckx <Q(at)ping(dot)be>
Cc: Rod Taylor <rbt(at)rbt(dot)ca>, Curt Sampson <cjs(at)cynic(dot)net>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-05 00:19:42
Message-ID: 1044404381.2980.143.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> >
> > Even improperly used, digital signatures should never be worse than
> > simple checksums. Having said that, anyone that is trusting checksums
> > as a form of authenticity validation is begging for trouble.
>
> Should I point out that a "fingerprint" is nothing more than a
> hash?
>

You seem to not understand the part where I said, "in of themselves."
Security is certainly an area of expertise where the devil is in the
details. One minor detail can greatly affect the entire picture.
You're simply ignoring all the details and looking for obtuse
parallels. Continue to do so all you like. It still doesn't
effectively and reliably address security in the slightest.

> > Checksums are not, in of themselves, a security mechanism.
>
> So a fingerprint and all the hash/digest functions have no purpose
> at all?
>

This is just getting silly and bordering on insulting. If you have
meaningful comments, please offer them up. Until such time, I have no
further comments for you. Obviously, a fingerprint is a derivative piece
of information which, in of itself, does not validate anything.
Thusly, the primary supporting concept is the "web of trust", associated
process and built-in mechanisms to help ensure it all makes sense and
maintained in proper context. Something that a simple MD5 checksum does
not provide for. Not in the least.

A checksum or hash only allows for comparisons between two copies to
establish they are the same or different. It, alone, can never reliably
be a source of authentication and validation. A checksum or hash,
alone, says nothing about who created it, where it came from, how old it
is, or who is available to readily and authoritatively assist in
validation of the checksummed (or hashed) entity or the person who
created it.

I do agree that a checksum (or hash) is better than nothing, however, a
serious security solution it is not. Period. Feel free to be lulled
into complacent comfort. In the meantime, I'll choose a system which
actually has a chance at working.

Regards,

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
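
The checksum-versus-signature distinction argued in the message above, as an added Go example that is not part of the original message or of PostgreSQL's release tooling. Assumptions: Ed25519 from the Go standard library stands in for PGP, the key pair generated in the code stands in for a maintainer key the user obtained out of band, and `Mirror`, `Publish`, `Swap`, `ChecksumOK`, `SignatureOK` and `Compare` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Mirror is everything a download site serves; the site controls all of it.
type Mirror struct {
	Tarball  []byte
	Checksum [32]byte // SHA-256 published beside the tarball
	Sig      []byte   // detached signature published beside the tarball
}

// Publish builds the entry for a release signed by the maintainer.
func Publish(tarball []byte, priv ed25519.PrivateKey) Mirror {
	return Mirror{tarball, sha256.Sum256(tarball), ed25519.Sign(priv, tarball)}
}

// Swap models altered content on the mirror: the checksum is simply
// recomputed, but the signature cannot be without the maintainer's key.
func Swap(m Mirror, other []byte) Mirror {
	m.Tarball, m.Checksum = other, sha256.Sum256(other)
	return m
}

// ChecksumOK only establishes that two items from the same site agree.
func ChecksumOK(m Mirror) bool { return sha256.Sum256(m.Tarball) == m.Checksum }

// SignatureOK ties the tarball to a key the user obtained out of band.
func SignatureOK(m Mirror, trusted ed25519.PublicKey) bool {
	return ed25519.Verify(trusted, m.Tarball, m.Sig)
}

// Compare returns {checksum, signature} results for a genuine and an
// altered release. The tarball contents are constructed sample data.
func Compare() (genuine, altered [2]bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	good := Publish([]byte("postgresql-x.y.tar.gz contents"), priv)
	bad := Swap(good, []byte("different contents"))
	return [2]bool{ChecksumOK(good), SignatureOK(good, pub)},
		[2]bool{ChecksumOK(bad), SignatureOK(bad, pub)}
}

func main() { fmt.Println(Compare()) }
```

The altered release still passes the checksum comparison, because both values come from the same place, and fails only the signature check against the independently trusted key.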
