Re: PGP signing releases

On Tue, 2003-02-04 at 18:27, Curt Sampson wrote:
> On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> > On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> > >
> > > Even improperly used, digital signatures should never be worse than
> > > simple checksums. Having said that, anyone that is trusting checksums
> > > as a form of authenticity validation is begging for trouble.
> >
> > Should I point out that a "fingerprint" is nothing more than a
> > hash?
>
> Since someone already mentioned MD5 checksums of tar files versus PGP
> key fingerprints, perhaps things will become a bit clearer here if I
> point out that the important point is not that these are both hashes of
> some data, but that the time and means of acquisition of that hash are
> entirely different between the two.

And that it creates a verifiable chain of entities with direct
associations to people and hopefully, email addresses. Meaning, it
opens the door for rapid authentication and validation of each entity
and associated person involved. Again, something a simple MD5 hash does
not do or even allow for. Perhaps even more importantly, it opens the
door for rapid detection of corruption in the system thanks to
revocation certificates/keys. In turn, allows for rapid repair in the
event that the worst is realized. Again, something a simple MD5 does
not assist with in the least.

Thanks Curt.

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting