Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Curt Sampson <cjs(at)cynic(dot)net>
Cc: Kurt Roeckx <Q(at)ping(dot)be>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-05 00:43:55
Message-ID: 1044405834.2979.151.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Tue, 2003-02-04 at 18:27, Curt Sampson wrote:
> On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> > On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> > >
> > > Even improperly used, digital signatures should never be worse than
> > > simple checksums. Having said that, anyone that is trusting checksums
> > > as a form of authenticity validation is begging for trouble.
> >
> > Should I point out that a "fingerprint" is nothing more than a
> > hash?
>
> Since someone already mentioned MD5 checksums of tar files versus PGP
> key fingerprints, perhaps things will become a bit clearer here if I
> point out that the important point is not that these are both hashes of
> some data, but that the time and means of acquisition of that hash are
> entirely different between the two.

And that it creates a verifiable chain of entities with direct
associations to people and hopefully, email addresses. Meaning, it
opens the door for rapid authentication and validation of each entity
and associated person involved. Again, something a simple MD5 hash does
not do or even allow for. Perhaps even more importantly, it opens the
door for rapid detection of corruption in the system thanks to
revocation certificates/keys. In turn, it allows for rapid repair in the
event that the worst is realized. Again, something a simple MD5 does
not assist with in the least.

Thanks Curt.

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
