Re: PGP signing releases
Kurt Roeckx <q@ping.be>
From: Kurt Roeckx <Q@ping.be>
To: Greg Copeland <greg@CopelandConsulting.Net>
Cc: Rod Taylor <rbt@rbt.ca>, Curt Sampson <cjs@cynic.net>, "Marc G. Fournier" <scrappy@hub.org>, Neil Conway <neilc@samurai.com>, PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2003-02-04T22:13:47Z
Lists: pgsql-hackers
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote: > > Even improperly used, digital signatures should never be worse than > simple checksums. Having said that, anyone that is trusting checksums > as a form of authenticity validation is begging for trouble. Should I point out that a "fingerprint" is nothing more than a hash? > Checksums are not, in of themselves, a security mechanism. So a figerprint and all the hash/digest function have no purpose at all? > There really isn't any comparison here. I didn't say you could compare the security offered by both of them. All I said was that md5 also makes sense from a security point of view. Should I also point out that md5 really isn't a "checksum", it's a digest or hash. I have to agree that a real checksum, where you just add all the bytes, offers no protection. Kurt