Re: [Exim] OpenPGP signatures on Exim releases

Author: Kurt Lieber
Date:  
To: exim-users
Subject: Re: [Exim] OpenPGP signatures on Exim releases
On Wed, Oct 09, 2002 at 11:51:29AM +0100 or thereabouts, Philip Hazel wrote:
> Do you need more? If so, it will take time for me to obtain, install,
> learn about, and use cryptographic signing software. Not to mention
> organizing the appropriate keys.
MD5 hashes guarantee the integrity of the data, but they do not give you
non-repudiation. That is, an MD5 hash cannot authoritatively state that
the following tarball is guaranteed to be from Philip Hazel, rather than
Joe Cracker.

That's where digital signatures come in. By signing the MD5 hash, you're
effectively guaranteeing that the tarball being downloaded is unmodified
(because the hash checks out) and from you (because the signature checks
out).

As for learning about cryptographic software, GnuPG seems to be the GPL'd
standard and I'm sure there are plenty of people on the list that would be
willing to help out with any questions, etc. that you may have. (including
myself -- feel free to contact me off list)

--kurt
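An added illustration of the distinction Kurt draws above (hash checks integrity, signature checks origin); it is not part of his message or of the Exim project. It uses Go's standard-library Ed25519 in place of OpenPGP/GnuPG, and the maintainer key pair, the second key and the tarball bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"fmt"
)

// Release is what a download mirror serves: the tarball, the contents of
// its .md5 file, and a detached signature over that digest (nil if unsigned).
type Release struct {
	Tarball, Digest, Sig []byte
}

// md5Of computes the digest a release's .md5 file carries (MD5 to match the post).
func md5Of(data []byte) []byte {
	sum := md5.Sum(data)
	return sum[:]
}

// publish is the maintainer's step: hash the tarball, then sign the digest.
func publish(tarball []byte, priv ed25519.PrivateKey) Release {
	d := md5Of(tarball)
	return Release{Tarball: tarball, Digest: d, Sig: ed25519.Sign(priv, d)}
}

// hashOnlyOK is all a bare .md5 file lets a downloader check: integrity, not origin.
func hashOnlyOK(r Release) bool {
	return bytes.Equal(md5Of(r.Tarball), r.Digest)
}

// signedOK also checks the detached signature with the maintainer's public key.
func signedOK(r Release, pub ed25519.PublicKey) bool {
	return hashOnlyOK(r) && ed25519.Verify(pub, r.Digest, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // maintainer's key pair (constructed)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the maintainer never held
	genuine := publish([]byte("exim tarball bytes (constructed sample)"), priv)
	// A compromised mirror can swap tarball and .md5 together, so the hash still matches.
	forged := publish([]byte("replaced tarball bytes (constructed sample)"), otherPriv)
	fmt.Println(hashOnlyOK(genuine), signedOK(genuine, pub)) // true true
	fmt.Println(hashOnlyOK(forged), signedOK(forged, pub))   // true false
}
```

The hash-only check passes for the swapped release because the attacker regenerated the .md5 file too; only the signature check, which needs the maintainer's private key, rejects it.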