Re: [Exim] OpenPGP signatures on Exim releases

Top Pagina
Delete this message
Reply to this message
Auteur: Kurt Lieber
Datum:  
Aan: exim-users
Onderwerp: Re: [Exim] OpenPGP signatures on Exim releases
On Wed, Oct 09, 2002 at 11:51:29AM +0100 or thereabouts, Philip Hazel wrote:
> Do you need more? If so, it will take time for me to obtain, install,
> learn about, and use cryptographic signing software. Not to mention
> organizing the appropriate keys.


MD5 hashes guarantee the integrity of the data, but they do not give you
non-repudiation. That is, an MD5 hash cannot authoritatively state that
the following tarball is guaranteed to be from Philip Hazel, rather than
Joe Cracker.

That's where digital signatures come in. By signing the MD5 hash, you're
effectively guaranteeing that the tarball being downloaded is unmodified
(because the hash checks out) and from you (because the signature checks
out)

As for learning about crytographic software, GnuPG seems to be the GPL'd
standard and I'm sure there are plenty of people on the list that would be
willing to help out with any questions, etc. that you may have. (including
myself -- feel free to contact me off list)

--kurt