Re: [Exim] OpenPGP signatures on Exim releases

Góra strony
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
Dla: Ralf G. R. Bergs, exim-users, Florian Weimer
Temat: Re: [Exim] OpenPGP signatures on Exim releases
On Wed, 9 Oct 2002, Ralf G. R. Bergs wrote:

> On Wed, 09 Oct 2002 11:51:29 +0100 (BST), Philip Hazel wrote:
>
> It's a VERY good idea to do so. Learning GNU Privacy Guard (GPG)
> (www.gnupg.org) basics isn't very hard. You can even have Elm and Mutt
> integration if you want. :-)


I know, I know. But it takes time, and I'm an old dog that learns new
tricks slowly these days. And time is something I'm very short of just
at the momment.

> MD5 hashes guarantee the integrity of the data, but they do not give you
> non-repudiation. That is, an MD5 hash cannot authoritatively state that
> the following tarball is guaranteed to be from Philip Hazel, rather than
> Joe Cracker.


True.

> That's where digital signatures come in. By signing the MD5 hash, you're
> effectively guaranteeing that the tarball being downloaded is unmodified
> (because the hash checks out) and from you (because the signature checks
> out)


Assuming I'm clued up enough not to let anybody forge my signature...


On Wed, 9 Oct 2002, Florian Weimer wrote:

> Anyway, I can post list of steps required to sign Exim releases using
> OpenPGP. Interested?


Might be useful in due course.

> You don't have to obtain a certification from some well-known CA. It
> would be sufficient if Ian Jackson signed your key (I think he's still
> at Cambridge). ;-)


Sigh. Time, effort..

(I'm not really grumpy. It's just that the Work List seems unusually
long just at the moment. And I'm doing a very boring job - indexing the
book - which has to be completed asap.)

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.