On Wed, 9 Oct 2002, Ralf G. R. Bergs wrote:
> On Wed, 09 Oct 2002 11:51:29 +0100 (BST), Philip Hazel wrote:
>
> It's a VERY good idea to do so. Learning GNU Privacy Guard (GPG)
> (www.gnupg.org) basics isn't very hard. You can even have Elm and Mutt
> integration if you want. :-)
I know, I know. But it takes time, and I'm an old dog that learns new
tricks slowly these days. And time is something I'm very short of just
at the moment.
> MD5 hashes guarantee the integrity of the data, but they do not give you
> non-repudiation. That is, an MD5 hash cannot authoritatively state that
> the following tarball is guaranteed to be from Philip Hazel, rather than
> Joe Cracker.
True.
> That's where digital signatures come in. By signing the MD5 hash, you're
> effectively guaranteeing that the tarball being downloaded is unmodified
> (because the hash checks out) and from you (because the signature checks
> out)
Assuming I'm clued up enough not to let anybody forge my signature...

On Wed, 9 Oct 2002, Florian Weimer wrote:
> Anyway, I can post a list of steps required to sign Exim releases using
> OpenPGP. Interested?
Might be useful in due course.
> You don't have to obtain a certification from some well-known CA. It
> would be sufficient if Ian Jackson signed your key (I think he's still
> at Cambridge). ;-)
Sigh. Time, effort..
(I'm not really grumpy. It's just that the Work List seems unusually
long just at the moment. And I'm doing a very boring job - indexing the
book - which has to be completed asap.)
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.