--- begin forwarded text
To: [EMAIL PROTECTED]
From: Vinnie Moscaritolo <[EMAIL PROTECTED]>
Subject: Re: [Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases
List-Id: Macintosh Cryptography <mac_crypto.vmeng.com>
List-Archive: <http://www.vmeng.com/pipermail/mac_crypto/>
Date: Mon, 5 Apr 2004 08:10:26 -0800

one more thing for all it's worth..

MD5 is not a FIPS-140-2 approved algorithm.
http://csrc.nist.gov/cryptval/

this would technically prevent osx from being used in any Federal or Mil environment. Apple will eventually have to address this concern.

At 6:17 AM -0500 4/4/04, Arnold G. Reinhold wrote:
>The cryptographic hash function MD5 has long been used to
>authenticate software packages, particularly in the Linux/Unix/open
>source community. This has carried over to Apple's OS-X. The MD5
>hash of an entire package is calculated and its value is transmitted
>separately from the package. Users who download the package compute
>the hash of the copy they received and match that value against the
>original.

--
Vinnie Moscaritolo ITCB-IMSH
PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042
-------------------------------------------------------
"When the pin is pulled, Mr. Grenade is not our friend."
- USMC training bulletin.

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'