> -----Original Message-----
> On Behalf Of John jdmwood-at-gmail.com |Donald Welker|
> Sent: Monday, October 27, 2008 5:51 AM
> 
> Hi all,
> 
> I was hoping to get some clarification about "integrity checking" with
> Digital Signatures.
...
> My question is this: is the level of "integrity checking" of Digital
> Signatures as good as or equivalent to the plain old integrity
> checking you would get if you manually compared the hashes?
> 
> For example, are there any flaws in the digital signature verification
> process which mean that it's not as good for checking integrity as if
> you had the hash of the file (through some trusted manner)?

I hope that last isn't true, or there's no point in public key crypto. My
understanding is that, for all practical purposes, a digital signature *is*
a signed hash bundled with a public certificate. I seem to recall some
potential weaknesses in both SHA-1 and MD5 published by Chinese
mathematicians; perhaps one possible (if annoying) workaround is to use both
hash algorithms? Either way, plan for SHA-3:
http://en.wikipedia.org/wiki/SHA




_______________________________________________
FDE mailing list
FDE@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde
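
The comparison asked about in this thread, as an added example that is not part of the original messages: a signature check and a manual check against a trusted hash side by side, including the "use both hash algorithms" variant. The toy RSA key, the sample data and all function names are constructed for illustration; textbook RSA without padding is used only to make the steps visible.

```python
import hashlib

# Toy RSA key, constructed for this example only: two well-known Mersenne
# primes. Special-form primes and no padding make it unsuitable for real use.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(data: bytes, algos=("sha256",)) -> int:
    """Hash data with each algorithm and concatenate the digests into one integer."""
    raw = b"".join(hashlib.new(a, data).digest() for a in algos)
    return int.from_bytes(raw, "big")


def sign(data: bytes, algos=("sha256",)) -> int:
    """Signer: hash the file, then apply the private key to the hash."""
    return pow(digest(data, algos), D, N)


def verify(data: bytes, signature: int, algos=("sha256",)) -> bool:
    """Verifier: recover the signed hash with the public key, recompute the
    hash of the received file, and compare the two."""
    return pow(signature, E, N) == digest(data, algos)


def manual_check(data: bytes, trusted_hash: int, algos=("sha256",)) -> bool:
    """Plain integrity check against a hash obtained through a trusted channel."""
    return digest(data, algos) == trusted_hash


if __name__ == "__main__":
    original = b"constructed sample file contents\n"
    tampered = b"constructed sample file c0ntents\n"
    for algos in (("sha256",), ("sha1", "md5")):
        sig = sign(original, algos)
        trusted = digest(original, algos)
        print(algos, verify(original, sig, algos), verify(tampered, sig, algos),
              manual_check(tampered, trusted, algos))
```

Both checks end in the same hash comparison, so a collision in the hash function affects them equally; the signature path additionally depends on the verifier holding an authentic public key.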
