On Wed, Nov 29, 2000 at 04:14:25PM -0800, Joey Hess wrote: > If I understand right, Ben wants something unique that can be signed > for some secrit package signing scheme. Assuming the sig goes in a > component after control.tar.gz and data.tar.gz, why can't is just sign > a concacentation of their md5sums? > > I don't understand how signing a uuid that is just listed in the control > file and could be modified by anyone is cryptographically secure. > > Must be missing something.
The UUID means nothing for security, it is there for uniquely identifying a package. The UUID itself proves nothing, and the security model I am talking about does not use it for verification. It is meant to say "package xxx-xxx-xxx-xxx-xxxxxxxx is what we are talking about". So you are just reading more into this than is meant to be :) -- -----------=======-=-======-=========-----------=====------------=-=------ / Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \ ` [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- [EMAIL PROTECTED] ' `---=========------=======-------------=-=-----=-===-======-------=--=---'
