-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/17/2016 08:44 PM, Daniel Kahn Gillmor wrote:

> FWIW, the threat model of digest algorithms being published on an 
> HTTPS website that then links to the file to be downloaded is much 
> easier to work around than by compromising SHA-1's preimage 
> resistance (or even collision resistance for that matter).
> 
> However, it makes more sense to me to just move everything to 
> sha-256 today.  Anyone who actually checks the digests should be 
> capable of using sha256 today, and it would avoid this sort of 
> question coming up in the future.

An argument could be made to remove the checksum altogether and focus
only on proper verification of the OpenPGP signature. Of course the
issue will persist in order to get a good basis for certificate
verification, so if the server was to be compromised in some way and
the user don't have a path; and this is first download so the TOFU
scenario fails .. and they aren't doing some probabilistic
consideration based on other public sources as well the end result
will be the same as having provided the checksum, but...

- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Aquila non capit muscas
The eagle does not hunt flies
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJW6wzdAAoJECULev7WN52FTAsH/i8blyldxK3hCRt8xHUYxeaA
kBX+8pM7BJz4yQKxGeIZTR6fi4sU9xynZYEoDTxlebcYXo5V/lPzYIzhHIIF5UhN
AUf0QP4gVk++C1zvv01NhiRxatzD20r2RvBtOXXs/PO6O2ZZ+TavuhnHzASZVTz+
F0+lInnJbUdGdwkXYL5YGLhljchtpR0iq90RPcSlML9cka3h2m0pJKAMV5l16dnS
+ysVp9P+S4GafB7ai6bzWkduD7w4GrizuARMWSfqbybiWCmO97APNt1rqVaqb7uf
XMQV3/1v0CSfORx3//M9jq5EVRtq22Utrdjz+xROrn/hWuhAgIUWwz1shuB2ixE=
=V7G6
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to