On Wed, 4 Apr 2018 08:17:14 +1000, Andrew Rowley wrote:
>On 3/04/2018 9:21 PM, John Eells wrote:
>>
>> If you have a requirement for packages signed with strong algorithms,
>> please open an RFE.
>>
>Is the SMP/E package signed, or just checksummed? A stronger hash is no
>real value if the hash itself can be substituted because it is not
>cryptographically signed.
>
I don't understand digital signatures beyond what I just read in:
https://en.wikipedia.org/wiki/Digital_signature
... Digital signatures are equivalent to traditional handwritten signatures
in many respects, but properly implemented digital signatures are more
difficult to forge than the handwritten type. ...
Paper contracts sometimes have the ink signature block on the last page,
and the previous pages may be replaced after a signature is applied. ...
But it seems that all such schemes depend on being able to authenticate
a public key from some certificate authority. It doesn't appear that a
digitally signed document can be entirely self-contained.
So is a signature any more secure than an independently verifiable checksum,
or just more practical?
("independently verifiable" implies "can't be substituted". It's like Ed's
security
auditor's phoning IBM and asking, "Did you send me this cartridge with the
following (non-substitutable?) identifying marks?")
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
