No, a digital signature does not require an authority. I publish my public key on my Web site. I send you a message along with a hash encrypted with my private key. If you decrypt that encrypted hash with my public key and it matches the hash of the message that you compute then the signature verifies

(1) I sent it (non-repudiation and authentication)
(2) It has not been tampered with

No "authority" in there anywhere.

A checksum only shows non-tampering. A signature authenticates.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Tuesday, April 3, 2018 5:29 PM
To: [email protected]
Subject: Re: Software Delivery on Tape to be Discontinued

On Wed, 4 Apr 2018 08:17:14 +1000, Andrew Rowley wrote:

>On 3/04/2018 9:21 PM, John Eells wrote:
>>
>> If you have a requirement for packages signed with strong algorithms,
>> please open an RFE.
>>
>Is the SMP/E package signed, or just checksummed? A stronger hash is no
>real value if the hash itself can be substituted because it is not
>cryptographically signed.
>
I don't understand digital signatures beyond what I just read in:

    https://en.wikipedia.org/wiki/Digital_signature
    ...
    Digital signatures are equivalent to traditional handwritten signatures
    in many respects, but properly implemented digital signatures are more
    difficult to forge than the handwritten type.
    ...
    Paper contracts sometimes have the ink signature block on the last page,
    and the previous pages may be replaced after a signature is applied.
    ...

But it seems that all such schemes depend on being able to authenticate a public key from some certificate authority. It doesn't appear that a digitally signed document can be entirely self-contained.

So is a signature any more secure than an independently verifiable checksum, or just more practical? ("independently verifiable" implies "can't be substituted". It's like Ed's security auditor's phoning IBM and asking, "Did you send me this cartridge with the following (non-substitutable?) identifying marks?")

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
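
An added example, not part of the original thread: the sign-and-verify exchange described in the reply, run next to the substituted-checksum case raised in the quoted message. The key pair is a toy constructed for illustration (fixed Mersenne primes, unpadded RSA, not secure), all function names are hypothetical, and the receiver is assumed to have obtained the public key unmodified.

```python
import hashlib

# Toy key pair constructed for this example; NOT secure: two fixed Mersenne
# primes and unpadded "textbook" RSA. Real signing uses random keys and padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: what the signer publishes
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: never leaves the signer

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Signer: transform the message hash with the private exponent."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: recover the hash with the public key, compare to own hash."""
    return pow(signature, E, N) == digest(message)

def checksum_ok(message: bytes, published_hex: str) -> bool:
    """Receiver: compare a bare published checksum to own hash."""
    return hashlib.sha256(message).hexdigest() == published_hex

def demo() -> dict:
    package = b"constructed sample package contents v1"      # constructed input
    tampered = b"constructed sample package contents v1 + extra"
    sig = sign(package)
    # Whoever can replace the package can also replace a checksum shipped with it.
    substituted = hashlib.sha256(tampered).hexdigest()
    return {
        "checksum_original": checksum_ok(package, hashlib.sha256(package).hexdigest()),
        "checksum_tampered_with_substituted_hash": checksum_ok(tampered, substituted),
        "signature_original": verify(package, sig),
        "signature_tampered": verify(tampered, sig),
        # Without D, a recomputed hash is not a value that verifies under (N, E).
        "signature_forged_from_hash": verify(tampered, digest(tampered)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The substituted checksum passes for the modified package, while the same modification fails signature verification against the published key.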
