Yep, that's what TLS does. Charles
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S.
Sent: Wednesday, April 4, 2018 9:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Software Delivery on Tape to be Discontinued

On 2018-04-04 at 17:34, Charles Mills wrote:
>> IBM signs the hash (in fact they sign the whole serverpac)
> I think the "whole serverpac" is effectively signed -- but the way that is
> done is to sign the hash. There are security advantages too long a digression
> for this reply.
>
>> If you really want to encrypt the content (i.e. DVD files) then you
>> have to make your pair of PRIVATE/PUBLIC keys. Yes, the customer has
>> to do it and ask IBM to use his public key
> Yep, that is the process that certificates and the TLS protocol automate. TLS
> does not do anything for you in terms of encryption that you could not do on
> your own -- but worst case doing it without TLS would require your sending a
> courier with a briefcase containing a secret key locked to his wrist to IBM,
> and IBM maintaining a secret key for each customer. TLS automates that
> process, securely.

NO! Asymmetric crypto is the solution for secret key exchange. There is no longer a need to exchange the keys using a briefcase. I keep my private key secret and my public key is really public. You do the same with your key pair. Now I can encrypt (but NOT DECRYPT) some data using your public key, and only the private key holder (you) can decrypt it. And vice versa: you can encrypt some data using my public key. In case of doubt about who is on the other end of the wire (am I using YOUR key or someone else's key?), certificates can be used.

Note: asymmetric cryptography is very CPU-consuming, approx. 1000 times more than symmetric. That's why people (protocols) tend to use asymmetric crypto to exchange a small data portion: the symmetric key. After that both parties share their own, unique, disposable key for bulk data exchange.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
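The hybrid scheme R.S. describes above (asymmetric crypto used only to move a small symmetric key, the symmetric key used for the bulk data) as an added example in Go; this is not code from either poster or from IBM. It assumes RSA-OAEP for the key wrap and AES-256-GCM for the bulk data, standard-library only. The message text and the "customer"/"vendor" roles are constructed for the illustration; the point it makes is that only 32 bytes ever pass through the expensive RSA operation, whatever the size of the payload, and that the sender, holding only the public key, cannot open what it sealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the RSA-wrapped session key
// plus the AES-GCM nonce and the ciphertext of the bulk data.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, encrypted with the recipient's RSA public key
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // bulk data, encrypted and authenticated with AES-256-GCM
}

// Seal encrypts plaintext for the holder of recipientPub. A fresh random
// AES-256 session key protects the data; only that key goes through RSA.
// The sender never needs a private key of its own for confidentiality.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Symmetric part: cheap, scales to any payload size.
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Asymmetric part: expensive, but the input is always just 32 bytes.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. It requires the recipient's private key; anyone else,
// the sender included, fails at the unwrap step and never reaches the data.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or tampered envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM also authenticates: a modified ciphertext is rejected here.
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Constructed scenario: the customer publishes a key pair, the vendor
	// seals a delivery for it, only the customer can open it.
	customerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	delivery := []byte("constructed sample payload: contents of an image file") // constructed
	env, err := Seal(&customerKey.PublicKey, delivery)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	got, err := Open(customerKey, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", got)
}
```

In a real delivery the recipient's public key would arrive inside a certificate, which is exactly the "who is on the other end of the wire" question the post raises; this example takes the public key as already trusted.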