On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> > 
> > Even improperly used, digital signatures should never be worse than
> > simple checksums.  Having said that, anyone that is trusting checksums
> > as a form of authenticity validation is begging for trouble.
> Should I point out that a "fingerprint" is nothing more than a
> hash?

You seem to not understand the part where I said, "in of themselves." 
Security is certainly an area of expertise where the devil is in the
details.  One minor detail can greatly effect the entire picture. 
You're simply ignoring all the details and looking for obtuse
parallels.  Continue to do so all you like.  It still doesn't
effectively and reliably address security in the slightest.  

> > Checksums are not, in of themselves, a security mechanism.
> So a figerprint and all the hash/digest function have no purpose
> at all?

This is just getting silly and bordering on insulting.  If you have
meaningful comments, please offer them up.  Until such time, I have no
further comments for you.  Obviously, a fingerprint is derivative piece
of information which, in of it self, does not validate anything. 
Thusly, the primary supporting concept is the "web of trust", associated
process and built in mechanisms to help ensure it all makes sense and
maintained in proper context.  Something that a simple MD5 checksum does
not provide for.  Not in the least.

A checksum or hash only allows for comparisons between two copies to
establish they are the same or different.  It, alone, can never reliably
be a source of authentication and validation.  A checksum or hash,
alone, says nothing about who created it, where it came from, how old it
is, or whom is available to readily and authoritatively assist in
validation of the checksummed (or hashed) entity or the person who
created it.

I do agree that a checksum (or hash) is better than nothing, however, a
serious security solution it is not.  Period.  Feel free to be lulled
into complacent comfort.  In the mean time, I'll choose a system which
actually has a chance at working.


Greg Copeland <[EMAIL PROTECTED]>
Copeland Computer Consulting

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly

Reply via email to