On 08/03/2008 04:25 PM, Harold Fuchs wrote: > On 03/08/2008 00:42, Twayne wrote: >> >>> Do checksums do the same thing as digital signatures? >>> >> >> No, they are not the same thing in any way. Apples and oranges; they do >> not do the same thing. Using one does not negate using the other. One >> being OK has nothing to do with whether the other will get the same >> result. >> A signature is nothing more than having some company vouch for you in >> verifiable ways, that you are who you say you are. A checksum is simply >> a calculated number for code which can be checked after transport to see >> if the sum has remained identical to what was used as a source. They >> ARE the same in that, if you allow automagical operation, they can >> easily be forged to be what you want/expect to see. >> > > This is a half truth. A digital signature is no more and no less than an > encrypted hash. Several digital signature systems use MD5 as the hash. > The difference is the [imputed] trustworthiness of the result. A > published hash is easier to fake than is the digital certificate on > which the digital signature is based. That's because the certificate > used to check the signature is *usually* taken from an extremely > trustworthy and unhackable place whereas a straight hash is *normally* > taken from the same (relatively easy to hack) place as the file was > taken from. This in turn means that the signature is *much* more likely > to belong to the putative author of the file and this means that if the > signature checks out then the file is much more likely to be genuine.
Except in the case last month where there was a security issue with openssl, ssl-cert vulerabilities. That caused huge flurry of updates to be issued on Debian and other linux systems to blacklist, change, and reissue cert keys - including keys/certificates issued by trusted sources. There will always be hacks for security, and like you point out digital certs are generally considerably more secure than a standard md5. But again, I think that the issues relating to signed downloads from OOo is extending the signatures out to the mirrors etc. Even major linux distributions are rarely, if ever offered with digital certs. I suppose the "EvilGrade Exploit" as decribed can and will work, I suspect it is more a "proof of concept" than active, but it never hurts to take measures to protect against it. Questions such as those by the original poster are probably better addressed to the OOo security team rather than via user comment/speculation. See: http://www.openoffice.org/security/ [EMAIL PROTECTED] http://www.openoffice.org/security/bulletin.html --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
