On Tue, Feb 15, 2005 at 10:18:43PM -0700, Phillip Hellewell wrote:
> <tinfoil hat>
>
> Hmmmm, come to think of it, how can we trust this so called e-mail and
> so called break of SHA-1. I mean, hey, they didn't even really prove it
> yet, so how do we know it's not just some huge conspiracy; hey, maybe
> someone is trying to impersonate Michael and ruin his good name by
> spreading these nasty rumors!! Since there's no signature, we don't
> really know _WHO_ sent that message!!!
>
> </tinfoil hat>
I certify that the previously sent messages with SHA-1 hashes for the
bodies:
ce57b00152bc4d28fb6d1db7c0942d234d7061c5
21d6067691cc57fd69682adc946576cac6f653a7
342abccf1e67c06f89760f0f719fd75221e87b62
Were sent by me. You can take your tinfoil hat off now. ;-P
BTW, you can still use GnuPG with a hash that still is not known to be
broken. Place this in your gpg.conf or your .gnupg/options file:
digest-algo RIPEMD160
Note this is outside the RFC2440 spec, but it should be supported by
any PGP app that's worth its salt. Anyone who receives a digital
signature based on an MD-5 or SHA-1 hash should be suspicious. Well,
you should always be suspicious, but in those cases, you should be
especially suspicious.
Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D
Friends don't let friends do Windows.
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
