Re: PGP signing releases - Mailing list pgsql-hackers

From Kurt Roeckx
Subject Re: PGP signing releases
Date
Msg-id 20030204221346.GA809@ping.be
Whole thread Raw
In response to Re: PGP signing releases  (Greg Copeland <greg@CopelandConsulting.Net>)
Responses Re: PGP signing releases
Re: PGP signing releases
Re: PGP signing releases
List pgsql-hackers
On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> 
> Even improperly used, digital signatures should never be worse than
> simple checksums.  Having said that, anyone that is trusting checksums
> as a form of authenticity validation is begging for trouble.

Should I point out that a "fingerprint" is nothing more than a
hash?

> Checksums are not, in of themselves, a security mechanism.

So a figerprint and all the hash/digest function have no purpose
at all?

> There really isn't any comparison here.

I didn't say you could compare the security offered by both of
them.  All I said was that md5 also makes sense from a security
point of view.


Should I also point out that md5 really isn't a "checksum",
it's a digest or hash.  I have to agree that a real checksum,
where you just add all the bytes, offers no protection.


Kurt



pgsql-hackers by date:

Previous
From: Hannu Krosing
Date:
Subject: Re: POSIX regex performance bug in 7.3 Vs. 7.2
Next
From: Tom Lane
Date:
Subject: Re: POSIX regex performance bug in 7.3 Vs. 7.2