> Basically the MD5 Hash does not need keys. > [...] > Also apache.org delivers a file named .asc
Ok, thanks, I get it now (I think.) This explains some of the negative comments I've heard about MD5 then (it not being too strong). I read on some, on one Apache list, that folks will be ok with this being strong enough though. What will be tricky for us, should we chose to attempt it, will be supporting mirrors yet using the original MD5 from Apache... Since ASC has keys, that ties in to the 'web of trust' that Apache is working on, I think. Once on trusts a certain set of keys, those keys can be used to verify others that are acquired, and those can be used to verify the ASC. This is much harder to automate, but something we could aspire to... regards, Adam
