On Tue, Sep 15, 2015 at 2:34 AM, Stephan Beal <sgb...@googlemail.com> wrote: > > For files/blobs, only their content is hashed (their name/timestamp/etc., > if any, is not used). No salt is used. If i'm not mistaken (but might be), > a salt is irrelevant (or unnecessary) in a non-cryptographic context. >
FYI, salts are mainly used for hashing passwords and authentication tokens. This is to make the hashes different each time. When using hashes to identify and/or check the integrity of documents, salting doesn't really add to the security of either the hash or the document. Fossil, by using hashes as identifiers, also provides some integrity checking of the stored documents. While Fossil is *not* generally considered a cryptographic tool, the integrity checking it implicitly provides could be considered a cryptographic feature. Also, as I pointed in an earlier post, the description of how Fossil uses GPG, PGP or similar tool, implies only the manifest gets signed. Therefor, the signature might rely on hashes generated by Fossil. Because of the way signatures work, if GPG were using SHA1, it would give the same result as encrypting the manifest ID with the user's private key. Of course, GPG can use newer, presumably better, algorithms.
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
