Karel Gardas wrote:
> On Wed, 16 Mar 2005, Peter Conrad wrote:
> > Combining different hashes in the signature should make attacks a lot
> > more difficult, because an attacker would have to produce collisions
> > for all hashes at the same time. Of course, *all* hashes must be
> > validated when checking the signature, instead of validating only one
> > of them.
>
> Yes, I agree, but combining two hashes from which one is considered broken
> and one is considered weak these days is IMHO less secure than using one
> hash which is considered secure.

Maybe, but what alternative do we have today? AIUI, gpg-signing in general
just encrypts a hash (of a hash, in our case), so you need a good choice
for both the hash tla uses and the one gpg uses. So which hash(es)?

-- 
Jason McCarty <[EMAIL PROTECTED]>
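Added example, not part of the original thread and not tla's own code: a checker for a signed checksum record that carries several digests, showing the "validate all of them" rule from the quoted message next to the weaker "any one matches" check. The record format, the function names and the choice of SHA-1 plus SHA-256 are assumptions; the thread does not name the hashes, and the one-hash collision is simulated with a constructed record.

```python
import hashlib
import hmac

REQUIRED = ("sha1", "sha256")  # assumed policy; the thread names no algorithms

def make_record(data, algs=REQUIRED):
    """Checksum lines ("<alg> <hex>") that the signature would cover."""
    return "\n".join(f"{a} {hashlib.new(a, data).hexdigest()}" for a in algs)

def parse_record(text):
    digests = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        alg, _, hexval = line.partition(" ")
        alg = alg.lower()
        if alg in digests:  # ambiguous record: refuse rather than pick one
            raise ValueError(f"duplicate digest line for {alg}")
        digests[alg] = hexval.strip().lower()
    return digests

def verify_all(data, record, required=REQUIRED):
    """Accept only if every required hash is present and matches."""
    digests = parse_record(record)
    ok = True
    for alg in required:
        expected = digests.get(alg)
        if expected is None:  # a stripped line must not weaken the check
            ok = False
            continue
        actual = hashlib.new(alg, data).hexdigest()
        ok &= hmac.compare_digest(actual, expected)
    return ok

def verify_any(data, record):
    """Weak variant: accepts when any single listed hash matches."""
    return any(hashlib.new(a, data).hexdigest() == h
               for a, h in parse_record(record).items())

# Constructed sample data. MIXED simulates a substitute file that collides
# with the original under SHA-1 only: its sha1 line fits the substitute,
# its sha256 line still belongs to the original.
ORIGINAL = b"patch-1 contents\n"
SUBSTITUTE = b"patch-1 contents, altered\n"
MIXED = "\n".join([make_record(SUBSTITUTE, ("sha1",)),
                   make_record(ORIGINAL, ("sha256",))])

if __name__ == "__main__":
    print("all-hash check, original  :", verify_all(ORIGINAL, make_record(ORIGINAL)))
    print("all-hash check, substitute:", verify_all(SUBSTITUTE, MIXED))
    print("any-hash check, substitute:", verify_any(SUBSTITUTE, MIXED))
```

The all-hash check also rejects a record from which one digest line has been dropped, so the combined scheme cannot be reduced to its weaker hash by omission.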
