-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/17/2016 08:44 PM, Daniel Kahn Gillmor wrote:
> FWIW, the threat model of digest algorithms being published on an > HTTPS website that then links to the file to be downloaded is much > easier to work around than by compromising SHA-1's preimage > resistance (or even collision resistance for that matter). > > However, it makes more sense to me to just move everything to > sha-256 today. Anyone who actually checks the digests should be > capable of using sha256 today, and it would avoid this sort of > question coming up in the future. An argument could be made to remove the checksum altogether and focus only on proper verification of the OpenPGP signature. Of course the issue will persist in order to get a good basis for certificate verification, so if the server was to be compromised in some way and the user don't have a path; and this is first download so the TOFU scenario fails .. and they aren't doing some probabilistic consideration based on other public sources as well the end result will be the same as having provided the checksum, but... - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJW6wzdAAoJECULev7WN52FTAsH/i8blyldxK3hCRt8xHUYxeaA kBX+8pM7BJz4yQKxGeIZTR6fi4sU9xynZYEoDTxlebcYXo5V/lPzYIzhHIIF5UhN AUf0QP4gVk++C1zvv01NhiRxatzD20r2RvBtOXXs/PO6O2ZZ+TavuhnHzASZVTz+ F0+lInnJbUdGdwkXYL5YGLhljchtpR0iq90RPcSlML9cka3h2m0pJKAMV5l16dnS +ysVp9P+S4GafB7ai6bzWkduD7w4GrizuARMWSfqbybiWCmO97APNt1rqVaqb7uf XMQV3/1v0CSfORx3//M9jq5EVRtq22Utrdjz+xROrn/hWuhAgIUWwz1shuB2ixE= =V7G6 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
