Ben Laurie wrote:
My understanding is that our security policy is that if you can show a chain of SHA-1 HMAC signatures from the certified source to whatever-it-is-you-are-running, then you are certified. We provide one mechanism to do that. You can provide others.
Note that the chain of signatures is _not_ intended to handle malicious intent. It is there to make it difficult to think you are certified when in fact you are not.
How is an HMAC-SHA1 digest a signature?
______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
