Michael Sierchio wrote:
> Ben Laurie wrote:
> > My understanding is that our security policy is that if you can show a chain of SHA-1 HMAC signatures from the certified source to whatever-it-is-you-are-running, then you are certified. We provide one mechanism to do that. You can provide others.
> >
> > Note that the chain of signatures is _not_ intended to handle malicious intent. It is there to make it difficult to think you are certified when in fact you are not.
>
> How is an HMAC-SHA1 digest a signature?

OK, that's not exactly the right word. It's an integrity check.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
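The distinction drawn in this exchange, as an added example that is not part of the original thread and is not OpenSSL's code: a chain of HMAC-SHA1 tags catches an accidental mismatch between stages, but anyone holding the shared key can produce a tag that verifies, which is why it is an integrity check and not a signature. The key, the stage names and the stage contents are constructed assumptions.

```python
import hashlib
import hmac

# Constructed placeholder key (assumption): fixed and shipped with the checker,
# so everyone who can verify a tag can also create one.
SHARED_KEY = b"example-fixed-key"

# Constructed stand-ins for the stages between certified source and running code.
STAGES = [
    ("source", b"certified source tarball bytes"),
    ("object", b"object module built from that source"),
    ("binary", b"application linked against that object"),
]

def tag(data: bytes) -> str:
    """Hex HMAC-SHA1 tag over data under the shared key."""
    return hmac.new(SHARED_KEY, data, hashlib.sha1).hexdigest()

def recorded_chain():
    """(name, content, expected_tag) for every stage, as recorded at build time."""
    return [(name, content, tag(content)) for name, content in STAGES]

def verify_chain(chain):
    """Return the name of the first stage whose tag does not match, else None."""
    for name, content, expected in chain:
        if not hmac.compare_digest(tag(content), expected):
            return name
    return None

def accidental_mismatch():
    """Object rebuilt with other flags while the old tag is still on record."""
    chain = recorded_chain()
    name, _, expected = chain[1]
    chain[1] = (name, b"object module rebuilt with other flags", expected)
    return verify_chain(chain)

def retagged_by_key_holder():
    """Changed content re-tagged with the shared key still verifies: the tag
    identifies no author, so it is an integrity check, not a signature."""
    changed = b"object module rebuilt with other flags"
    chain = recorded_chain()
    chain[1] = ("object", changed, tag(changed))
    return verify_chain(chain)

if __name__ == "__main__":
    print(verify_chain(recorded_chain()))
    print(accidental_mismatch())
    print(retagged_by_key_holder())
```

Binding a stage to a specific author requires an asymmetric signature, where the verifier holds only a public key and cannot create tags itself.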
