On Tue, 2003-02-04 at 16:13, Kurt Roeckx wrote:
> On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> > 
> > Even improperly used, digital signatures should never be worse than
> > simple checksums.  Having said that, anyone that is trusting checksums
> > as a form of authenticity validation is begging for trouble.
> 
> Should I point out that a "fingerprint" is nothing more than a
> hash?
> 

You seem to not understand the part where I said, "in of themselves." 
Security is certainly an area of expertise where the devil is in the
details.  One minor detail can greatly affect the entire picture. 
You're simply ignoring all the details and looking for obtuse
parallels.  Continue to do so all you like.  It still doesn't
effectively and reliably address security in the slightest.  

> > Checksums are not, in of themselves, a security mechanism.
> 
> So a fingerprint and all the hash/digest functions have no purpose
> at all?
> 

This is just getting silly and bordering on insulting.  If you have
meaningful comments, please offer them up.  Until such time, I have no
further comments for you.  Obviously, a fingerprint is a derivative piece
of information which, in of itself, does not validate anything. 
Thusly, the primary supporting concept is the "web of trust", associated
process and built in mechanisms to help ensure it all makes sense and
maintained in proper context.  Something that a simple MD5 checksum does
not provide for.  Not in the least.

A checksum or hash only allows for comparisons between two copies to
establish they are the same or different.  It, alone, can never reliably
be a source of authentication and validation.  A checksum or hash,
alone, says nothing about who created it, where it came from, how old it
is, or who is available to readily and authoritatively assist in
validation of the checksummed (or hashed) entity or the person who
created it.

I do agree that a checksum (or hash) is better than nothing, however, a
serious security solution it is not.  Period.  Feel free to be lulled
into complacent comfort.  In the meantime, I'll choose a system which
actually has a chance at working.


Regards,

-- 
Greg Copeland <[EMAIL PROTECTED]>
Copeland Computer Consulting
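
The distinction argued in the message above, as an added example that is not part of the original e-mail: a checksum published beside a file still verifies after both are replaced, while a tag that depends on a key held off the mirror does not. The data, key and function names are constructed, and HMAC is used only as a standard-library stand-in for a digital signature (with a real signature the verifier holds a public key, and trusting that key is a separate problem).

```python
import hashlib
import hmac

# Constructed sample data: a release file and a modified replacement.
RELEASE = b"release-1.0 contents (constructed sample)"
TAMPERED = b"release-1.0 contents, modified (constructed sample)"

# Assumption: only the publisher holds this key; it is never stored on the
# mirror. It stands in for a private signing key.
PUBLISHER_KEY = b"constructed-demo-key-not-on-the-mirror"


def publish(data, key):
    """What the publisher uploads: the file, a bare checksum, a keyed tag."""
    return {
        "file": data,
        "md5": hashlib.md5(data).hexdigest(),
        "tag": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def replace_on_mirror(mirror, new_data):
    """Model of a mirror whose contents were swapped by someone with write
    access: the checksum can be recomputed by anyone, the tag cannot be
    recomputed without the key, so the old tag is left in place."""
    swapped = dict(mirror)
    swapped["file"] = new_data
    swapped["md5"] = hashlib.md5(new_data).hexdigest()
    return swapped


def verify(mirror, key):
    """Run both checks a downloader might perform."""
    checksum_ok = hashlib.md5(mirror["file"]).hexdigest() == mirror["md5"]
    expected = hmac.new(key, mirror["file"], hashlib.sha256).hexdigest()
    keyed_ok = hmac.compare_digest(expected, mirror["tag"])
    return {"checksum": checksum_ok, "keyed": keyed_ok}


if __name__ == "__main__":
    good = publish(RELEASE, PUBLISHER_KEY)
    bad = replace_on_mirror(good, TAMPERED)
    print("original:", verify(good, PUBLISHER_KEY))
    print("replaced:", verify(bad, PUBLISHER_KEY))
```

The checksum comparison passes in both cases because it only establishes that the file matches the checksum it was served with; only the keyed check ties the file to the holder of the key.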

