Re: Re: correct format for the md5 files?
On 12/8/06, Simon Willnauer [EMAIL PROTECTED] wrote:
> Oh by the way I do have 2 people in this room being able to find
> collisions to md5 within the next 15 minutes. But it is true that this
> is quite hypothetical. anyway...

Can they also produce a malicious distribution of solr which hashes identically? g.

It _is_ a valid concern in general (I would never use md5 as a cryptographic hash, e.g., for passwords), but significantly less of a concern for this use. The most important role of the hash is to ensure no corruption occurred during transfer.

cheers,
-Mike
Re: Re: correct format for the md5 files?
: It _is_ a valid concern in general (I would never use md5 as a
: cryptographic hash, e.g., for passwords), but significantly less of a
: concern for this use. The most important role of the hash is to
: ensure no corruption occurred during transfer.

Bingo: We checksum the files with MD5, we sign the files with GPG

-Hoss
Re: Re: correct format for the md5 files?
On 12/8/06, Chris Hostetter [EMAIL PROTECTED] wrote:
> : It _is_ a valid concern in general (I would never use md5 as a
> : cryptographic hash, e.g., for passwords), but significantly less of a
> : concern for this use. The most important role of the hash is to
> : ensure no corruption occurred during transfer.
>
> Bingo: We checksum the files with MD5, we sign the files with GPG

And the standard digital signature content hash is defined to be SHA-1 AFAIK. And yes, someone has managed to find a way to get collisions in SHA1 hashes in less time than it would take to purely guess at random. But let's be serious... for our projects it's going to be far easier and cheaper to circumvent the encryption than break it. When PGP/GPG switch to a different mechanism by default, so will we.

-Yonik
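
The checksum role discussed in this thread, as an added example that is not part of any message above and is not the project's own tooling: a verifier that accepts the two common `.md5` file layouts and shows that a digest catches transfer corruption but passes for any content whose checksum file was regenerated alongside it, which is the gap the GPG signature covers. The file name and sample bytes are constructed.

```python
import hashlib
import re

# Two common checksum-file layouts:
#   GNU md5sum:        "<hex>  <name>" or "<hex> *<name>" (binary mode)
#   BSD md5 / openssl: "MD5 (<name>) = <hex>" or "MD5(<name>)= <hex>"
GNU_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")
BSD_LINE = re.compile(r"^MD5 ?\((.+)\) ?= ([0-9a-fA-F]{32})$")


def parse_md5_line(line):
    """Return (filename, lowercase hex digest) or raise ValueError."""
    line = line.strip()
    m = GNU_LINE.match(line)
    if m:
        return m.group(2), m.group(1).lower()
    m = BSD_LINE.match(line)
    if m:
        return m.group(1), m.group(2).lower()
    raise ValueError("unrecognised checksum line: %r" % line)


def verify(data, checksum_line):
    """True if the MD5 of data equals the digest recorded in checksum_line."""
    _, expected = parse_md5_line(checksum_line)
    return hashlib.md5(data).hexdigest() == expected


def demo():
    """Run the checks on constructed sample data and return the outcomes."""
    release = b"constructed stand-in for a release tarball\n"
    digest = hashlib.md5(release).hexdigest()
    gnu = "%s  example-release.tgz" % digest
    bsd = "MD5 (example-release.tgz) = %s" % digest
    flipped = bytearray(release)
    flipped[5] ^= 0x01  # one bit damaged in transit
    other = b"different content published with its own checksum file\n"
    other_line = "%s  example-release.tgz" % hashlib.md5(other).hexdigest()
    return {
        "gnu_ok": verify(release, gnu),
        "bsd_ok": verify(release, bsd),
        "corruption_detected": not verify(bytes(flipped), gnu),
        # The digest says nothing about who produced the file: content
        # shipped with a regenerated checksum file verifies just as well.
        "regenerated_passes": verify(other, other_line),
    }
```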