* Joey Hess <[EMAIL PROTECTED]> [001129 16:17]:
> [...] sign a concatenation of their md5sums? [...]
> I don't understand how signing a uuid that is just listed in the control
> file and could be modified by anyone is cryptographically secure.

I would like to suggest that whatever signature scheme is in the works use
something stronger than md5. Problems have been found in its compression
function, and its small bit-length doesn't help much either. Using SHA-1 or
a hash based on the AES standard would give more cryptographic confidence.

-- 
``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all really
impressed down here, I can tell you.''