SHA-1 will guard against inadvertent errors: comm errors, truncated files, that sort of thing. As John says, it cannot be considered secure against willful and skilled tampering.
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Eells
Sent: Monday, April 2, 2018 12:50 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Software Delivery on Tape to be Discontinued

Paul Gilmartin wrote:

<snip>
> Can the HMC be configured, then, as an FTP server usable for RECEIVE
> FROMNETWORK given suitable SMPSRVR definition, and is the DVD in
> GIMZIPped format? If all these are true, then SMP/E can do it all in
> one RECEIVE step, as Ed hopes. Has IBM done PoC?
>
> GIMZIP format is protected by SHA-1 checksums. These might be
> delivered via an independent secure channel (voice phone call?)

So, not necessarily in the order these things have come up:

- SHA-1 checksums used by GIMZIP/GIMUNZIP/GIMGTPKG were not intended to be regarded as secure signatures. IBM packages cannot really be described as "signed." Also, NIST has deprecated SHA-1 for such a purpose for some time. Whether the SHA-1 hash value used to verify a package's integrity is just the one that comes with it or whether it's verified by telephone, Registered Mail, or carrier pigeon truly matters not from a security point of view. SSL is more reliable for that purpose, as someone else suggested in this thread. The combination of SHA-1 for integrity and SSL for connection verification seems reasonably secure to yours truly, but I am not a security guy so take my opinion for what it's worth.