On Mon, Mar 08, 1999 at 11:35:27PM +0100, Erwann ABALEA wrote:
> On Mon, 8 Mar 1999, J. Andres Hall wrote:
> 
> > >> Not much of one, of course, since whoever modified it could also modify
> > >> the MD5!
> > >
> > >Correct, the MD5 is actually intended to just let people quickly check whether
> > >some download/transfer errors occurred. For real guarantee we should sign it
> > >via PGP.
> > >                                       Ralf S. Engelschall
> > 
> > 
> > Why would you use PGP to sign the source of an X.509-capable Package?
> 
> Maybe because OpenSSL is full of backdoors and the core team don't trust
> it??? ;-)


:-)



> 
> Just kidding...
> 
> Anyway, that's a good question, there's a real need to perform PKCS#7
> signing, or S/MIME signing... or anything that could be useful in this
> sense...



I agree. MD5 check shouldn't be taken for more than it is! I'd rather go
for PGP or why not (?) its GNU equivalent.


Cheers

mh

> 
> -- 
> Erwann ABALEA
> System and Development Engineer - Certplus SA
> [EMAIL PROTECTED]
> - RSA PGP Key ID: 0x2D0EABD5 -
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

-- 
Michael Hallgren, Graphnet Systems, http://mh.graphnet.fr
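
The point made in this thread, as an added example that is not part of the original messages: an MD5 file stored beside the download still matches after both are replaced, while a detached signature checked against a separately obtained public key does not. It uses OpenSSL's own `dgst -sign` / `-verify` in place of PGP (a substitution), and all file names, contents and keys are constructed.

```shell
#!/bin/sh
# Constructed demo: file names, contents and the key are made up for illustration.

# Release manager: create a key pair, a "tarball", its MD5 file and a signature.
# In practice release.key never leaves the signer; only release.pub is published,
# through a channel the mirror operator does not control (assumption).
make_release() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/release.key" 2>/dev/null &&
    openssl pkey -in "$1/release.key" -pubout -out "$1/release.pub" &&
    printf 'original source\n' > "$1/pkg.tar" &&
    openssl dgst -md5 < "$1/pkg.tar" > "$1/pkg.tar.md5" &&
    openssl dgst -sha256 -sign "$1/release.key" -out "$1/pkg.tar.sig" "$1/pkg.tar"
}

# Someone with write access to the download area: replaces the file and
# recomputes the MD5 next to it. Without release.key the .sig cannot be redone.
tamper() {
    printf 'modified source\n' > "$1/pkg.tar" &&
    openssl dgst -md5 < "$1/pkg.tar" > "$1/pkg.tar.md5"
}

# Downloader, check 1: compare against the MD5 file fetched from the same place.
check_md5() {
    [ "$(openssl dgst -md5 < "$1")" = "$(cat "$1.md5")" ]
}

# Downloader, check 2: verify the detached signature with the published key.
check_sig() {
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

d=$(mktemp -d) || exit 1
make_release "$d" || exit 1
tamper "$d"
check_md5 "$d/pkg.tar" && echo "MD5 check:       accepts the modified file"
check_sig "$d/pkg.tar" "$d/release.pub" || echo "signature check: rejects the modified file"
rm -rf "$d"
```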