On Jun 13, 2011, at 8:31 PM, Kerrick Staley wrote:
> Just to make sure that I'm understanding this, a complete PGP signature does
> not embed information about whether it is the signature of a file or the
> signature of a certificate, so it's a bad idea to sign a remotely generated
> digest?
N
On Tue, Jun 14, 2011 at 02:31, Kerrick Staley wrote:
> Just to make sure that I'm understanding this, a complete PGP signature does
> not embed information about whether it is the signature of a file or the
> signature of a certificate, so it's a bad idea to sign a remotely generated
> digest?
It
Just to make sure that I'm understanding this, a complete PGP signature does
not embed information about whether it is the signature of a file or the
signature of a certificate, so it's a bad idea to sign a remotely generated
digest?
-Kerrick Staley
On Mon, Jun 13, 2011 at 5:36 PM, Faramir wrot
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 13-06-2011 11:39, Hauke Laging wrote:
...
> I would like to have the possibility to pass the hash to be signed.
I suppose if the hash is sent using a "secure" connection, it should
be safe enough. But that option, no doubt, would be an "expe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 07-06-2011 4:18, Werner Koch wrote:
...
>> Those are a lot of questions, but I'm still highly sceptical towards
>> that GPG2 monster and would prefer to stay with my more manageable
>
> It is not a monster; the installer is only that larger be
On Monday, 13 June 2011, 22:07:07, MFPA wrote:
> Because the signature time means nothing, unless there is
> corroboration. It is trivial to alter a system clock (or to use
> software to pass a different time to an app).
By that standard: What does a signature mean at all? As a parallel discus
>> Yes, and it is trivial to write a fake date next to my
>> signature. That doesn't mean there are no legal
>> implications. In fact, just as I can commit fraud
>> (under the right circumstances) by writing that fake
>> date on a piece of paper, I can commit fraud by using a
>> fake time-stamp in
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Monday 13 June 2011 at 9:19:18 PM, in
, Jerome Baum
wrote:
> Yes, and it is trivial to write a fake date next to my
> signature. That doesn't mean there are no legal
> implications. In fact, just as I can commit fraud
> (under the right cir
>>> Some people labour under the misapprehension that the
>>> signature time is significant and has potential legal
>>> implications.
>
>> Why should that be a misapprehension?
>
> Because the signature time means nothing, unless there is
> corroboration. It is trivial to alter a system clock (or t
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Sunday 12 June 2011 at 6:35:57 PM, in
, Hauke Laging
wrote:
> On Sunday, 12 June 2011, 15:23:19, MFPA wrote:
>> Some people labour under the misapprehension that the
>> signature time is significant and has potential legal
>> implicatio
On 19 May 2011 08:59, Werner Koch wrote:
> On Thu, 19 May 2011 00:26, ventur...@gmail.com said:
>
>> for FreeBSD, the implementation of libusb has diverged/lagged (i'm not
>> sure which tbh) where anything that depends on a recent version of
>> libusb is broken on anything newer than FreeBSD 7.x,
On Jun 13, 2011, at 1:05 PM, Jerome Baum wrote:
>> We had a discussion about smart-card signatures here and basically the
>> issue with passing just a hash is that you can't distinguish data
>> signatures from certifications/key signatures.
>
> To clarify, you can't tell from the hash, and you ca
On 06/13/2011 01:05 PM, Jerome Baum wrote:
> Of course, you could solve this problem by signing with a sub-key,
> which isn't meant to certify other keys. I do wonder how e.g. PGP
> would react on seeing a key certification from a sub-key.
it should depend on whether the key usage flags for the su
> We had a discussion about smart-card signatures here and basically the
> issue with passing just a hash is that you can't distinguish data
> signatures from certifications/key signatures.
To clarify, you can't tell from the hash, and you can't really add a
packet "I'm signing data here" vs. "I'm
> I would like to have the possibility to pass the hash to be signed.
We had a discussion about smart-card signatures here and basically the
issue with passing just a hash is that you can't distinguish data
signatures from certifications/key signatures.
So, you might trust the remote server to gi
On Monday, 13 June 2011, 17:15:59, Dan McGee wrote:
> I did suggest [2] signing package hashes as one possible option
I just realize that this does not solve the "you don't know what you sign"
argument at all. Whether you sign a file or the hash of that file is usually
not a difference to the
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch wrote:
> On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said:
>
>> Is it possible to generate the digest for a file, and then create the
>> signature from that digest later?
>
> No, this is not possible. We once considered to implement such a
> feat
On Sun, Jun 12, 2011 at 7:54 PM, Jerome Baum wrote:
>> The databases (lists) are not very large, as far as I understand, but
>> it wasn't my call ("repositories" in the 4th line is a typo; I meant
>> "databases"). I'm not an Arch Linux developer; I'm just contributing
>> to their effort to impleme
On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said:
> Is it possible to generate the digest for a file, and then create the
> signature from that digest later?
No, this is not possible. We once considered to implement such a
feature but dropped that plan. The technical problem is that with
19 matches