> for a data sig (based on a previous discussion the hash is prefixed
(referring to the data that is hashed, and emphasis on prefixed vs. postfixed)
--
Jerome Baum
tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PG
>> Does the (mathematical) signature differ between data sigs and certs
>> in any way besides the varying hash?
>
> Does that matter and why?
If only the hash varies, you need the data to be sure that the hash is
for a data sig (based on a previous discussion the hash is prefixed
with the "data vs
On Tuesday, 14 June 2011, 13:51:10 Jerome Baum wrote:
> Does the (mathematical) signature differ between data sigs and certs
> in any way besides the varying hash?
Does that matter and why?
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
> No, it's the other way. A PGP signature does embed information about all
> sorts of things, including whether it is the signature of a file or signature
> over a certificate.
I think it really boils down to "the details are significant". It's
not really the signature packet that is relevant,
On Jun 13, 2011, at 8:31 PM, Kerrick Staley wrote:
> Just to make sure that I'm understanding this, a complete PGP signature does
> not embed information about whether it is the signature of a file or the
> signature of a certificate, so it's a bad idea to sign a remotely generated
> digest?
N
On Tue, Jun 14, 2011 at 02:31, Kerrick Staley wrote:
> Just to make sure that I'm understanding this, a complete PGP signature does
> not embed information about whether it is the signature of a file or the
> signature of a certificate, so it's a bad idea to sign a remotely generated
> digest?
It
Just to make sure that I'm understanding this, a complete PGP signature does
not embed information about whether it is the signature of a file or the
signature of a certificate, so it's a bad idea to sign a remotely generated
digest?
-Kerrick Staley
On Mon, Jun 13, 2011 at 5:36 PM, Faramir wrot
On 13-06-2011 11:39, Hauke Laging wrote:
...
> I would like to have the possibility to pass the hash to be signed.
I suppose if the hash is sent using a "secure" connection, it should
be safe enough. But that option, no doubt, would be an "expe
On Jun 13, 2011, at 1:05 PM, Jerome Baum wrote:
>> We had a discussion about smart-card signatures here and basically the
>> issue with passing just a hash is that you can't distinguish data
>> signatures from certifications/key signatures.
>
> To clarify, you can't tell from the hash, and you ca
On 06/13/2011 01:05 PM, Jerome Baum wrote:
> Of course, you could solve this problem by signing with a sub-key,
> which isn't meant to certify other keys. I do wonder how e.g. PGP
> would react on seeing a key certification from a sub-key.
it should depend on whether the key usage flags for the su
> We had a discussion about smart-card signatures here and basically the
> issue with passing just a hash is that you can't distinguish data
> signatures from certifications/key signatures.
To clarify, you can't tell from the hash, and you can't really add a
packet "I'm signing data here" vs. "I'm
> I would like to have the possibility to pass the hash to be signed.
We had a discussion about smart-card signatures here and basically the
issue with passing just a hash is that you can't distinguish data
signatures from certifications/key signatures.
So, you might trust the remote server to gi
On Monday, 13 June 2011, 17:15:59 Dan McGee wrote:
> I did suggest [2] signing package hashes as one possible option
I just realized that this does not solve the "you don't know what you sign"
argument at all. Whether you sign a file or the hash of that file is usually
not a difference to the
On Mon, Jun 13, 2011 at 3:47 AM, Werner Koch wrote:
> On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said:
>
>> Is it possible to generate the digest for a file, and then create the
>> signature from that digest later?
>
> No, this is not possible. We once considered implementing such a
> feat
On Sun, Jun 12, 2011 at 7:54 PM, Jerome Baum wrote:
>> The databases (lists) are not very large, as far as I understand, but
>> it wasn't my call ("repositories" in the 4th line is a typo; I meant
>> "databases"). I'm not an Arch Linux developer; I'm just contributing
>> to their effort to impleme
On Sun, 12 Jun 2011 23:15, m...@kerrickstaley.com said:
> Is it possible to generate the digest for a file, and then create the
> signature from that digest later?
No, this is not possible. We once considered implementing such a
feature but dropped that plan. The technical problem is that with
> The databases (lists) are not very large, as far as I understand, but
> it wasn't my call ("repositories" in the 4th line is a typo; I meant
> "databases"). I'm not an Arch Linux developer; I'm just contributing
> to their effort to implement package signing.
> Individual packages will be signed
>> Given this line from the original post, "developers for the Arch Linux
>> distribution need a way to sign databases (lists of software packages)
>> on the central repository (package server) without having to copy those
>> repositories to their local computer and back" I'm guessing that it'd be
>> In any case, what kind of database is this that it's too much of a
>> hassle to copy over? What size, etc.?
> Given this line from the original post, "developers for the Arch Linux
> distribution need a way to sign databases (lists of software packages)
> on the central repository (package serv
On 13/06/11 9:16 AM, Jerome Baum wrote:
>
> Who makes these considerations?
>
> In any case, what kind of database is this that it's too much of a
> hassle to copy over? What size, etc.?
Given this line from the original post, "developers for the Arch Linux
distribution need a way to sign databa
On Sun, Jun 12, 2011 at 23:15, Kerrick Staley wrote:
> Is it possible to generate the digest for a file, and then create the
> signature from that digest later?
Problem is, you don't know what you're signing.
>> > Is it possible to generate the digest for a file, and then create the
>> > signature from that digest later?
>> Problem is, you don't know what you're signing.
> I realize that this is a problem; however, it is considered to be an
> acceptable risk. The same problem happens if the developers si
On Sun, Jun 12, 2011 at 5:37 PM, Jerome Baum wrote:
>
> On Sun, Jun 12, 2011 at 23:15, Kerrick Staley wrote:
> > Is it possible to generate the digest for a file, and then create the
> > signature from that digest later?
>
> Problem is, you don't know what you're signing.
I realize that this is
Hello,
Is it possible to generate the digest for a file, and then create the
signature from that digest later?
I'm making this inquiry because developers for the Arch Linux distribution
need a way to sign databases (lists of software packages) on the central
repository (package server) without hav