On Apr 4, 2013, at 11:15 AM, Tristan Seligmann <mithra...@mithrandi.net> wrote:
> In fact, I believe there is no such thing as "signing the whole binary blob".
> When you use something like gpg --sign, what is actually signed with a public
> key signature algorithm is a hash of the content anyway. Thus, assuming you
> use the same hash algorithm as you would have instructed gpg to use (I think
> the default is SHA512 these days), there isn't any real difference between
> signing the content directly, and signing a hash of the content.
This is my understanding as well; however, when I'm making potentially
security-critical claims I try to be circumspect in describing systems I don't
fully understand :).
-g
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
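The point Tristan makes above (a public-key signature over "the whole blob" is in practice a signature over a digest of it, so signing a precomputed hash with the same algorithm gives the same result) can be shown concretely. The following is an added example, not code from the thread or from Twisted; it assumes the third-party `cryptography` package is installed and uses RSA with PKCS#1 v1.5 padding and SHA-256 as a stand-in for gpg (it does not produce OpenPGP packets). The "blob" and the function names are constructed for the illustration.

```python
"""Added example (not from the thread): show that signing content and
signing its hash are the same operation, and what a verifier should check.
Assumes the third-party `cryptography` package; RSA PKCS#1 v1.5 + SHA-256
stands in for gpg here and does not emulate the OpenPGP format."""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# Constructed sample "binary blob", standing in for a release tarball.
BLOB = b"\x00\x01\x02 constructed sample release artifact \xff\xfe" * 64


def sign_content(key, data):
    """Hand the full content to the library; it hashes with SHA-256 internally."""
    return key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def sign_digest(key, digest):
    """Hand only a precomputed SHA-256 digest to the library (Prehashed path)."""
    return key.sign(digest, padding.PKCS1v15(), utils.Prehashed(hashes.SHA256()))


def verify(pub, signature, data, algorithm=None):
    """Verifier re-hashes the content it actually holds; True if the signature is valid."""
    algorithm = algorithm or hashes.SHA256()
    try:
        pub.verify(signature, data, padding.PKCS1v15(), algorithm)
        return True
    except InvalidSignature:
        return False


def run_checks(data=BLOB):
    """Return the outcomes a signing/verification pipeline should assert on."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    direct = sign_content(key, data)
    prehashed = sign_digest(key, hashlib.sha256(data).digest())
    tampered = data[:-1] + bytes([data[-1] ^ 1])  # flip one bit of the content
    return {
        # Byte-identical: "signing the blob" and "signing its SHA-256" coincide
        # (PKCS#1 v1.5 is deterministic, so the bytes match, not just the validity).
        "same_signature": direct == prehashed,
        # The verifier recomputes the digest from the content it received.
        "verifies": verify(pub, prehashed, data),
        # Any change to the content changes the digest, so verification fails.
        "tamper_detected": not verify(pub, prehashed, tampered),
        # Signer and verifier must agree on the hash algorithm; this is why the
        # quoted reply conditions the equivalence on "the same hash algorithm".
        "algorithm_mismatch_rejected": not verify(pub, prehashed, data, hashes.SHA512()),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The two signing paths produce identical bytes because PKCS#1 v1.5 is deterministic; with a randomized scheme such as RSA-PSS the bytes would differ on every call but both signatures would still verify against the same content. The practical consequence for a release process is that whoever computes the digest handed to the signer is part of the trusted computing base: the signer attests to whatever digest it was given, so the digest must be computed over the exact artifact being published, and the verifier must use the same hash algorithm the signer used.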