From: "Valeri Galtsev"
To: "RW"
Cc: freebsd-questions@freebsd.org
Date: Mon, 3 Mar 2014 10:21:46 -0600 (CST)
Subject: Re: Cryptografically signed ISO images

On Mon, March 3, 2014 10:02 am, RW wrote:
> On Mon, 3 Mar 2014 09:50:05 -0600 (CST)
> Valeri Galtsev wrote:
>
>> The only difference I see in general between the signature and SHA-2
>> hash is in a chain of trust. The rest (assurance that what you have
>> resembles the signature in one case or SHA-2 hash in the other) is on
>> the same level of security. Chain of trust is different though: in
>> case of pgp or gpg signature you know the public key of signee from
>> some published source (i.e. you trust that source). In case of SHA-2
>> hash you have to trust the web site that provides the hashes, which
>> you accomplish by verifying that SSL Certificate the site presents is
>> signed by trusted authority and by common sense (is this site related
>> to FreeBSD thus authoritative to provide signatures or not).
>>
>> If someone sees mistake(s) in what I said, please, let me know.
>
> That's fine if you can download the checksum files by HTTPS, but on an
> FTP server it's no more than a check against corruption.

Yes, but: if you verified the certificate of https host, you can be sure
that ftp on the same IP address is owned by the same people. But I see
your point. Yet if you are that cautious, you do have the way to do it to
your satisfaction, right?

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++