Date: Mon, 3 Mar 2014 16:02:18 +0000 From: RW <rwmaillists@googlemail.com> To: freebsd-questions@freebsd.org Subject: Re: Cryptografically signed ISO images Message-ID: <20140303160218.072db3fe@gumby.homeunix.com> In-Reply-To: <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> References: <20140302172759.GA4728@hp-netbook.local> <20140303152943.GA5696@hp-netbook.local> <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 3 Mar 2014 09:50:05 -0600 (CST) Valeri Galtsev wrote: > The only difference I see in general between the signature and SHA-2 > hash is in a chain of trust. The rest (assurance that what you have > resembles the signature in one case or SHA-2 hash in the other) is on > the same level of security. Chain of trust is different though: in > case of pgp or gpg signature you know the public key of signee from > some published source (i.e. you trust that source). In case of SHA-2 > hash you have to trust the web site that provides the hashes, which > you accomplish by verifying that SSL Certificate the site presents is > signed by trusted authority and by common sense (is this site related > to FreeBSD thus authoritative to provide signatures or not). > > If someone sees mistake(s) in what I said, please, let me know. That's fine if you can download the checksum files by HTTPS, but on an FTP server it's no more that a check against corruption.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140303160218.072db3fe>