From owner-freebsd-ports Tue Feb 6 16:40:57 2001
Delivered-To: freebsd-ports@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39])
    by hub.freebsd.org (Postfix) with ESMTP id 290B837B401;
    Tue, 6 Feb 2001 16:40:38 -0800 (PST)
Received: from nisser.com (roelof [10.0.0.2])
    by nisser.com (8.9.3/8.9.2) with ESMTP id BAA94762;
    Wed, 7 Feb 2001 01:40:16 +0100 (CET)
    (envelope-from roelof@nisser.com)
Message-ID: <3A809970.EC5D31FF@nisser.com>
Date: Wed, 07 Feb 2001 01:40:16 +0100
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.72 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Wes Peters
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG, freebsd-ports@FreeBSD.ORG
Subject: Re: Package integrity check?
References: <20010205210459.A2479@acc.umu.se> <3A7F9AB6.5CAA983B@softweyr.com> <200102061526.KAA31832@khavrinen.lcs.mit.edu> <3A802FAF.792F61F5@softweyr.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wes Peters wrote:
>
> ...
> That's pretty much at the discretion of the parties signing and verifying
> the packages. One of the signatures is a simple SHA1 crypto checksum,
> that implies little other than you got what the package creator put
> together to a fair degree of certainty.

That - 'simple' - was not my impression. I 'needed' to implement both
MD-4/5 and SHA-1 in Delphi a while ago and the thing that struck me
from the FIPS notes was that it claimed - hah, here's the print-out -
the following properties:

  "it is computationally infeasible to find a message which corresponds
   to a given MD, or to find two different messages which produce the
   same MD."

That's pretty plain language. It does not say "it is CURRENTLY...".
Nope. Just that it is infeasible.

Then again, I'm neither a lawyer nor a cryptologist so...

> ...
> "Where am I, and what am I doing in this handbasket?"

I dunno. Are those snoring noses coincidental?

Roelof

--
Home is where the (@) http://eboa.com/ is.
Nisser home -- http://www.Nisser.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message