Re: PGP signing releases

From: Greg Copeland <greg(at)CopelandConsulting(dot)Net>
To: Kurt Roeckx <Q(at)ping(dot)be>
Cc: "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, Neil Conway <neilc(at)samurai(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: PGP signing releases
Date: 2003-02-04 04:55:12
Message-ID: 1044334511.2788.77.camel@mouse.copelandconsulting.net
Lists: pgsql-hackers

On Mon, 2003-02-03 at 13:55, Kurt Roeckx wrote:
> On Mon, Feb 03, 2003 at 12:24:14PM -0600, Greg Copeland wrote:
> > On Sun, 2003-02-02 at 20:23, Marc G. Fournier wrote:
> >
> > > right, that is why we started to provide md5 checksums ...
> >
> > md5 checksums only validate that the intended package (trojaned or
> > legit) has been properly received. They offer nothing from a security
> > perspective unless the checksums have been signed with a key which can
> > be readily validated from multiple independent sources.
>
> If you can get the md5 sum of "multiple independent sources",
> it's about the same thing. It all depends on how much you trust
> those sources.
>
> I'm not saying md5 is as secure as pgp, not at all, but you can't
> trust those pgp keys to be the real one either.

No, that is not the same thing at all. PKI specifically allows for "web
of trust". Nothing about md5 checksums allows for this. As such,
chances are, if a set of md5 checksums have been forged, they will be
propagated and presented as being valid even though they are not.

I'll say this again. Checksums alone offer zero security protection.
They were never intended to address that purpose. As such, they do not
address it. If you need security, use a security product. Checksums'
ONLY purpose is to ensure copy propagation validation. They do not
address certification of authenticity in any shape or form.

As for trusting the validity of the keys contained within a PKI, that's
where the whole concept of "web of trust" comes into being. You can
ignore it and not benefit or you can embrace it, as people are
advocating, and leverage it.

Validation of keys can be as simple as snail-mail, phone calls, and
fingerprint validation. It's that simple. It's why fingerprints exist
in the first place.

Regards,

--
Greg Copeland <greg(at)copelandconsulting(dot)net>
Copeland Computer Consulting
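The distinction drawn in the message above, as an added example that is not part of the thread: a mirror that swaps the tarball can regenerate the md5 file, and even offer its own key, but a signed checksum checked against a fingerprint validated out of band rejects it. Go's ed25519 and a SHA-256 key digest stand in for a PGP key and fingerprint; the tarball bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
)

type Release struct {
	Tarball  []byte
	Checksum string // hex md5 of Tarball, as published in a CHECKSUMS file
	Sig      []byte // signature over Checksum; nil when the file is unsigned
}

func md5Hex(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// Fingerprint stands in for a PGP fingerprint: the key digest a user confirms
// out of band (phone, snail-mail) before trusting the key.
func Fingerprint(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// ChecksumOnly: all an unsigned md5 file can say is "the bytes match".
func ChecksumOnly(r Release) bool { return md5Hex(r.Tarball) == r.Checksum }

// Signed: the key's fingerprint must equal the one validated out of band and
// the signature must verify; only then does the checksum prove anything.
func Signed(r Release, pub ed25519.PublicKey, trustedFP string) bool {
	return Fingerprint(pub) == trustedFP && ed25519.Verify(pub, []byte(r.Checksum), r.Sig) && ChecksumOnly(r)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil { panic(err) }
	return pub, priv
}

// Scenario models a mirror that swaps the tarball, regenerates the md5 and
// signs it with its own key; the named results say what each check decides.
func Scenario() (trojanMD5, trojanSigned, genuineSigned bool) {
	pub, priv := mustKey()   // release manager's key
	apub, apriv := mustKey() // attacker's key, served alongside the trojan
	good := Release{Tarball: []byte("constructed genuine tarball bytes")}
	good.Checksum = md5Hex(good.Tarball)
	good.Sig = ed25519.Sign(priv, []byte(good.Checksum))
	fp := Fingerprint(pub) // the value the user confirmed by phone
	bad := Release{Tarball: []byte("constructed trojaned tarball bytes")}
	bad.Checksum = md5Hex(bad.Tarball)
	bad.Sig = ed25519.Sign(apriv, []byte(bad.Checksum))
	return ChecksumOnly(bad), Signed(bad, apub, fp), Signed(good, pub, fp)
}
```

The trojan passes the checksum-only check because the attacker controls both the tarball and the checksum file; it fails the signed check at the fingerprint comparison, before the signature is even looked at.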
