Re: gsu (Was Re: More Political Stuff)



> Sean Middleditch wrote:
> > > On Wed, 30 Aug 2000, Sean Middleditch wrote:
> > >
> > > Digital signatures are computed from the checksum of the file and a
> > > private key in such a way that to check the authenticity of the key, only
> > > a publicly available key is required, but to generate the key, a secret
> > > key is required.  To 'just copy the signature..' you would need to be able
> > > to break a scheme like RSA.
> > 
> > .... So the entire message is encoded, or is merely an additional
> > signature added to a message/data?  I think perhaps I've gotten a
> > mis-representation of the storage mechanism used here... (nothing new, I
> > might add  ~,^  )
> > 
> 
> Ok, just to try and clarify, you compute a Message Digest (ie a checksum, a
> hash) over the data (email message, tarball etc), knowing that it is
> computationally infeasible to generate another piece of data which computes to
> the same Message Digest.  For this you use something like MD5, or even better
> SHA-1.
> 
> You then sign the Message Digest using an asymmetric key, that is with your
> private key, so that anyone with access to your public key can extract the hash,
> verify the contents of the data by computing the hash over the message
> themselves and comparing it to the hash extracted using the public key.  That
> way they know that you provided the hash to the data, and that no-one has
> modified it since.  Asymmetric key cryptography is most commonly called Public
> Key cryptography, and you use algorithms like RSA or DSA.
> 
> Hope my chicken scratchings clarify rather than confuse,
> 


Ah, I get it.  So the only way the signature could be copied and used is
to send the exact same message, without modifications, which really
wouldn't make much difference then, right?

OK then.  Well, ok, about Themes again then, why can't we use those to
ensure safety of themes?  A special file like 'key' or something that's
made a signature with a hash of the theme file tree and contents, or
whatnot...

Then perhaps store a list of entrusted keys.  If a theme is selected to
run that has never been used before, check the key.  Give a warning if
there is no key.  Otherwise, check the OK keys list.  If the signature
doesn't match, then give a warning.  Possibly, for unknown signatures,
have a secured way of storing information like name or something, or
perhaps an on-line database, to look up and see who the key belongs to,
if it's valid, etc.

Or something.

No?

Sean Etc.

> -- 
> Michael Davies                     "I can't remember 
> mailto:michaeld@senet.com.au        if I cried,  when I
> http://www.senet.com.au/~michaeld   read about Windows95"
> 
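
The theme check proposed in the message above, sketched as an added example (not code from this thread or from any project it discusses). The signature step is textbook RSA with a constructed demo key, used only so the block runs with the standard library; the layout of the `key` file (signer name, hex signature), the `trusted` map and the sample theme file are assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path

# Constructed demo key (assumption): textbook RSA, no padding, Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D is held by the signer only
KEY_FILE = "key"  # special file name suggested in the message

def tree_digest(root):
    """Hash relative paths and contents of the theme tree, skipping KEY_FILE."""
    h = hashlib.sha256()
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # fixed traversal order so the digest is reproducible
        for name in sorted(files):
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if rel != KEY_FILE:
                data = path.read_bytes()
                # length prefixes keep path/content boundaries unambiguous
                h.update(f"{len(rel)}:{rel}:{len(data)}:".encode() + data)
    return int.from_bytes(h.digest(), "big")

def sign_theme(root, signer, d=D, n=N):
    sig = pow(tree_digest(root), d, n)  # signer side: sign the tree digest
    Path(root, KEY_FILE).write_text(f"{signer}\n{sig:x}\n")

def check_theme(root, trusted):
    """trusted: signer name -> (e, n). Returns 'ok' or a warning string."""
    try:
        signer, sig_hex = Path(root, KEY_FILE).read_text().split()
        sig = int(sig_hex, 16)
    except (OSError, ValueError):
        return "warn: no usable key"
    if signer not in trusted:
        return "warn: unknown signer"
    e, n = trusted[signer]
    if pow(sig, e, n) != tree_digest(root):
        return "warn: signature mismatch"
    return "ok"

def demo():
    with tempfile.TemporaryDirectory() as root:
        rc = Path(root, "main.rc")  # constructed sample theme file
        rc.write_text("color = blue\n")
        trusted = {"alice": (E, N)}  # constructed trusted-keys list
        out = [check_theme(root, trusted)]
        sign_theme(root, "alice")
        out += [check_theme(root, trusted), check_theme(root, {})]
        rc.write_text("color = red\n")  # modified after signing
        return out + [check_theme(root, trusted)]
```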
