Re: Archive signatures versus message digests

On Thu, Dec 15, 2011 at 04:51:02PM +0100, Guido Trentalancia wrote:
> Also consider that Redhat, being a supplier of systems to the US
> government, might have legal obligations towards it to use NSA or at
> least NIST certified cryptographic equipment instead of uncertified
> open-source software such as gpg ( that I had proposed to
> you as an initial affordable solution fit for purpose of many home users
> provided that gpg is in turn secure and provided that the algorithms
> being used are secure enough.

Why does it matter what Red Hat legal obligations are? I say it once
again: SHA256 is not there to provide security. GPG might be nice, not
doing it at the moment, will be done at some point in future.

> But if you really never heard anything like this before, then a good
> introductory article for the general public is the following one:
> Of course other algorithms can be invented and created if those provided
> at no cost by gpg do not suit your taste or if you can prove that they
> are faulty or too weak.

I suggest looking into practical security instead of your theoretical
stuff. Yeah GPG might have some added value. Practically speaking, with
the current infrastructure at GNOME, it will provide a _false_ sense of

Please read to see how I work on
security. Fixing the bigger problems, instead of minor things like GPG
while leaving a big gaping door open.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]