Re: New field proposed, UUID
* Joey Hess <firstname.lastname@example.org> [001129 16:17]:
> [...] sign a concatenation of their md5sums? [...]
> I don't understand how signing a uuid that is just listed in the control
> file and could be modified by anyone is cryptographically secure.
I would like to suggest that whatever signature scheme is in the works
use something stronger than md5. Problems have been found in its
compression function, and its small bit-length doesn't help much either.
Using SHA-1 or a hash based on the AES standard would give more
``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all
really impressed down here, I can tell you.''