
Re: New field proposed, UUID

* Joey Hess <joeyh@debian.org> [001129 16:17]:
> [...] sign a concatenation of their md5sums? [...]
> I don't understand how signing a uuid that is just listed in the control
> file and could be modified by anyone is cryptographically secure.

I would like to suggest that whatever signature scheme is in the works
use something stronger than md5. Problems have been found in its
compression function, and its small bit-length doesn't help much either.

Using SHA-1 or a hash based on the AES standard would give more
cryptographic confidence.

``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all
really impressed down here, I can tell you.''
