
Re: New field proposed, UUID



On Wed, Nov 29, 2000 at 04:14:25PM -0800, Joey Hess wrote:
> If I understand right, Ben wants something unique that can be signed
> for some secret package signing scheme. Assuming the sig goes in a
> component after control.tar.gz and data.tar.gz, why can't it just sign
> a concatenation of their md5sums?
> 
> I don't understand how signing a uuid that is just listed in the control
> file and could be modified by anyone is cryptographically secure.
> 
> Must be missing something.

The UUID means nothing for security, it is there for uniquely identifying
a package. The UUID itself proves nothing, and the security model I am
talking about does not use it for verification. It is meant to say
"package xxx-xxx-xxx-xxx-xxxxxxxx is what we are talking about".

So you are just reading more into this than is meant to be :)

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
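The distinction drawn in this exchange, as an added example that is not part of the original messages: a signature over the concatenated member digests fails when data.tar.gz changes, while a signature over the UUID alone still verifies because the UUID only names the package. Assumptions: SHA-256 is swapped in for the md5sums mentioned above, HMAC with a demo key stands in for a real public-key signature, and the member contents, key and UUID value are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the two archive members of a package.
CONTROL = b"Package: demo\nVersion: 1.0\nUUID: 00000000-0000-0000-0000-000000000000\n"
DATA = b"constructed bytes standing in for data.tar.gz"

# Assumption: HMAC-SHA256 with this demo key stands in for a public-key signature.
SIGNING_KEY = b"constructed-demo-key"


def member_digests(control: bytes, data: bytes) -> bytes:
    """Concatenate the hex digests of both members (SHA-256 here, not md5)."""
    joined = hashlib.sha256(control).hexdigest() + hashlib.sha256(data).hexdigest()
    return joined.encode()


def uuid_of(control: bytes) -> str:
    """Read the UUID field from the control text; it identifies, nothing more."""
    for line in control.decode().splitlines():
        if line.startswith("UUID:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no UUID field")


def sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(message), signature)


def demo() -> dict:
    sig_digests = sign(member_digests(CONTROL, DATA))
    sig_uuid = sign(uuid_of(CONTROL).encode())
    # Same control member (same UUID), modified payload.
    tampered = DATA + b" plus one extra file"
    return {
        "digest_sig_ok_original": verify(member_digests(CONTROL, DATA), sig_digests),
        "digest_sig_ok_tampered": verify(member_digests(CONTROL, tampered), sig_digests),
        "uuid_sig_ok_tampered": verify(uuid_of(CONTROL).encode(), sig_uuid),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```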


