[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New field proposed, UUID

On Wed, Nov 29, 2000 at 04:14:25PM -0800, Joey Hess wrote:
> If I understand right, Ben wants something unique that can be signed
> for some secrit package signing scheme. Assuming the sig goes in a
> component after control.tar.gz and data.tar.gz, why can't is just sign
> a concacentation of their md5sums?
> I don't understand how signing a uuid that is just listed in the control
> file and could be modified by anyone is cryptographically secure.
> Must be missing something.

The UUID means nothing for security, it is there for uniquely identifying
a package. The UUID itself proves nothing, and the security model I am
talking about does not use it for verification. It is meant to say
"package xxx-xxx-xxx-xxx-xxxxxxxx is what we are talking about".

So you are just reading more into this than is meant to be :)

/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '

Reply to: