From: yawnmoth on
On Mar 10, 7:52 pm, unruh <un...(a)wormhole.physics.ubc.ca> wrote:
> On 2010-03-11, Joseph Ashwood <ashw...(a)msn.com> wrote:
>
> > "yawnmoth" <terra1...(a)yahoo.com> wrote in message
> >news:b23c56c2-0e77-4533-a2b3-ec41a5524df7(a)e1g2000yqh.googlegroups.com...
> >> Say you wanted to make a release of some software package with a
> >> signature to verify that it was you who made the release.  PGP has a
> >> signature format that can be used to do this, as described at <http://
> >> httpd.apache.org/dev/verification.html> but what other formats are
> >> there?
>
> There are three requirements of a signature for a release.
> a) A cryptographic hash of the thing being released. This is to ensure
> that someone else cannot change the object while maintaining the same
> hash.
> b) A way to deliver that hash so that the recipient is relatively sure
> that it is actually the hash as calculated by the person who released
> the object. This could be via a public key delivery system with some way
> of ensuring that the public key is actually the same as the public key
> of the releaser, or it could be via delivery of the hash via some other
> mechanism that makes the recipient sure that it came from the releaser.
> c) A way of checking the hash on the object with that hash from the
> releaser.
>
> PGP delivers one way, the key being that one can fulfil b)-- making the
> recipient sure that the hash is that computed by the releaser. This
> means that there must be some way of securely identifying the releaser
> and getting the hash from the releaser. In this case, getting the public
> key of the releaser ( and being sure that this has not been replaced by
> that of the attacker). PGP has a whole mechanism for trying to ensure
> that the public key actually is that of the releaser (Web of trust,
> Signing authorities, ...).

I wasn't asking how signatures work... I was asking what formats are
widely supported.

Like I said in my post, I can base64 encode an RSASSA-PSS signature
but if there aren't any widely deployed CLI tools to verify such
signatures, is that really the best format to use?

It's like... XML / XSL / and all the other associated XML
technologies are neat more because of how widely supported they are
than anything else. Certainly you could create your own custom
formats but then you'd have to write all the additional software
yourself.
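
Both threads of this exchange, the three pieces of a release signature that unruh lists and yawnmoth's question of whether a base64-encoded RSASSA-PSS signature can be checked with a widely deployed CLI tool, are walked through in the script below. It is an added example, not code from the thread or from any project it mentions. It assumes only an openssl binary (1.0.1 or newer) on PATH; every file name, key file and the release contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: sign a release with RSASSA-PSS
# using only the openssl CLI, distribute the detached signature as base64,
# and verify it on the receiving side.  It walks the three requirements
# from the quoted post: (a) hash the object, (b) bind that hash to the
# releaser's key, (c) let the recipient re-check it.
# Assumes: an openssl binary (1.0.1 or later) on PATH.  Every file name
# and the release contents are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# (b) The releaser's key pair.  The private half never leaves the
# releaser; the public half is what recipients must obtain by some
# trustworthy path (web of trust, a pinned fingerprint, ...).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null
openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub"

# Fingerprint of a public key: SHA-256 over its DER encoding.  Publishing
# this out of band (mailing list, keyserver, printed on a slide) is one
# way to let recipients confirm they hold the releaser's key and not an
# attacker's.  Prints 64 hex characters.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# (a)+(b) Hash the release with SHA-256 and sign the hash with RSASSA-PSS.
# rsa_pss_saltlen:-1 selects a salt as long as the digest.  The raw
# signature is base64-encoded so it can travel in an e-mail or a text
# file next to the tarball.
sign_release() {                       # $1=file $2=private key $3=base64 sig out
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -sign "$2" -out "$WORK/sig.bin" "$1"
    openssl base64 -A -in "$WORK/sig.bin" -out "$3"
}

# (c) Recompute the hash on the received file and check it against the
# signature under the releaser's public key.  Exit status 0 means the
# file is exactly what was signed; anything else means reject it.
verify_release() {                     # $1=file $2=public key $3=base64 sig
    openssl base64 -d -A -in "$3" -out "$WORK/verify.bin"
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 \
        -verify "$2" -signature "$WORK/verify.bin" "$1" >/dev/null 2>&1
}

# --- releaser side ---------------------------------------------------------
RELEASE="$WORK/foo-1.0.tar"
SIG="$RELEASE.sig.b64"
printf 'constructed release contents\n' > "$RELEASE"
sign_release "$RELEASE" "$WORK/release.key" "$SIG"
echo "public key fingerprint: $(pubkey_fingerprint "$WORK/release.pub")"

# --- recipient side --------------------------------------------------------
if verify_release "$RELEASE" "$WORK/release.pub" "$SIG"; then
    echo "genuine release: signature verifies"
else
    echo "BUG: genuine release failed to verify"; exit 1
fi

# A single appended byte changes the hash, so the same signature no
# longer verifies: this is requirement (a) doing its job.
cp "$RELEASE" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"
if verify_release "$WORK/tampered.tar" "$WORK/release.pub" "$SIG"; then
    echo "BUG: tampered release verified"; exit 1
else
    echo "tampered release: signature rejected (expected)"
fi
```

The detached-signature-beside-the-tarball layout is the same pattern PGP uses; what `openssl` on its own gives you is (a) and (c) only. It has no notion of who `release.pub` belongs to, which is the gap the quoted post calls requirement (b): the fingerprint the script prints has to reach recipients through a channel an attacker cannot substitute, or the verification proves nothing beyond "somebody with some key signed this".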