Crypographically Strong Software Distribution HOWTO
V. Alex Brennen
vab at cryptnet.net
Mon Jul 2 22:52:08 EDT 2001
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 2 Jul 2001, Rich Salz wrote:
> Seems pretty nice; thanks for doing this.
Thanks. Unfortunately, I'm afraid it's of little value if projects
do not adopt it.
> Any chance of using SHA1 instead of MD5? MD5 seems to have weaknesses;
> the IETF says not to use it in their protocols, for example.
My apologies, the suggested use of SHA1 was my intention. I'll
make my self more clear.
I used MD5 as an example in section 1.2, which explains concepts,
due to its wide spread use by Linux distributors such as Red Hat
and Mandrake and other free software projects. However, in
section 2.1 (the establishment instructions) I clearly state
that "I strongly suggest that you revoke any version 2 or
version 3 public keys and replace them with version 4 keys
unless you have good reason not to do so." Since this HOWTO
is written for GnuPG on Linux which uses SHA1 by default in
version 4 keys, I thought my suggestion to use a version 4
key was a sufficient statement in support of SHA1 over MD5. I
wanted to leave room for people who wanted to use MD5,
despite its potential weaknesses, in the event that they had
concerns about SHA1 being a government algorithm. This was
poor judgment.
Thanks again for the suggestion. I should have been more clear.
I'll include a statement about the potential weaknesses of MD5
in the next version of the HOWTO and a deprecation of MD5 in
the Strong Distribution Model and Guerrilla Development Model.
I'll release that version once I compile the feedback on the
current version.
I appreciate the feedback. This is part of a rather large
and ambitious project on my part to decentralize software
distribution. I'm working to build the infrastructure
necessary to provide the free software community with a
solid PGP framework to build upon.
Strong Distribution HOWTO (Cryptographic Signatures)
http://www.cryptnet.net/fdp/crypto/strong_distro.html
GnuPG Keysigning Party HOWTO (Web Of Trust)
http://www.cryptnet.net/fdp/crypto/gpg-party.html
CryptNET Keyserver (Keyserver optimized for Web Of Trust evaluation)
http://www.cryptnet.net/fsp/cks/
(Very early alpha - 1.0.0 release planned in about three weeks)
CryptNET Keyserver Network (Keyservers to distribute public keys)
http://keyserver.cryptnet.net/
Free Software P2P Network [FSPN] (P2P Network for software distribution)
http://fspn.cryptnet.net/
I'm working on a bunch of other code to produce infrastructure
as well. My goal is to have 40% of the major free software
projects cryptographically protected by the end of the year.
The compromise of the Apache server is what, in part, motivated
me to do this.
- VAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76
iD8DBQE7QTNh+pIJc5kqSz8RAq5HAJ4hPXL0lzKfP6OUaFLTJNqHABgQhwCfaohV
LZIhKKhjA9haDYQ52HIpbN4=
=a3mP
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list