Cryptografically signed ISO images
Valeri Galtsev
galtsev at kicp.uchicago.edu
Mon Mar 3 16:21:47 UTC 2014
On Mon, March 3, 2014 10:02 am, RW wrote:
> On Mon, 3 Mar 2014 09:50:05 -0600 (CST)
> Valeri Galtsev wrote:
>
>> The only difference I see in general between the signature and SHA-2
>> hash is in a chain of trust. The rest (assurance that what you have
>> resembles the signature in one case or SHA-2 hash in the other) is on
>> the same level of security. Chain of trust is different though: in
>> case of pgp or gpg signature you know the public key of signee from
>> some published source (i.e. you trust that source). In case of SHA-2
>> hash you have to trust the web site that provides the hashes, which
>> you accomplish by verifying that SSL Certificate the site presents is
>> signed by trusted authority and by common sense (is this site related
>> to FreeBSD thus authoritative to provide signatures or not).
>>
>> If someone sees mistake(s) in what I said, please, let me know.
>
> That's fine if you can download the checksum files by HTTPS, but on an
> FTP server it's no more that a check against corruption.
Yes, but: if you verified the certificate of https host, you can be sure
that ftp on the same IP address is owned by the same people. But I see
your point. Yet if you are that cautious, you do have the way to do it to
your satisfaction, right?
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
More information about the freebsd-questions
mailing list