Re: PGP signing releases

On Tue, Feb 04, 2003 at 02:04:01PM -0600, Greg Copeland wrote:
> 
> Even improperly used, digital signatures should never be worse than
> simple checksums.  Having said that, anyone that is trusting checksums
> as a form of authenticity validation is begging for trouble.

Should I point out that a "fingerprint" is nothing more than a
hash?

> Checksums are not, in of themselves, a security mechanism.

So a figerprint and all the hash/digest function have no purpose
at all?

> There really isn't any comparison here.

I didn't say you could compare the security offered by both of
them.  All I said was that md5 also makes sense from a security
point of view.


Should I also point out that md5 really isn't a "checksum",
it's a digest or hash.  I have to agree that a real checksum,
where you just add all the bytes, offers no protection.


Kurt