1 |
On Fri, 18 Nov 2005 22:01:27 -0800 "Robin H. Johnson" |
2 |
<robbat2@g.o> wrote: |
3 |
| First, the blatantly obvious, for the benefit of same developers, even |
4 |
| though it's not relevant to signing. It is still a weak-point and does |
5 |
| need to be addressed. Multiple-hashes! |
6 |
|
7 |
There is no proof that multiple hashes gives you any security beyond |
8 |
the strength of the single most secure hash algorithm. If you have two |
9 |
signatures, one of which gives you an effective strength of 100 bits |
10 |
and the other of which gives you an effective strength of 80 bits, the |
11 |
overall effective strength is not 180 bits. |
12 |
|
13 |
See, this is why you need to be careful. Some things that you'd think |
14 |
were 'obvious' probably aren't actually true... |
15 |
|
16 |
-- |
17 |
Ciaran McCreesh : Gentoo Developer (Look! Shiny things!) |
18 |
Mail : ciaranm at gentoo.org |
19 |
Web : http://dev.gentoo.org/~ciaranm |