httpd-dev mailing list archives

From Greg Marr <>
Subject RE: Tagging 2.0.17 in a few...
Date Tue, 17 Apr 2001 21:06:44 GMT
At 04:46 PM 04/17/2001, wrote:
>Well, it probably should be signed.  The public key can then be 
>grabbed from the issuer to verify authenticity.  I don't think that 
>(I assume they're public) keys should present any security problem 
>as long as the key matches the official public key.

The point was that verifying a distribution's signature against a 
public key contained in the distribution is pointless.  At that 
point, you may as well not have had it signed in the first place, 
since if someone made their own distribution, they could have put the 
key they were going to use in the distribution.

Greg Marr
"We thought you were dead."
"I was, but I'm better now." - Sheridan, "The Summoning"
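
The point made in the message above, as an added example that is not part of the original post or of any httpd release tooling: a check against the key shipped inside the distribution accepts any self-consistent package, while a check against a fingerprint obtained separately from the issuer does not. Toy textbook RSA over small Mersenne primes stands in for PGP, and every name, key and payload here is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    # Toy textbook RSA key from two primes (no padding, illustration only).
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def fingerprint(n):
    # Fingerprint of a public key; the modulus is the whole public key here.
    return hashlib.sha256(str(n).encode()).hexdigest()

def package(key, payload):
    # A distribution that ships its own public key next to the signature.
    sig = pow(digest(payload, key["n"]), key["d"], key["n"])
    return {"payload": payload, "sig": sig, "bundled_n": key["n"]}

def verify_with_bundled_key(dist):
    # The pointless check: the trust anchor comes from the thing being verified.
    n = dist["bundled_n"]
    return pow(dist["sig"], E, n) == digest(dist["payload"], n)

def verify_with_pinned_key(dist, pinned_fpr):
    # Accept the key only if it matches a fingerprint obtained out of band.
    if fingerprint(dist["bundled_n"]) != pinned_fpr:
        return False
    return verify_with_bundled_key(dist)

# Constructed sample keys from known Mersenne primes (far too small for real use).
official = make_key(2**127 - 1, 2**89 - 1)
repackager = make_key(2**107 - 1, 2**61 - 1)
PINNED = fingerprint(official["n"])  # assumed to come from the issuer, not the tarball

genuine = package(official, b"release contents")
repackaged = package(repackager, b"modified contents")

if __name__ == "__main__":
    for name, dist in (("genuine", genuine), ("repackaged", repackaged)):
        print(name,
              "bundled-key check:", verify_with_bundled_key(dist),
              "pinned-key check:", verify_with_pinned_key(dist, PINNED))
```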
