httpd-dev mailing list archives

From "Helmut K. C. Tessarek" <tessa...@evermeet.cx>
Subject Re: SHA-256
Date Sat, 25 Feb 2017 05:59:49 GMT
Thank you for the response.

On 2017-02-24 23:45, William A Rowe Jr wrote:
> They are useful for file completeness/error checking only. I'd agree 
> there is zero purpose in retaining SHA1 when SHA256 is in place.

Unfortunately a lot of people do not know this. They compare the hashes
instead, either because they don't understand the background, don't have
gpg installed, or think checking the hashes is the same as verifying a
signature.

> And SHA256 is a means to authenticate how, exactly?
> 
> We provide .asc pgp signatures exclusively for that purpose.

I agree, gpg is the only way to check the authenticity of a file.

However, people who use hashes to do this (for reasons I previously
mentioned) are in a lot safer spot, because it's most likely impossible
for an adversary to create a collision.

I just didn't understand why there would be a reason for other hashes,
if there was a sha-256 hash available. Even on legacy systems I've seen
implementations for sha256.

Thanks again for your answer.

Cheers,
  K. C.

-- 
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
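
Added illustration, not part of the original message or of any Apache tooling: the distinction the thread draws between a checksum and a signature, shown as the outcomes of a `sha256sum`-style check. The sample bytes, the file name `release.tar.gz` and all function names are constructed for this example; a checksum obtained over a separate trusted channel stands in for the authenticity that the `.asc` signature provides.

```python
import hashlib
import hmac
import string

def parse_checksum_line(text):
    """Parse one line in sha256sum format: '<64 hex digits>  <filename>'."""
    digest, _, name = text.strip().partition(" ")
    name = name.lstrip(" *")  # drop the separator and the optional binary-mode marker
    if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
        raise ValueError("not a SHA-256 checksum line")
    return digest.lower(), name

def digest_matches(artifact, checksum_text):
    """True if the artifact's SHA-256 equals the digest in the checksum line."""
    expected, _ = parse_checksum_line(checksum_text)
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, expected)

def publish(artifact, name):
    """What a download site serves: the file plus a .sha256 computed from it."""
    return artifact, f"{hashlib.sha256(artifact).hexdigest()}  {name}\n"

# Constructed sample data, not a real release.
GENUINE = b"constructed release tarball bytes v1\n"
NAME = "release.tar.gz"

def scenarios():
    genuine_file, genuine_sum = publish(GENUINE, NAME)
    # Transfer error: the last byte is lost. The checksum catches this.
    truncated = genuine_file[:-1]
    # File replaced on the download site: whoever can write the file can
    # also write the .sha256 beside it, so the pair stays consistent.
    swapped_file, swapped_sum = publish(b"constructed replaced bytes\n", NAME)
    return {
        "intact": digest_matches(genuine_file, genuine_sum),
        "truncated": digest_matches(truncated, genuine_sum),
        "replaced_with_matching_sum": digest_matches(swapped_file, swapped_sum),
        # Only a digest from a channel the site cannot rewrite detects the
        # replacement; that is the role the signature plays.
        "replaced_vs_trusted_sum": digest_matches(swapped_file, genuine_sum),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```
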
