Re: Lack of PGP signatures
Mark M. <markm@voicenet.com> wrote:
I didn't say that binaries couldn't be signed. I said they couldn't be *clear*-signed. There is a difference between clearsigning and creating a signature certificate that is either concatenated with the data or written to a separate file. If somebody who doesn't have PGP gets a file that is signed by PGP, the file is completely useless to that person.
My mistake. I guess I still don't understand your point however. Of what use is a signature on a file to someone who cannot check its validity? It seems to me that a separate signature file for a binary would serve the same purpose ("gee, it LOOKS like somebody signed it").

Clay

***************************************************************************
Clay Olbon II * Clay.Olbon@dynetics.com
Systems Engineer * PGP262 public key on web page
Dynetics, Inc. * http://www.msen.com/~olbon/olbon.html
***************************************************************** TANSTAAFL
-----BEGIN PGP SIGNED MESSAGE-----

On 5 Jul 1996, Clay Olbon II wrote:
Mark M. <markm@voicenet.com> wrote:
I didn't say that binaries couldn't be signed. I said they couldn't be *clear*-signed. There is a difference between clearsigning and creating a signature certificate that is either concatenated with the data or written to a separate file. If somebody who doesn't have PGP gets a file that is signed by PGP, the file is completely useless to that person.
My mistake. I guess I still don't understand your point however. Of what use is a signature on a file to someone who cannot check its validity? It seems to me that a separate signature file for a binary would serve the same purpose ("gee, it LOOKS like somebody signed it").
A signature is of absolutely no use to someone who doesn't have PGP. However, somebody who doesn't have PGP can still read this message I am writing right now. That is why clear-signing is a Good Thing. You are correct that a separate signature file for a binary is just about the same as a clear-signed message. (In fact they are the same thing. The only difference is that a signature of text that is going to be clear-signed is calculated over the text with CRLF's and dashes and "From_"'s escaped out. The "PGP SIGNATURE" part is exactly the same as a separate signature's "PGP MESSAGE".)

OK, now the point of this message: somebody pointed out that if a binary was clear-signed using an option that would strip it down to 7 bits, the binary would be corrupted and therefore, such an option on PGP would be a Bad Thing. Then, I pointed out that not only would there be no point in a clear signature, since that would make the binary useless to someone without PGP anyway. It is best to sign a binary and extract the certificate to a separate file, which you noted above. So an option that would strip data down to 7 bits would not affect the ability to sign a binary. Such an option would probably be a Good Thing.

All this is giving me a severe headache. Please excuse any run-on sentences.

- -- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

-----END PGP SIGNATURE-----
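The difference discussed in this thread, as an added example that is not part of either message and is not PGP 2.6.3's code: it assumes the OpenPGP cleartext rules (the hash covers the text with trailing blanks stripped and CRLF line endings, while the "- " escaping of lines starting with "-" or "From " applies only to the displayed copy), and a SHA-256 digest stands in for the signature. All function names and both samples are constructed for illustration.

```python
import hashlib

def canonical_text(data: bytes) -> bytes:
    """Form that is hashed: trailing blanks stripped, every line ending CRLF."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return b"\r\n".join(line.rstrip(b" \t") for line in lines)

def dash_escape(text: bytes) -> bytes:
    """Form that is displayed: '- ' put before lines starting '-' or 'From '."""
    return b"\r\n".join(
        b"- " + line if line.startswith((b"-", b"From ")) else line
        for line in text.split(b"\r\n"))

def dash_unescape(body: bytes) -> bytes:
    """What a verifier hashes after removing the '- ' prefixes."""
    return b"\r\n".join(line[2:] if line.startswith(b"- ") else line
                        for line in body.split(b"\r\n"))

def strip_to_7_bits(data: bytes) -> bytes:
    """The hypothetical 7-bit option from the thread: clear the high bit."""
    return bytes(b & 0x7F for b in data)

def clearsign_trip(data: bytes, seven_bit: bool = False) -> bytes:
    """Bytes a recipient recovers from the body of a clear-signed message."""
    if seven_bit:
        data = strip_to_7_bits(data)
    return dash_unescape(dash_escape(canonical_text(data)))

def digest(data: bytes) -> str:
    """Stand-in for the signature: a digest over exactly these bytes."""
    return hashlib.sha256(data).hexdigest()

# Constructed samples: a short mail body and a PNG-like binary header.
TEXT = b"Hello list\n-- \nMark\nFrom now on\n"
BINARY = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x20, 0x0A, 0xFF])

if __name__ == "__main__":
    # Text stays readable without PGP and still verifies after the trip.
    print(dash_escape(canonical_text(TEXT)).decode())
    print("text verifies:", digest(clearsign_trip(TEXT)) == digest(canonical_text(TEXT)))
    # The same treatment rewrites the binary, so the delivered file is not the original.
    print("binary intact:", clearsign_trip(BINARY, seven_bit=True) == BINARY)
    # A detached signature hashes the raw bytes and ships the file unmodified.
    print("detached digest:", digest(BINARY))
```
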