Far better to use public-key signatures
Posted Dec 20, 2007 5:39 UTC (Thu) by khim
Parent article: The backdooring of SquirrelMail
I can only say "huh?". It's certainly true that public-key signatures are impossible to replace if you don't have access to private key. It's very much not true that they have a longer shelf life! If you'll try to sign multi megabyte archive by using RSA or DSS directly process will take minutes if not hours and the check will be just as slow - thus ALL public-key cryptography depends on "normal" hashes (usually SHA1 today) in practice! Of course if MD5 or SHA1 is broken public-key signing scheme based on MD5 or SHA1 is broken as well...
to post comments)