From: Peter Hanecak (hanecak@megaloman.com)
Date: Tue Nov 07 2000 - 03:52:55 EST
On Tue, 7 Nov 2000, Daniel Veillard wrote:
> Well it seems clear that keeping a small pool of "latest resolved
> signature" may seriously help performance wise since all the packages from
> a given distribution, if signed, are likely to use the same set of keys.
> I hope that maintaining a small LRU cache is possible (I can add this
> part).
Well, a signature is not the same as a key. While yes, the same key can be
used to sign a lot of packages, every package should have a different
(unique) signature, because the signature is based on a hash of the package
content, which is unique (we are not hosting, say, hundreds or thousands of
the same RPM packages, are we?). So if we have, say, 1000 different packages
in the archive, we get 1000 different signatures in the LRU signature cache
if we implement it. In short: a similar situation to the MD5 checksum (for
two unique files it is more probable we get the same MD5 checksum than the
same SHA (or other) hash which is the base for a PGP/GPG signature).
Regardless of whether we use the same or different keys to sign two
different files, if we get two identical signatures, we have proof that
PGP/GPG signing is useless and/or has a hole.
So, if we want to verify the signature of package B, it does not help us
that package A is signed with the same key and we already verified it.
(Except that PGP/GPG, when using a keyserver, has already fetched the key.)
All of the above is based on my current understanding of hash algorithms,
cryptography and signing. And since I'm not an expert, I can be wrong.
Peter
--
===================================================================
Peter Hanecak <hanecak@megaloman.com>
GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
===================================================================
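The key-versus-signature distinction discussed in the message above, as an added example that is not part of the original post or of any project code: two LRU caches of the same size are fed the same stream of packages, one indexed by signature and one by signing key. HMAC-SHA256 stands in for a PGP/GPG signature, and the key ids, secrets, package contents and cache size are all constructed for the illustration.

```python
import hashlib
import hmac
from collections import OrderedDict


class LRU:
    """Small LRU set that counts hits and misses."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = OrderedDict()
        self.hits = self.misses = 0

    def lookup(self, entry):
        if entry in self.items:
            self.items.move_to_end(entry)  # mark as most recently used
            self.hits += 1
            return True
        self.misses += 1
        self.items[entry] = True
        if len(self.items) > self.capacity:
            self.items.popitem(last=False)  # evict least recently used
        return False


def sign(secret, content):
    # Stand-in for a PGP/GPG signature: a keyed MAC over the content hash.
    digest = hashlib.sha256(content).digest()
    return hmac.new(secret, digest, hashlib.sha256).hexdigest()


def simulate(n_packages=1000, n_keys=3, capacity=16):
    # Constructed data: key ids, secrets and package contents are made up.
    keys = {f"KEY{k}": f"secret-{k}".encode() for k in range(n_keys)}
    key_ids = list(keys)
    sig_cache, key_cache = LRU(capacity), LRU(capacity)
    for i in range(n_packages):
        key_id = key_ids[i % n_keys]
        signature = sign(keys[key_id], f"package-{i} payload".encode())
        sig_cache.lookup(signature)  # every package: new signature, a miss
        key_cache.lookup(key_id)     # same few keys: a hit after first use
    return sig_cache.hits, key_cache.hits


if __name__ == "__main__":
    sig_hits, key_hits = simulate()
    print(f"signature cache hits: {sig_hits}, key cache hits: {key_hits}")
```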
This archive was generated by hypermail 2b29 : Thu May 10 2001 - 18:40:13 EDT