ATT: svn.kde.org has been updated

Ruediger Ranft rranft1 at HTWM.De
Wed Apr 13 06:48:25 BST 2005


On Tuesday, 12 April 2005 12:01, kde-core-devel-request at kde.org wrote:

| I mean did anybody of you
| doing cvs via ssh verify that you were really talking to the right ssh
| server or did you simply accept the ssh server's certificate? And
| everybody else used the cvs server without having any possibility to
| check the authenticity of the server.

Are the keys of the servers anywhere outside for verification? I never
noticed any key fingerprint for any ssh server.

BTW: It's true that SHA1 has been weakened in the last few days, but MD5 is
(currently) the worse security hole, because it is possible to
calculate collisions to given data blocks without solving the birthday
attack (and they could be hidden in some certificate extensions, so they
aren't visible when you don't explicitly tell your client to show every
cert detail). And until the publicly available client software understands
better hashes like RMD160 or SHA2-256, SHA1 is still the best solution as
hash algorithm (sic).

bye
Rudi

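Added example, not part of the original message: one way to do the check asked about above, comparing a server's SSH host key against a fingerprint published out of band. The sample keys are constructed, the function names are hypothetical, and the MD5 and SHA256 output forms follow the conventions of OpenSSH's `ssh-keygen -l`.

```python
import base64
import hashlib
import hmac
import struct


def make_line(key_type: str, raw_key: bytes) -> str:
    """Build a '<type> <base64 blob>' public-key line (constructed sample data)."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw_key)) + raw_key
    return f"{key_type} {base64.b64encode(blob).decode()}"


def key_blob(line: str) -> bytes:
    """Decode the blob and check that its embedded type matches the declared one."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("declared key type does not match blob")
    return blob


def fingerprint(line: str, algo: str = "sha256") -> str:
    """Return the fingerprint of the key blob in the MD5 or SHA256 display form."""
    blob = key_blob(line)
    if algo == "md5":  # legacy colon-separated hex form
        h = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))
    if algo == "sha256":  # unpadded base64 form
        d = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(d).decode().rstrip("=")
    raise ValueError("unsupported algorithm")


def matches_published(line: str, published: str) -> bool:
    """Compare against a fingerprint obtained out of band (e.g. a signed announcement)."""
    algo = published.split(":", 1)[0].lower()
    return hmac.compare_digest(fingerprint(line, algo), published)


# Constructed sample keys: not real host keys of any server.
GENUINE = make_line("ssh-ed25519", bytes(range(32)))
IMPOSTOR = make_line("ssh-ed25519", bytes(range(1, 33)))
PUBLISHED = fingerprint(GENUINE)  # stands in for the value the admins would publish

if __name__ == "__main__":
    print(fingerprint(GENUINE, "md5"), PUBLISHED)
    print(matches_published(GENUINE, PUBLISHED), matches_published(IMPOSTOR, PUBLISHED))
```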



