security projects thoughts
Daniel J. Luke
dluke at geeklair.net
Mon Apr 18 09:45:15 PDT 2011
On Apr 18, 2011, at 12:36 PM, Jeff Johnson wrote:
>
> And a generated keypair with the private key discarded and
> the public key registered with time stamp differs ... how?
Where is the public key registered? Does the end-user installer do something like:
1. Check that the public key in the package matches the registration (presumably in a way that isn't easy to spoof)
2. Validate the package contents via the signature and the registered public key
?
I think I missed the description of the public key registration, but it seems like that's an important part (which makes it more than 'just a larger hash').
--
Daniel J. Luke
+========================================================+
| *---------------- dluke at geeklair.net ----------------* |
| *-------------- http://www.geeklair.net -------------* |
+========================================================+
| Opinions expressed are mine and do not necessarily |
| reflect the opinions of my employer. |
+========================================================+
More information about the macports-dev mailing list