[Mac_crypto] Apple should use SHA! (or stronger) to authenticate software releases

Vinnie Moscaritolo mac_crypto@vmeng.com
Mon, 5 Apr 2004 08:10:26 -0800

one more thing for all it's worth.. MD5 is not a FIPS-140-2  approved 
http://csrc.nist.gov/cryptval/   this would technically prevent osx 
from being used
in any Federal or Mil environment.   Apple will eventually have to 
address this concern.

At 6:17 AM -0500 4/4/04, Arnold G. Reinhold wrote:
>The cryptographic hash function MD5 has long been used to 
>authenticate software packages, particularly in the Linux/Unix/open 
>source community. This has carried over to Apple's OS-X. The MD5 
>hash of an entire package is calculated and its value is transmitted 
>separately from the package. Users who download the package compute 
>the hash of the copy they received and match that value against the 

Vinnie Moscaritolo  ITCB-IMSH
PGP: 3F903472C3AF622D5D918D9BD8B100090B3EF042

"When the pin is pulled, Mr. Grenade is not our friend."
				 - USMC training bulletin.