Giter Club home page Giter Club logo

Comments (3)

davaya avatar davaya commented on July 23, 2024

Hashes and signatures can be computed only over artifacts - serialization means putting information into a specific sequence of bytes. A single Element can be serialized into a file and a signature or hash computed over the bytes of that file. This is true even if that Element is first serialized into a file containing many Elements - the multi-Element file will have one signature that validates all of the Elements within it. A different multi-Element file will have a different signature. But when a single Element is extracted from both files its value, and thus its single-Element file hash or deterministic signature value must be identical. (The signature value of a probabilistic signature scheme will be different each time the same tbs value is signed, but each signature must validate that tbs data.)

Integrity does not apply to non-serialized Elements, including Collection Elements. Integrity does apply to documents (the serialized value of one or more Elements of any type).

We can only be sure that integrity of referenced elements is intact up to the strength of the integrity mechanism. Although MD5 collision resistance has long been broken, I don't know if second-preimage attacks are currently practical. The prudent thing to "be sure" is to use stronger hash algorithms where even collision attacks are impractical (and of course ensure that the integrity validation code is uncompromised.) Reducing opportunities for preimage fuzzing (such as by canonicalizing documents into an information-dense serialization and validating both length and hash value) can improve the security of even weak hash algorithms.

from spdx-3-model.

iamwillbar avatar iamwillbar commented on July 23, 2024

Subgroup will look at verification of elements themselves, independent of 3.x timeline. verifiedUsing will continue to be verification of what the element references (e.g. an artifact).

from spdx-3-model.

kestewart avatar kestewart commented on July 23, 2024

@iamwillbar - I believe we've covered all the issues in the punchlist now. If you disagree, please reopen.

from spdx-3-model.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.