[nycphp-talk] Digital Signatures in PHP
Rolan Yang
rolan at omnistep.com
Thu Jun 3 14:49:03 EDT 2004
Yea, sometimes I wish you could just pipe data to gpg and have it spit
out an
encrypted message... rather than having it operate on an existing file.
Storing
sensitive information in a temporary file which has readable permissions
by the web server leaves me feeling a bit insecure too.
Dan Cech wrote:
> Daniel Convissor wrote:
>
>> On Thu, Jun 03, 2004 at 11:12:42AM -0400, Rolan Yang wrote:
>>
>>> How about md5()?
>>
>>
>> Exactly what I was going to say. Simple. Effective.
>
>
> Yeah, md5 is ok if you just want to take a hash to see if someone has
> changed something, but I need to be able to store the message and the
> hash together, so encryption is mandatory.
>
>> If you want something to actually SIGN with, then consider shelling
>> out to GPG.
>
>
> I was looking into this, but it seems to have a few drawbacks, notably
> having to write everything to file, I'd rather do it internally if at
> all possible.
>
> Now that I have figured out how to get the keys into the right format
> the openssl_sign and openssl_verify functions actually seem to work
> very well, it's just a question of how reliable they are on older
> versions of php.
>
> Dan
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
More information about the talk
mailing list