--
Weak user keys.
Suppose the user's key, p, may be weak and easily guessed from G^p.
Suppose the key server constructs for each user a strong supplementary key,
q, which the server knows but the user does not know.
We would like the keyserver to protect people who are not so paranoid as to
protect themselves from the keyserver.
We want a public key system that does not make public G^p, though it will
make public G^q and G^(pq).
A signature in this public key system should show that the document has
been signed by someone who knows p, with the assistance of someone who
knows both q and the shared secret key, G^p.
Someone who knows G^q and G^(pq) should be able to check the signature
without knowing G^p, p, or q.
Anyone knowing G^q and G^(pq) should be able to encrypt a document in such a
way that only a person who knows p can decrypt it, provided he has the
assistance of someone who knows q and G^p.
I have not been able to design such a system.
One can achieve almost the same effect by having transient user keys
separate from the user logon key, random keys which are randomly generated by
the user's client software and authenticated by the server, but this exposes
the client to a man-in-the-middle attack from the server, and only works for
instant messaging and for transactions that either fail or complete within
a single logon session at the server.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
qIrVQjNIkxJkToOFReeoeKvY/SvzyRSdCyYftEQO
4jfGW404jr5oby60x3IbvWxF3SNIXa5LKY/q9YUme
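An added illustration of the weak-key premise in the post above; this is not code from the original message. It uses a constructed toy group (a Mersenne prime modulus and generator, not real cryptographic parameters) and a constructed five-word dictionary, and the function and variable names are my own. The caveat it shows: since (G^q)^p = G^(pq), the pair the post proposes to publish can be tested against candidate values of p exactly as G^p can, so withholding G^p alone does not protect a guessable p.

```python
import hashlib
import secrets

# Constructed toy group: 2^31 - 1 is prime and 7 is a primitive root of it,
# so distinct exponents in [1, P-2] give distinct group elements.
P = 2147483647
G = 7

# Constructed dictionary of low-entropy secrets a user might pick.
DICTIONARY = ["password", "letmein", "hunter2", "qwerty", "correct horse"]


def key_from_password(password: str) -> int:
    """Derive an exponent from a password; its entropy is only the password's."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def public(exponent: int, base: int = G) -> int:
    """Group exponentiation: base^exponent mod P."""
    return pow(base, exponent, P)


def guess_exponent(base: int, target: int, candidates):
    """Return the candidate whose derived exponent e satisfies base^e == target,
    or None if no candidate matches. Cost is one exponentiation per candidate."""
    for pw in candidates:
        if pow(base, key_from_password(pw), P) == target:
            return pw
    return None


def demo():
    """Weak user key p, strong server key q. Returns the candidate recovered
    from G^p alone and the candidate recovered from the published pair (G^q, G^(pq))."""
    p = key_from_password("hunter2")          # weak, dictionary-derived
    q = secrets.randbelow(P - 2) + 1          # strong, uniformly random
    g_p = public(p)
    g_q = public(q)
    g_pq = pow(g_q, p, P)                     # (G^q)^p == G^(pq)
    return guess_exponent(G, g_p, DICTIONARY), guess_exponent(g_q, g_pq, DICTIONARY)
```

A uniformly random exponent is not in any dictionary, so the same search finds nothing for a strong key; the post's transient-key workaround is one way to get such keys in front of the weak logon key.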