On Sat, Dec 16, 2000 at 11:00:34PM +0100, Martin ([EMAIL PROTECTED]) wrote:
> On Saturday, December 16, 2000 (CS:6.50.351) 12:42:49 [PM] (-0600)
> Brian Minton [[EMAIL PROTECTED]] wrote...
>
> > yes, but not completely, since at a later time, you can always produce your
> > public key at a later time if necessary to prove that you did in fact write a
> > given message, or that you did not.
> ^^^^^^^^^^^^^^^^^^^^
> Thats not possible! If you signed a message (which you do with your private
> key) and i verify it with your public key (and im sure its yours) i can be
> sure YOU and nobody else wrote that message.
No, you can be sure that someone that knew his passphrase and had
access to his key wrote that message. It might have been him; it might
have been the sysadmin of the machine poking through disk and
memory. You'll note very little difference between this and using the
host from which the message was sent for authentication. There's
nothing about digital signatures to verify who typed the passphrase
into the terminal.
What you *do* know is that the message wasn't altered between signing
and reading; any conclusion of authorship is based on a whole bunch of
"ifs". Most of the time, the risk that those "ifs" imply is
acceptable, but you don't *know*.
-Rich
--
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- [EMAIL PROTECTED] ----------------------
