Hi, Since Jason says this is still on-topic (-;
From: Josh Huber
Subject: Re: PGP/GPG signatures
Date: Wed, 09 Oct 2002 10:05:31 -0400

> [EMAIL PROTECTED] writes:
>
> > [1] All this "signature" stuff is kind of inadequate in the long
> > term w/o some kind of notarization anyway -- consider the case where
> > one's secret key leaks and back-dated messages are forged. W/o some
> > additional mechanism, there's no way to tell these apart from
> > legitimate "signatures".
>
> If this happened, I would revoke my key.

I should clarify what I meant by notarization -- I'm not referring to any specific method of notarization. I'm referring to an appropriate method for at least one third party to witness a signature (plus be able to produce something at the time that can be used later as evidence -- a number of methods try to accomplish this using one form or another of time-stamping).

I believe there is a theoretical problem w/ trying to do signatures you can use as evidence (not really in a legal sense -- in a technical sense) w/o some form of appropriate witnessing involved somewhere.

I understand that one of the main problems is that the creator of the "signature" (e.g. something signed w/ PGP) has control over the validity of the signature. All the creator has to do to make a signature invalid is to revoke their own key. I hope you agree that a signer being able to deny having signed something that they really signed (*phew*) is an undesirable situation (-;

IIUC, one way to address this issue is to get the "signature" witnessed by some other (hopefully trustworthy) party soon after receiving it -- or not accepting a "signature" that has not been notarized/witnessed to begin w/.

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
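The witnessing scheme sketched in the post, worked through as an added example (this is not code from the thread or from TMDA). It models the three parties: a signer, a third-party notary that records when it first saw a signature, and a later verifier that accepts a signature as evidence only if the witness time precedes the key's revocation. Assumptions: HMAC-SHA256 under a shared secret stands in for a real public-key (PGP) signature, which is enough to show the point because a leaked secret lets anyone produce valid signatures on back-dated messages; the notary's token is likewise an HMAC under the notary's own key; all keys, messages and timestamps are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def sign(signer_key: bytes, message: bytes) -> bytes:
    """Toy stand-in for a PGP signature (assumption: HMAC-SHA256 under the
    signer's secret). Anyone holding signer_key can produce it, which is
    exactly the 'secret key leaks' situation discussed in the thread."""
    return hmac.new(signer_key, message, hashlib.sha256).digest()


def verify_signature(signer_key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(signer_key, message), signature)


@dataclass(frozen=True)
class WitnessToken:
    """What the notary hands back: the signature's hash bound to the notary's
    own clock, authenticated under the notary's key."""
    sig_digest: bytes
    witnessed_at: int  # notary clock, seconds since epoch
    mac: bytes


def _witness_payload(sig_digest: bytes, witnessed_at: int) -> bytes:
    return sig_digest + witnessed_at.to_bytes(8, "big")


def witness(notary_key: bytes, signature: bytes, now: int) -> WitnessToken:
    """Notary side. It needs neither the signer's key nor the message text,
    only the signature bytes, and it records when *it* saw them, ignoring any
    date claimed inside the message."""
    sig_digest = hashlib.sha256(signature).digest()
    mac = hmac.new(notary_key, _witness_payload(sig_digest, now), hashlib.sha256).digest()
    return WitnessToken(sig_digest, now, mac)


def verify_witness(notary_key: bytes, signature: bytes, token: WitnessToken) -> bool:
    if hashlib.sha256(signature).digest() != token.sig_digest:
        return False
    expected = hmac.new(notary_key, _witness_payload(token.sig_digest, token.witnessed_at),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, token.mac)


def check_evidence(signer_key: bytes, notary_key: bytes, message: bytes, signature: bytes,
                   token: Optional[WitnessToken], revoked_at: Optional[int]) -> Tuple[bool, str]:
    """Verifier side, possibly years later. The signature alone is not evidence:
    it must also carry a valid witness token dated before the key's revocation."""
    if not verify_signature(signer_key, message, signature):
        return False, "signature does not verify"
    if token is None:
        return False, "signature was never witnessed"
    if not verify_witness(notary_key, signature, token):
        return False, "witness token does not verify"
    if revoked_at is not None and token.witnessed_at >= revoked_at:
        return False, "witnessed only after the key was revoked"
    return True, "accepted: witnessed before revocation"


def demo() -> Dict[str, Tuple[bool, str]]:
    signer_key = b"signer-secret-constructed-for-demo"   # constructed
    notary_key = b"notary-secret-constructed-for-demo"   # constructed
    revoked_at = 2000  # the signer revokes after discovering the leak

    # 1. Legitimate message, signed and witnessed while the key was still good.
    legit = b"Date: t=1000\nI agree to the terms."
    legit_sig = sign(signer_key, legit)
    legit_token = witness(notary_key, legit_sig, now=1001)

    # 2. After the leak and revocation, an attacker forges a back-dated message.
    #    The signature verifies perfectly: it was made with the same key.
    forged = b"Date: t=500\nI owe you 1000 dollars."
    forged_sig = sign(signer_key, forged)
    forged_token = witness(notary_key, forged_sig, now=2500)

    # 3. The attacker tries to back-date the witness token itself instead.
    backdated_token = WitnessToken(forged_token.sig_digest, 1500, forged_token.mac)

    return {
        # The signer cannot disown this one by revoking: the witness predates revocation.
        "legit": check_evidence(signer_key, notary_key, legit, legit_sig, legit_token, revoked_at),
        "forged_witnessed_late": check_evidence(signer_key, notary_key, forged, forged_sig,
                                                forged_token, revoked_at),
        "forged_unwitnessed": check_evidence(signer_key, notary_key, forged, forged_sig,
                                             None, revoked_at),
        "forged_token_backdated": check_evidence(signer_key, notary_key, forged, forged_sig,
                                                 backdated_token, revoked_at),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two cases that matter are the first and the second: both signatures verify under the (now revoked) key, and nothing in the signatures themselves separates the genuine message from the post-leak forgery. Only the notary's record of when it saw each signature does, and that record is what the post calls evidence. The scheme also closes the other direction the post worries about: the signer cannot repudiate the genuine message by revoking, because the witness predates the revocation.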
