When *not* to sign an e-mail message?
Hi,
I'm wondering if there are any hypothetical situations where one would NOT
want to sign an email message they are sending to another party. In my
opinion, there are no valid reasons not to sign a message.
Can anyone point out a situation to me where *not* signing would be
advantageous (excluding of course that the message may be smaller if it's
not signed)?
TIA
Re: When *not* to sign an e-mail message?
"Non scrivetemi" <nonscrivetemi@pboxmix.winstonsmith.info> wrote:
[color=blue]
> Can anyone point out a situation to me where *not* signing would be
> advantageous (excluding of course that the message may be smaller if
> it's not signed)?[/color]
When sending anonymous messages it's a good idea not to sign them ;-)
Juergen Nieveler
--
These opinions are mine, not those of the University of Virginia. It is
the opinion of the University that I should be writing my dissertation.
Re: When *not* to sign an e-mail message?
"Non scrivetemi" <nonscrivetemi@pboxmix.winstonsmith.info> (06-03-05 15:23:07):
[color=blue]
> I'm wondering if there are any hypothetical situations where one would
> NOT want to sign an email message they are sending to another
> party. In my opinion, there are no valid reasons not to sign a
> message.
>
> Can anyone point out a situation to me where *not* signing would be
> advantageous (excluding of course that the message may be smaller if
> it's not signed)?[/color]
You have to consider that a valid signature effectively means that the
sender of the message must be you. Later you cannot claim that you
didn't write the message. If someone compromised your key, which is
unlikely to happen, then you have to prove this.
This means: If you write stupid things, then don't sign them. =)
Regards.
Re: When *not* to sign an e-mail message?
"Non scrivetemi" <nonscrivetemi@pboxmix.winstonsmith.info> wrote in
news:97a0b7459f825709f6691dc3bb94ca7e@pboxmix.winstonsmith.info:
[color=blue]
>
> Hi,
>
> I'm wondering if there are any hypothetical situations where one would
> NOT want to sign an email message they are sending to another party.
> In my opinion, there are no valid reasons not to sign a message.
>
> Can anyone point out a situation to me where *not* signing would be
> advantageous (excluding of course that the message may be smaller if
> it's not signed)?
>
> TIA
>[/color]
The whole question of digital signing and non-repudiation is fatally
flawed.
Why? Because it reverses the burden of proof.
With existing handwritten signatures the burden of verifying the signature
falls on the recipient (e.g., banks re a cheque). With digital signatures
the sender must prove he didn't send it (e.g., he might argue his key had
been stolen).
The traditional basis of signatures is that the burden lies on the fellow
relying on them; digital signatures reverse 1000 years of legal and
commercial practice. While arguments can be advanced why such a reversal
might be desirable they have to overcome this "who proves" hurdle and
cannot rely solely on their "gee-whiz" gimcrackery as sufficient
justification.
Regards,
Re: When *not* to sign an e-mail message?
Non scrivetemi writes:
[color=blue]
> I'm wondering if there are any hypothetical situations where one would NOT
> want to sign an email message they are sending to another party. In my
> opinion, there are no valid reasons not to sign a message.[/color]
You don't sign it if you wish to be able to deny having written it
later.
Also, signing trivial messages gives adversaries more material with
which to attempt to recover your key pair, so unimportant stuff
probably should not be signed. And don't sign anything someone asks
you to sign without making some sort of (trivial) change to it.
--
Transpose mxsmanic and gmail to reach me by e-mail.
Re: When *not* to sign an e-mail message?
nemo_outis writes:
[color=blue]
> With existing handwritten signatures the burden of verifying the signature
> falls on the recipient (e.g., banks re a cheque). With digital signatures
> the sender must prove he didn't send it (e.g., he might argue his key had
> been stolen).[/color]
Actually the burden of proof is the same for both. In both cases, the
recipient verifies the signature. In both cases, if the signature
appears to verify correctly, then it's up to the alleged signer to
prove that the signature was forged. It's much harder to do this with
digital signatures than with handwritten signatures, but the
principles are the same in both cases.
Indeed, it doesn't matter how secure a digital signature system might
be if it can be shown that a given digital signature is or is not
under the exclusive control of its putative owner.
[color=blue]
> The traditional basis of signatures is that the burden lies on the fellow
> relying on them; digital signatures reverse 1000 years of legal and
> commercial practice.[/color]
Only to a certain extent. It's up to the recipient to check the
signature. But if the signature passes the checks, it's considered
valid unless the signer can demonstrate that it was forged.
--
Transpose mxsmanic and gmail to reach me by e-mail.
Re: When *not* to sign an e-mail message?
Mxsmanic <mxsmanic@gmail.com> wrote in
news:k0cm02ldmfuij92pa9hltq49j9i3bdl8pf@4ax.com:
[color=blue]
> nemo_outis writes:
>[color=green]
>> With existing handwritten signatures the burden of verifying the
>> signature falls on the recipient (e.g., banks re a cheque). With
>> digital signatures the sender must prove he didn't send it (e.g., he
>> might argue his key had been stolen).[/color]
>
> Actually the burden of proof is the same for both. In both cases, the
> recipient verifies the signature. In both cases, if the signature
> appears to verify correctly, then it's up to the alleged signer to
> prove that the signature was forged. It's much harder to do this with
> digital signatures than with handwritten signatures, but the
> principles are the same in both cases.[/color]
No, in any western system of law, the person relying on the signature
(usually the recipient or beneficiary) must prove its validity (e.g., a
bank relying on my signature on a cheque must validate it against its
sample signature). If it is contested and goes to court it is the bank's
burden (to use my example) to satisfy the court that the signatures
match.
Yes, I can try to make it even harder for the bank - I can adduce reasons
why the signature should not be accepted and why the bank hasn't
discharged its burden of proof. But that doesn't change where the
*primary* burden lies. It is the bank's burden and, as with most legal
procedures, I have the right to contest whether it has discharged that
burden. But I'd much rather the burden fell on them than me and I only
have to cast additional doubt if I choose to.
[color=blue]
> Indeed, it doesn't matter how secure a digital signature system might
> be if it can be shown that a given digital signature is or is not
> under the exclusive control of its putative owner.[/color]
And that is precisely the point. With a traditional signature system I
have one and only one requirement: the performance of the positive act of
signing. I do not, with the traditional system, have the additional
burden of showing, in a dispute, that a key had somehow escaped from my
exclusive control. (The safekeeping of that key now becomes a new burden
on me roughly equivalent, for instance, to safeguarding my chequebook in
which I have already signed every blank cheque! Something no prudent man
would do!)
With electronic signatures I have taken on additional burdens that do not
apply with traditional signatures. For instance, I now carry a burden
not to be negligent in my keeping the keys safe. And, if the signature
is disputed, it would fall on *me* to show that they had somehow leaked
or been compromised (e.g., I might have to show Verisign has a corrupt
employee). I have taken on (or rather had imposed on me) additional
responsibility and the need for a wider net of trust - things I don't
have to do the old-fashioned way.
[color=blue][color=green]
>> The traditional basis of signatures is that the burden lies on the
>> fellow relying on them; digital signatures reverse 1000 years of
>> legal and commercial practice.[/color]
>
> Only to a certain extent. It's up to the recipient to check the
> signature. But if the signature passes the checks, it's considered
> valid unless the signer can demonstrate that it was forged.[/color]
Handwritten signatures and their verification have many limitations and
flaws from a technical perspective. However, that doesn't change that
the primary burden of verification rests with the one relying on the
signature and not the other way round. That person must be able to
demonstrate to a competent third party (e.g., a court) that the signature
is valid. The means and standard of that proof (too easy or too hard)
may be a topic for acrimonious debate but that still doesn't change on
whom it falls.
And I, for one, am not eager to reverse those obligations and
responsibilities.
Regards,
Re: When *not* to sign an e-mail message?
Non scrivetemi wrote:[color=blue]
> Hi,
>
> I'm wondering if there are any hypothetical situations where one would NOT
> want to sign an email message they are sending to another party. In my
> opinion, there are no valid reasons not to sign a message.
>
> Can anyone point out a situation to me where *not* signing would be
> advantageous (excluding of course that the message may be smaller if it's
> not signed)?
>
> TIA
>[/color]
There aren't any hypothetical situations. Only real ones.
[url]www.mypgp.com[/url]
Re: When *not* to sign an e-mail message?
nemo_outis wrote:[color=blue]
> Mxsmanic <mxsmanic@gmail.com> wrote in
> news:k0cm02ldmfuij92pa9hltq49j9i3bdl8pf@4ax.com:
>
>[color=green]
>>nemo_outis writes:
>>
>>[color=darkred]
>>>With existing handwritten signatures the burden of verifying the
>>>signature falls on the recipient (e.g., banks re a cheque). With
>>>digital signatures the sender must prove he didn't send it (e.g., he
>>>might argue his key had been stolen).[/color]
>>
>>Actually the burden of proof is the same for both. In both cases, the
>>recipient verifies the signature. In both cases, if the signature
>>appears to verify correctly, then it's up to the alleged signer to
>>prove that the signature was forged. It's much harder to do this with
>>digital signatures than with handwritten signatures, but the
>>principles are the same in both cases.[/color]
>
>
>
> No, in any western system of law, the person relying on the signature
> (usually the recipient or beneficiary) must prove its validity (e.g., a
> bank relying on my signature on a cheque must validate it against its
> sample signature). If it is contested and goes to court it is the bank's
> burden (to use my example) to satisfy the court that the signatures
> match.
>[/color]
The recipient probably still does. It is simply that this stage is now
trivial. The judge can even do an independent verification.
[color=blue]
> Yes, I can try to make it even harder for the bank - I can adduce reasons
> why the signature should not be accepted and why the bank hasn't
> discharged its burden of proof. But that doesn't change where the
> *primary* burden lies. It is the bank's burden and, as with most legal
> procedures, I have the right to contest whether it has discharged that
> burden. But I'd much rather the burden fell on them than me and I only
> have to cast additional doubt if I choose to.
>
>
>[color=green]
>>Indeed, it doesn't matter how secure a digital signature system might
>>be if it can be shown that a given digital signature is or is not
>>under the exclusive control of its putative owner.[/color]
>
>
>
> And that is precisely the point. With a traditional signature system I
> have one and only one requirement: the performance of the positive act of
> signing. I do not, with the traditional system, have the additional
> burden of showing, in a dispute, that a key had somehow escaped from my
> exclusive control. (The safekeeping of that key now becomes a new burden
> on me roughly equivalent, for instance, to safeguarding my chequebook in
> which I have already signed every blank cheque! Something no prudent man
> would do!)
>[/color]
It is equivalent to a company using a rubber stamp to sign cheques.
Where there are a thousand people on the pay roll it is quite common for
the clerks to be given such rubber stamps. It saves the boss a lot of
writing.
[color=blue]
> With electronic signatures I have taken on additional burdens that do not
> apply with traditional signatures. For instance, I now carry a burden
> not to be negligent in my keeping the keys safe. And, if the signature
> is disputed, it would fall on *me* to show that they had somehow leaked
> or been compromised (e.g., I might have to show Verisign has a corrupt
> employee). I have taken on (or rather had imposed on me) additional
> responsibility and the need for a wider net of trust - things I don't
> have to do the old-fashioned way.
>
>
>[color=green][color=darkred]
>>>The traditional basis of signatures is that the burden lies on the
>>>fellow relying on them; digital signatures reverse 1000 years of
>>>legal and commercial practice.[/color]
>>
>>Only to a certain extent. It's up to the recipient to check the
>>signature. But if the signature passes the checks, it's considered
>>valid unless the signer can demonstrate that it was forged.[/color]
>
>
>
> Handwritten signatures and their verification have many limitations and
> flaws from a technical perspective. However, that doesn't change that
> the primary burden of verification rests with the one relying on the
> signature and not the other way round. That person must be able to
> demonstrate to a competent third party (e.g., a court) that the signature
> is valid. The means and standard of that proof (too easy or too hard)
> may be a topic for acrimonious debate but that still doesn't change on
> whom it falls.
>
> And I, for one, am not eager to reverse those obligations and
> responsibilities.[/color]
No reversal, just harder to lie.
Andrew Swallow
Re: When *not* to sign an e-mail message?
Juergen Nieveler wrote:[color=blue]
> "Non scrivetemi" <nonscrivetemi@pboxmix.winstonsmith.info> wrote:
>
>[color=green]
>>Can anyone point out a situation to me where *not* signing would be
>>advantageous (excluding of course that the message may be smaller if
>>it's not signed)?[/color]
>
>
> When sending anonymous messages it's a good idea not to sign them ;-)[/color]
Signing with what keypair? Is the public key well known to be
associated with the author? Is the keypair ephemeral and only used for
one message? Is the keypair made up just for the few messages the author
wants to send using the identity "WhistleBlower12", "Terrorist214",
"CompulsiveConfessor7" or "PoisonPenman"?
When I first read Ender's Game by Orson Card, I couldn't figure how
everyone could be so sure that a series of anonymous essays published
under the name "Demosthenes" were all by the same author. Now I see that
including a public key in each essay and a digital signature that
verifies with that public key establishes that the essays are all by the
same author, no, that they're all signed by the same person, no, that
they're all signed by members of the cabal who know the corresponding
private key.
--Mike Amling
Re: When *not* to sign an e-mail message?
"nemo_outis" <abc@xyz.com> writes:[color=blue]
> The whole question of digital signing and non-repudiation is fatally
> flawed.
>
> Why? Because it reverses the burden of proof.
>
> With existing handwritten signatures the burden of verifying the signature
> falls on the recipient (e.g., banks re a cheque). With digital signatures
> the sender must prove he didn't send it (e.g., he might argue his key had
> been stolen).
>
> The traditional basis of signatures is that the burden lies on the fellow
> relying on them; digital signatures reverse 1000 years of legal and
> commercial practice. While arguments can be advanced why such a reversal
> might be desirable they have to overcome this "who proves" hurdle and
> cannot rely solely on their "gee-whiz" gimcrackery as sufficient
> justification.[/color]
digital signature is technology that can be used for authentication
aka "something you have" from 3-factor authentication model
[url]http://www.garlic.com/~lynn/subtopic.html#3factor[/url]
* something you have
* something you know
* something you are
where verification of digital signature with public key implies
possession of corresponding private key.
this is something different than human signatures that imply having
read, understood, agrees, approves, and/or authorizes.
there are all sort of short-comings if you believe that digital
signatures translate straight-forward to the same as human signatures.
one such is dual-use attack. a valid authentication use for digital
signatures is to have a server transmit some random data (possibly as
countermeasure to replay attack), the client digitally signs the
random data (w/o having read the random data), and returns the digital
signature. an attack (against an infrastructure that might mistakenly
make straight-forward equivalence between digital signature and human
signature) is to substitute a valid contract for the random data.
one such (possibly misguided) effort to make straight-forward
equivalence between digital signatures and human signatures was the
addition of the "non-repudiation" flag to some digital signatures in
the early 90s.
in much the same way that x.509 identity digital certificates started
to become significantly depreciated by the mid-90s, so did any
operation that took a digital certificate non-repudiation flag as
having any valid meaning. it became readily apparent that to even
approach the meaning of a human signature (read, understood, agrees,
approves, and/or authorizes as well as demonstrating any sort of
intent) there had to be significant additional processes in place.
In fact, there are some point-of-sale terminal designs that may
have digital signature purely as an authentication mechanism but
require totally separate operations to demonstrate "intent". The
simpler example is point-of-sale terminal that uses two-factor
authentication pin-debit as authentication ... and then requires
separate sequence where the consumer is asked to press the "yes"
button if they agree to the transaction (to establish intent and the
equivalence of human signature of read, understood, agrees, approves,
and/or authorizes). In such a scenario, the authentication is totally
separate process from the "intent" process.
we were asked to come in and help word-smith the cal. state electronic
signature legislation and then later the fed. electronic signature
legislation. misc. past posts about electronic signatures
[url]http://www.garlic.com/~lynn/subpubkey.html#signature[/url]
misc. past posts mentioning non-repudiation and/or dual-use attack on
digital signatures (when they have conflicting uses for both
authentication and human signature)
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep0[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep1[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep2[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep3[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep4[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep5[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aepay7.htm#nonrep6[/url] non-repudiation, was Re: crypto flaw in secure mail standards
[url]http://www.garlic.com/~lynn/aadsm11.htm#5[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#6[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#7[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#8[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#9[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#11[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#12[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#13[/url] Words, Books, and Key Usage
[url]http://www.garlic.com/~lynn/aadsm11.htm#14[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm11.htm#15[/url] Meaning of Non-repudiation
[url]http://www.garlic.com/~lynn/aadsm12.htm#5[/url] NEWS: 3D-Secure and Passport
[url]http://www.garlic.com/~lynn/aadsm12.htm#12[/url] TOC for world bank e-security paper
[url]http://www.garlic.com/~lynn/aadsm12.htm#30[/url] Employee Certificates - Security Issues
[url]http://www.garlic.com/~lynn/aadsm12.htm#37[/url] Legal entities who sign
[url]http://www.garlic.com/~lynn/aadsm12.htm#38[/url] Legal entities who sign
[url]http://www.garlic.com/~lynn/aadsm12.htm#59[/url] e-Government uses "Authority-stamp-signatures"
[url]http://www.garlic.com/~lynn/aadsm15.htm#32[/url] VS: On-line signature standards
[url]http://www.garlic.com/~lynn/aadsm15.htm#33[/url] VS: On-line signature standards
[url]http://www.garlic.com/~lynn/aadsm15.htm#34[/url] VS: On-line signature standards (slight addenda)
[url]http://www.garlic.com/~lynn/aadsm15.htm#35[/url] VS: On-line signature standards
[url]http://www.garlic.com/~lynn/aadsm15.htm#36[/url] VS: On-line signature standards
[url]http://www.garlic.com/~lynn/aadsm16.htm#14[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm16.htm#17[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm16.htm#18[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm16.htm#23[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm17.htm#3[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm17.htm#5[/url] Non-repudiation (was RE: The PAIN mnemonic)
[url]http://www.garlic.com/~lynn/aadsm17.htm#55[/url] Using crypto against Phishing, Spoofing and Spamming
[url]http://www.garlic.com/~lynn/aadsm17.htm#59[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm18.htm#0[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm18.htm#1[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm18.htm#2[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm18.htm#3[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm18.htm#4[/url] dual-use digital signature vulnerability
[url]http://www.garlic.com/~lynn/aadsm19.htm#33[/url] Digital signatures have a big problem with meaning
[url]http://www.garlic.com/~lynn/aadsm19.htm#47[/url] the limits of crypto and authentication
[url]http://www.garlic.com/~lynn/aadsm20.htm#0[/url] the limits of crypto and authentication
[url]http://www.garlic.com/~lynn/aadsm20.htm#28[/url] solving the wrong problem
[url]http://www.garlic.com/~lynn/aadsm20.htm#44[/url] Another entry in the internet security hall of shame
[url]http://www.garlic.com/~lynn/aadsm21.htm#5[/url] Is there any future for smartcards?
[url]http://www.garlic.com/~lynn/aadsm21.htm#13[/url] Contactless payments and the security challenges
[url]http://www.garlic.com/~lynn/aadsm21.htm#18[/url] 'Virtual Card' Offers Online Security Blanket
[url]http://www.garlic.com/~lynn/aadsm21.htm#27[/url] X.509 / PKI, PGP, and IBE Secure Email Technologies
[url]http://www.garlic.com/~lynn/aadsm22.htm#5[/url] long-term GPG signing key
[url]http://www.garlic.com/~lynn/aadsm22.htm#6[/url] long-term GPG signing key
[url]http://www.garlic.com/~lynn/aadsm22.htm#7[/url] long-term GPG signing key
[url]http://www.garlic.com/~lynn/2001c.html#30[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#34[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#39[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#40[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#41[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#42[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#43[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#44[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#45[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#46[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#47[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#50[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#51[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#52[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#54[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#56[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#57[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#58[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#59[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#60[/url] PKI and Non-repudiation practicalities
[url]http://www.garlic.com/~lynn/2001c.html#72[/url] PKI and Non-repudiation practicalities
--
Anne & Lynn Wheeler | [url]http://www.garlic.com/~lynn/[/url]
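The dual-use problem described in the post above, as an added example that is not part of the original post: a key that signs raw server challenges unread produces signatures that also verify over whatever bytes the server chose, while binding a purpose label and a client-chosen nonce into the signed bytes keeps an authentication signature from verifying as a document signature. The function names, the `auth-v1` and `doc-v1` labels, the length-prefixed framing and the sample contract text are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Purpose labels bound into every signed message (names are assumptions).
const (
	purposeAuth = "auth-v1"
	purposeDoc  = "doc-v1"
)

// frame returns the bytes that actually get signed: the purpose label and
// each field, every one preceded by its 4-byte length, so a message framed
// for one purpose can never equal a message framed for the other.
func frame(purpose string, fields ...[]byte) []byte {
	var out []byte
	for _, f := range append([][]byte{[]byte(purpose)}, fields...) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// NewKeyPair generates a fresh Ed25519 key pair for the demonstration.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NaiveAuthSign is the weak pattern from the post: sign the server's
// "random data" exactly as received, without looking at it.
func NaiveAuthSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// NaiveDocVerify is a relying party that equates any valid signature over
// the document bytes with the key holder's agreement to the document.
func NaiveDocVerify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// AuthSign answers a challenge by signing label + client nonce + challenge.
// The client-chosen nonce means the server never fully controls the bytes
// that end up under the signature.
func AuthSign(priv ed25519.PrivateKey, challenge []byte) (nonce, sig []byte) {
	nonce = make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, ed25519.Sign(priv, frame(purposeAuth, nonce, challenge))
}

// AuthVerify checks an authentication response against the issued challenge.
func AuthVerify(pub ed25519.PublicKey, challenge, nonce, sig []byte) bool {
	return ed25519.Verify(pub, frame(purposeAuth, nonce, challenge), sig)
}

// DocSign signs a document under the document purpose label.
func DocSign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, frame(purposeDoc, doc))
}

// DocVerify accepts only signatures made under the document purpose label.
func DocVerify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, frame(purposeDoc, doc), sig)
}

func main() {
	pub, priv := NewKeyPair()
	// Constructed sample: a "challenge" that is really a contract.
	contract := []byte("I agree to pay 1000 to the bearer.")

	naive := NaiveAuthSign(priv, contract)
	fmt.Println("naive auth signature accepted as contract:",
		NaiveDocVerify(pub, contract, naive))

	nonce, sig := AuthSign(priv, contract)
	fmt.Println("labelled auth response valid:",
		AuthVerify(pub, contract, nonce, sig))
	fmt.Println("labelled auth signature accepted as contract:",
		DocVerify(pub, contract, sig))
	fmt.Println("deliberate document signature valid:",
		DocVerify(pub, contract, DocSign(priv, contract)))
}
```

Keeping one key pair for authentication and a different one for document signing gives the same separation at the key level.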
Re: When *not* to sign an e-mail message?
Mike Amling <nospam@foobaz.com> writes:[color=blue]
> When I first read Ender's Game by Orson Card, I couldn't figure how
> everyone could be so sure that a series of anonymous essays published
> under the name "Demosthenes" were all by the same author. Now I see
> that including a public key in each essay and a digital signature that
> verifies with that public key establishes that the essays are all by
> the same author, no, that they're all signed by the same person, no,
> that they're all signed by members of the cabal who know the
> corresponding private key.[/color]
this is the scenario that asymmetric key cryptography is technology
(differentiated from symmetric key), where what one key encodes, the
other key decodes.
there is a business process commonly referred to as public key;
where one key is labeled "public" and made freely available; the other
key (of the key pair) is labeled "private" and kept confidential and
never divulged. at this level, there are no mystical properties related
to public and private ... purely what is done in conforming to the
public key business process.
there is a business process commonly referred to as digital
signature where the private key is used to encode the hash of a
message. then the verification of the digital signature using
the corresponding public key implies
1) the message has not changed since signing
2) "something you have" authentication (aka the signer
has access to and use of the corresponding private key)
again no mystical properties other than what has been defined in
conforming to the digital signature business process and the public
key business process.
a relying party places their faith in the "something you have"
authentication ... to the extent that they understand the
corresponding business processes and believe that they have been
followed.
there is nothing implicit in the digital signing process that carries
with it that the signer has read (or written), understood, agrees,
approves, and/or authorizes (what has been signed).
--
Anne & Lynn Wheeler | [url]http://www.garlic.com/~lynn/[/url]
Re: When *not* to sign an e-mail message?
Anne & Lynn Wheeler <lynn@garlic.com> wrote in
news:m3ek1gii12.fsf@lhwlinux.garlic.com:
....snip valid points...[color=blue]
> there are all sort of short-comings if you believe that digital
> signatures translate straight-forward to the same as human signatures.
> one such is dual-use attack.[/color]
....snip additional valid points...
Yep, there are numerous differences between conventional human signatures
and digital-signing. I concentrated on the verification/validation
asymmetries between the methods with emphasis on the break with traditional
legal/commercial burden-of-proof aspects.
But, as you point out, there are other differences as well; the two methods
are by no means equivalent. And, accordingly, the reasons for preferring
one method over the other could vary depending on the circumstances. Even
with regard to some particular case, the parties themselves could have
significantly differing interests and preferences regarding signing.
Regards,
Re: When *not* to sign an e-mail message?
Andrew Swallow <am.swallow@btopenworld.com> wrote in
news:dufqbv$b4f$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com:
....snip...[color=blue][color=green]
>> Handwritten signatures and their verification have many limitations
>> and flaws from a technical perspective. However, that doesn't change
>> that the primary burden of verification rests with the one relying on
>> the signature and not the other way round. That person must be able
>> to demonstrate to a competent third party (e.g., a court) that the
>> signature is valid. The means and standard of that proof (too easy
>> or too hard) may be a topic for acrimonious debate but that still
>> doesn't change on whom it falls.
>>
>> And I, for one, am not eager to reverse those obligations and
>> responsibilities.[/color]
>
> No reversal, just harder to lie.[/color]
"Lying" hardly exhausts the differences between the methods - that is gross
oversimplification. No, with digital signatures, I, the signer, now have
assumed a gigantic responsibility re negligence regarding safeguarding my
keys (a responsibility that doesn't exist with handwritten signatures).
And, if I have extended my trust regarding keys to, say, Verisign, I have
taken on an enormous "trust exposure" regarding their preservation of the
confidentiality of my keys.
And it would also mean, for instance, that I must be cryptologically savvy
enough never to be conned into signing some arbitrary message presented to
me.
No, digital signatures are a minefield for the unwary (and even for the
wary!).
Regards,
PS And I could point out other risks as well. For example, unless both
the hardware and software on my computer are fully trusted and secure (ha!)
the document ostensibly presented for me to sign onscreen needn't be the
one I'm actually digitally signing and transmitting. A few moments'
reflection will conjure up a host of other such problems with digital
signatures.
Re: When *not* to sign an e-mail message?
"nemo_outis" <abc@xyz.com> writes:[color=blue]
> Handwritten and digital signatures are not equivalent[/color]
that is along the lines of my theme about both terms containing the
word "signature" can result in semantic confusion; believing that
because both terms contain the same word that then it follows that the
two terms have some similarities.
misc. past posts mentioning semantic confusion arising from both
terms containing the word signature:
http://www.garlic.com/~lynn/aadsm3.htm#kiss5 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp- 00.txt))
http://www.garlic.com/~lynn/aepay11.htm#53 Authentication white paper
http://www.garlic.com/~lynn/aadsm12.htm#30 Employee Certificates - Security Issues
http://www.garlic.com/~lynn/aadsm13.htm#16 A challenge
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/aadsm19.htm#7 JIE - Contracts in Cyberspace
http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#25 Digital signatures have a big problem with meaning
http://www.garlic.com/~lynn/aadsm20.htm#8 UK EU presidency aims for Europe-wide biometric ID card
http://www.garlic.com/~lynn/aadsm20.htm#44 Another entry in the internet security hall of shame
http://www.garlic.com/~lynn/aadsm21.htm#13 Contactless payments and the security challenges
http://www.garlic.com/~lynn/aadsm21.htm#24 Broken SSL domain name trust model
http://www.garlic.com/~lynn/2003k.html#6 Security models
http://www.garlic.com/~lynn/2004i.html#27 New Method for Authenticated Public Key Exchange without Digital Certificates
http://www.garlic.com/~lynn/2005f.html#20 Some questions on smart cards (Software licensing using smart cards)
http://www.garlic.com/~lynn/2005m.html#11 Question about authentication protocols
http://www.garlic.com/~lynn/2005n.html#51 IPSEC and user vs machine authentication
http://www.garlic.com/~lynn/2005o.html#42 Catch22. If you cannot legally be forced to sign a document etc - Tax Declaration etc etc etc
http://www.garlic.com/~lynn/2005q.html#4 winscape?
http://www.garlic.com/~lynn/2005r.html#54 NEW USA FFIES Guidance
http://www.garlic.com/~lynn/2005v.html#3 ABN Tape - Found
--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Re: When *not* to sign an e-mail message?
Andrew Swallow <am.swallow@btopenworld.com> wrote in
news:dug3sj$3al$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com:
>> PPS A different signature on my cheques than my contracts? ...or
>> on my credit cards? ...or on my letters? ...or on my...? Gimme a
>> break! I do not have a quiver of signatures, nor do most people.
>> Why don't we talk about this universe rather than the parallel one
>> you might prefer?
>>
> You set the level of paranoia.
Perhaps it amuses you to be frivolous and irrelevant - but that doesn't
mean I need indulge you in your silliness.
Goodbye!
Re: When *not* to sign an e-mail message?
Anne & Lynn Wheeler <lynn@garlic.com> wrote in
news:m3mzg4e17t.fsf@lhwlinux.garlic.com:
> "nemo_outis" <abc@xyz.com> writes:
>> Handwritten and digital signatures are not equivalent
>
> that is along the lines of my theme about both terms containing the
> word "signature" can result in semantic confusion; believing that
> because both terms contain the same word that then it follows that the
> two terms have some similarities.
Yep, you've made a valid point that should be emphasized in such
discussions.
Regards,
Re: When *not* to sign an e-mail message?
nemo_outis writes:
> No, in any western system of law, the person relying on the signature
> (usually the recipient or beneficiary) must prove its validity (e.g., a
> bank relying on my signature on a cheque must validate it against its
> sample signature). If it is contested and goes to court it is the bank's
> burden (to use my example) to satisfy the court that the signatures
> match.
Which is trivially easy to do, if the bank did indeed look at the
signatures--it is sufficient to show the two signatures in court.
> And that is precisely the point. With a traditional signature system I
> have one and only one requirement: the performance of the positive act of
> signing. I do not, with the traditional system, have the additional
> burden of showing, in a dispute, that a key had somehow escaped from my
> exclusive control.
Yes, you do. If the signature matches the model the bank used for
validation, you have to find a way to prove that it's not your
signature, even though it looks the same.
> With electronic signatures I have taken on additional burdens that do not
> apply with traditional signatures. For instance, I now carry a burden
> not to be negligent in my keeping the keys safe. And, if the signature
> is disputed, it would fall on *me* to show that they had somehow leaked
> or been compromised (e.g., I might have to show Verisign has a corrupt
> employee). I have taken on (or rather had imposed on me) additional
> responsibility and the need for a wider net of trust - things I don't
> have to do the old-fashioned way.
Still, it is trivially easy to forge a handwritten signature, whereas
it is not feasible to forge a digital signature. The only reason
forgery isn't orders of magnitude more common than it is is that most
people are honest. Handwritten signatures are very easy to forge, and
it's very hard to prove that a forged signature isn't real.
> Handwritten signatures and their verification have many limitations and
> flaws from a technical perspective. However, that doesn't change that
> the primary burden of verification rests with the one relying on the
> signature and not the other way round. That person must be able to
> demonstrate to a competent third party (e.g., a court) that the signature
> is valid.
So he holds up enlargements of both and says "see, they look the
same." Mission accomplished.
--
Transpose mxsmanic and gmail to reach me by e-mail.
Re: When *not* to sign an e-mail message?
Andrew Swallow writes:
> It is equivalent to a company using a rubber stamp to sign cheques.
> Where there are a thousand people on the pay roll it is quite common for
> the clerks to be given such rubber stamps. It saves the boss a lot of
> writing.
In practice, it's a check-signing machine, but your point still
applies; indeed, with a check-signing machine, it resembles digital
signatures even more.
> No reversal, just harder to lie.
Exactly. And the consequences are more severe if one is careless.
--
Transpose mxsmanic and gmail to reach me by e-mail.
Re: When *not* to sign an e-mail message?
nemo_outis writes:
> Handwritten and digital signatures are not equivalent - the reference to
> both as "signatures" is at best an analogy, at worst a deception.
Legally, they are identical.
> PPS A different signature on my cheques than my contracts? ...or on my
> credit cards? ...or on my letters? ...or on my...? Gimme a break! I do
> not have a quiver of signatures, nor do most people. Why don't we talk
> about this universe rather than the parallel one you might prefer?
Why don't you refrain from personal attacks in your arguments? The ad
hominem undermines your credibility.
--
Transpose mxsmanic and gmail to reach me by e-mail.