[8889] in cryptography@c2.net mail archive
Re: crypto flaw in secure mail standards
daemon@ATHENA.MIT.EDU (Derek Atkins)
Sat Jun 23 15:42:36 2001
To: dmolnar <dmolnar@hcs.harvard.edu>
Cc: "Jeffrey I. Schiller" <jis@mit.edu>,
Don Davis <dtd@world.std.com>, <cryptography@wasabisystems.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 22 Jun 2001 17:01:47 -0400
In-Reply-To: dmolnar's message of "Fri, 22 Jun 2001 16:08:31 -0400 (EDT)"
Message-ID: <sjm4rt89qkk.fsf@rcn.ihtfp.org>

This works fine in a peer-to-peer scenario, but not if you have a
one-to-many transmission. Just because you have a message signed in
the set {Alice,Bob,Charlie,Daniel,Eve,Fred,Greg}, there is no way to
know which of them sent it. All members of the set must be mutually
trusted, which means there is no way to sign a document that a set of
people can verify comes EXACTLY from you.
-derek

dmolnar <dmolnar@hcs.harvard.edu> writes:
> So Alice signs document D as being from the set {Alice, Bob} and sends it
> to Bob. Now Bob knows he didn't write D, so he believes it's from Alice.
> If he passes D along to Charlene, she can't determine whether Alice
> wrote D or Bob came up with it himself.
>
> In fact, IIRC, the paper suggests the sorts of scenarios discussed in this
> thread explicitly as the motivation for this use of ring signatures. The
> paper then goes on to argue for the practicality of implementing ring sigs
> in mail clients.
>
> -David
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
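
The two-member ring {Alice, Bob} discussed in this thread, as an added example that is not part of either message: a Schnorr-style ring signature (the Abe-Ohkubo-Suzuki construction, not necessarily the scheme in the paper the thread refers to). The names keygen, ring_sign and ring_verify and the toy group parameters are assumptions made for illustration.

```python
# Added illustration, not from the thread: Schnorr-style (AOS) ring signature.
import hashlib
import secrets

P = 2**127 - 1  # constructed toy modulus (Mersenne prime), NOT a secure size
N = P - 1       # exponents are reduced modulo the group order
G = 3           # assumed base for the toy group

def keygen():
    x = secrets.randbelow(N - 1) + 1          # private key
    return x, pow(G, x, P)                    # (private, public)

def _challenge(ring, msg, commitment):
    data = repr((tuple(ring), msg, commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ring_sign(msg, ring, idx, priv):
    """Sign msg as 'some member of ring'; idx/priv identify the real signer."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    k = secrets.randbelow(N)
    i = (idx + 1) % n
    c[i] = _challenge(ring, msg, pow(G, k, P))
    while i != idx:                           # simulate every other member
        s[i] = secrets.randbelow(N)
        e = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(ring, msg, e)
    s[idx] = (k - priv * c[idx]) % N          # close the ring with the real key
    return c[0], s

def ring_verify(msg, ring, sig):
    c0, s = sig
    c = c0
    for y, s_i in zip(ring, s):
        c = _challenge(ring, msg, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0 and len(s) == len(ring)

if __name__ == "__main__":
    (a_priv, a_pub), (b_priv, b_pub) = keygen(), keygen()
    ring, D = (a_pub, b_pub), b"document D"
    from_alice = ring_sign(D, ring, 0, a_priv)
    from_bob = ring_sign(D, ring, 1, b_priv)   # Bob can make one just as valid
    print(ring_verify(D, ring, from_alice), ring_verify(D, ring, from_bob))
```

Both signatures verify against the same ring and carry no field naming the signer, so a third party holding D and the signature learns only that some ring member produced it; the same holds for the seven-member set in the reply above.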
---------------------------------------------------------------------
The Cryptography Mailing List