[21168] in bugtraq


Re: crypto flaw in secure mail standards

daemon@ATHENA.MIT.EDU (David Howe)
Sun Jun 24 12:03:18 2001

Message-ID: <004b01c0fbca$decb39c0$01c8a8c0@default>
From: "David Howe" <DaveHowe@bigfoot.com>
To: "Lyal Collins" <lyalc@ozemail.com.au>,
        "Email list : Bugtraq" <BUGTRAQ@securityfocus.com>
Date: Sat, 23 Jun 2001 10:57:03 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

"Lyal Collins" <lyalc@ozemail.com.au> wrote:
To: "David Howe" <DaveHowe@Bigfoot.com>; <bugtraq@securityfocus.com>
> One significant issue is that an expert witness can cast doubt, not
> only on the digital signature in question,  but upon _every_ digitally
> signed document each party received.
  Yes - an expert witness should (and presumably would) reduce the document
to just its signed portion and say "this, and only this, is what Alice
signed; there is no evidence who sent this where, as that was done after the
document was signed".
  Provided the *signed* (and timestamped) portion of the message/document
supports the case, there is no doubt cast - a document that clearly states
exactly what Alice wanted to say, including the recipient, would only be a
few characters more (not even the ID of the recipient is needed, just his
name or email address).
  Users find technology far too convenient; few if any of them would place a
legally binding signature on a paper document containing a simple statement
(such as "I agree to the terms of our contract"), but many seem to believe it
is ok to make digital signatures saying the same things... What is needed is
increased user awareness ("you are signing this document and it will be
legally binding - are you sure it says what you want it to, unambiguously?"),
not technological fixes.
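The point of the reply above is that only the signed portion carries evidential weight: a signature over the body alone says nothing about who the message was sent to, while putting the recipient's name or address and a date inside the signed text costs a few characters and lets the receiving side check it. The following is an added example, not code from the original thread or from any mail standard, showing both forms side by side with Ed25519 from the Go standard library. The "To:"/"Date:" line layout, the function names and the example addresses are this example's own assumptions; a real S/MIME or PGP deployment would carry the same information inside its signed content rather than in a hand-rolled header block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// signedPortion is the exact byte string Alice signs. Everything that should
// carry evidential weight (recipient, date, body) must be inside it; anything
// outside it, such as the transport envelope, can be changed after signing
// without invalidating the signature. Layout is an assumption of this example.
func signedPortion(to, date, body string) []byte {
	return []byte("To: " + to + "\nDate: " + date + "\n\n" + body)
}

// SignBodyOnly is the weak form discussed in the thread: only the body text
// is signed, so the signature carries no destination at all.
func SignBodyOnly(priv ed25519.PrivateKey, body string) []byte {
	return ed25519.Sign(priv, []byte(body))
}

// VerifyBodyOnly succeeds for whoever holds the message: the signature is
// genuine, but nothing in it says where Alice meant it to go.
func VerifyBodyOnly(pub ed25519.PublicKey, body string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(body), sig)
}

// SignAddressed signs recipient and date together with the body and returns
// the signed portion alongside the signature.
func SignAddressed(priv ed25519.PrivateKey, to, date, body string) ([]byte, []byte) {
	msg := signedPortion(to, date, body)
	return msg, ed25519.Sign(priv, msg)
}

// VerifyAddressed checks the signature and then checks that the signed "To:"
// line names the party actually holding the message (me). A genuine signature
// that was addressed to someone else is reported as an error rather than
// accepted, which is the check the body-only form cannot perform.
func VerifyAddressed(pub ed25519.PublicKey, msg, sig []byte, me string) (string, error) {
	if !ed25519.Verify(pub, msg, sig) {
		return "", errors.New("bad signature")
	}
	headers, body, ok := strings.Cut(string(msg), "\n\n")
	if !ok {
		return "", errors.New("malformed signed portion")
	}
	var to string
	for _, h := range strings.Split(headers, "\n") {
		if strings.HasPrefix(h, "To: ") {
			to = strings.TrimPrefix(h, "To: ")
		}
	}
	if to == "" {
		return "", errors.New("signed portion carries no recipient")
	}
	if to != me {
		return "", fmt.Errorf("signed for %q, but presented to %q", to, me)
	}
	return body, nil
}

func main() {
	// Constructed sample: Alice signs a one-line agreement meant for Bob.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := "I agree to the terms of our contract"

	// Weak form: the same signed body, if it later turns up at Charlie's
	// address, still verifies, because nothing signed says it was for Bob.
	sig := SignBodyOnly(priv, body)
	fmt.Println("body-only signature verifies for any holder:", VerifyBodyOnly(pub, body, sig))

	// Addressed form: Bob's check passes; a copy presented to Charlie fails.
	msg, sig2 := SignAddressed(priv, "bob@example.com", "Sat, 23 Jun 2001 10:57:03 +0100", body)
	_, err := VerifyAddressed(pub, msg, sig2, "bob@example.com")
	fmt.Println("Bob's check:", err)
	_, err = VerifyAddressed(pub, msg, sig2, "charlie@example.com")
	fmt.Println("Charlie's check:", err)
}
```

The verifier's side matters as much as the signer's: including the recipient in the signed text achieves nothing unless the receiving software compares that field against its own identity and refuses a mismatch, so a deployment that adopts this convention has to enforce it at verification time, not merely display the field.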
