Re: Choosing key to verify someone else's sig?

From: David Wagner (daw_at_mozart.cs.berkeley.edu)
Date: 09/12/03

Next message: Mark Wooding: "Re: Review of PBEP 1.0 - Password Based Encryption Protocol"
Previous message: David A. Scott: "Re: AES and Diehard"
In reply to: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Next in thread: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Reply: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 12 Sep 2003 00:20:58 +0000 (UTC)

Trevor Perrin wrote:
> - Given a signed document from Bob, you shouldn't assume that Bob was
>the original author.
>
> - Given a signature that verifies with Bob's key, you shouldn't
>assume that Bob's key was the original signer.

I guess what I really mean is the second one. The following is probably
also good advice:
- Given a signature that verifies with Bob's key, you shouldn't assume
that Bob was the original author.

There's no way for the receiver to tell whether it was *really* Bob who
signed the document. For example, Bob could have given his private
key to Charlie, and the document could have been signed by Charlie.
Or, the document might originally have been signed by Zacchary, and Bob
might have stripped Zacchary's signature off and added his own.

All that a receiver can do is check whether the signature verifies using
Bob's public key, so the most we can verify is that some holder of Bob's
private key endorsed or approved of the document. We can't ensure that
Bob was the original author.

You're right that it is important to be precise here. I apologize for
my imprecision.

In any case, these number-theoretic properties of RSA that let you match
an existing signature are only really relevant when Bob's signature is
sent on a different, "more authentic" channel than Bob's public key.
That's pretty rare in practice -- or if it isn't, it ought to be!

Next message: Mark Wooding: "Re: Review of PBEP 1.0 - Password Based Encryption Protocol"
Previous message: David A. Scott: "Re: AES and Diehard"
In reply to: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Next in thread: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Reply: Trevor Perrin: "Re: Choosing key to verify someone else's sig?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Encryption question
... Digital signature is done by applying the ... sender's private key at the message hash. ... has the sender's public key to check. ... >Alice encrypts her email to Bob using his public key. ...
(Security-Basics)
Re: Help need for British address
... > Now here's a detail image of the address: ... > I am also curious about his signature on the back of the cover. ... > simplify the censorship process; the signature on this cover seems like ... Bob ...
(rec.collecting.stamps.discuss)
RE: Encryption question
... If you're saying that Bob checks it using ALICE's public key, ... the new one is that her old private key has been compromised, ... > an electronic signature from Alice using the pair I created ...
(Security-Basics)
Re: Encryption question
... key has no passphrase, otherwise pgp/gpg can't generate the public key's ... signature, because the public key's passphrase is required to sign ... | Alice encrypts her email to Bob using his public key. ...
(Security-Basics)
Re: VISTA?
... signature if you'd remembered to remove it in your post? ... Doug Steele, Microsoft Access MVP ... honestly and has to resort to spam to try to get money. ... Bob Larson ...
(microsoft.public.access.formscoding)