
Re: DSAKeyValue text - inferring trust from just a PK

From: Amir Herzberg <amir@newgenpay.com>
Date: Fri, 8 Jun 2001 16:15:47 +0200
Message-ID: <002b01c0f025$83ffa7c0$323cfea9@newgenpay>
To: <w3c-ietf-xmldsig@w3.org>

Merlin said,
> If I write my public key (or its fingerprint) down on a beermat
> and you receive a document that contains that key (and was signed
> by the corresponding private key) then, subject to our trust
> relationship and the quantity of beer, you may be able to infer
> that I signed the document. Or, you can use the key fingerprint
> to look up a cert in a database. Beer or certs, your choice.

This mechanism is certainly sufficient for document authentication (for
which it is also sufficient to write down an appropriate crypto hash of the
document itself on the beermat).

However, it is not sufficient for non-repudiation, unless indeed looking up
the cert in a trusted public database (or having also a certificate).
Namely, if all you have is the beermat containing the key and the document,
you certainly can't prove that it was signed by the individual who handed
you the beermat (unless maybe using his fingermark on the beermat? now that
may work...).

Best Regards,

Amir Herzberg
CTO, NewGenPay
www.NewGenPay.com/Amir/Herzberg.htm
Received on Friday, 8 June 2001 10:11:32 UTC
