From: "Perry E. Metzger" <perry@imsi.com> Digital "signatures" are the first real unforgeable authentication technology mankind has developed. Impossibility is a pretty strong concept, and here, as elsewhere, it's an exaggeration. Digital signatures are not unforgeable. If you steal the private key, you can forge signatures. The unforgeability is exactly as great as the strength of the container where the private key lies. The issue of incarnation, if you will, is perhaps the single most important issue for actual deployment. It's a matter of economics. The cryptographic barrier is insurmountable, but it's not the only barrier. So don't try to breach the cryptography; try to breach one of the other elements of the system. [Perry, I promise it's not personal; it just _seems_ like I'm nit-picking on everything you write this week.] A remark on the meaning of forgery. Let me rewrite what Perry said: Digital "signatures" are the first authentication technology mankind has developed where forgery is impossible to detect. An indistinguishable signature can still be a forged signature. A forged signature is one that is made by the wrong person. If the wrong person gets the private key, signatures made by that person are forgeries, even though nobody can tell them apart. This point is not merely pedantic. The concept of forgery adheres to the person committing the act, not the act itself. A piece of data which presents itself as a signature, but which does not pass the verification process, is not a forged signature but an invalid one. The external inability to distinguish proper digital signatures from forged ones has profound effect on the legal interpretations of the physical signing device (hardware+software). I wish only to point this out and leave discussion to another thread. Eric