||use electronic ... public-key signatures, the kind that make it impossible ||for one to deny having signed something. ^^^^^^^^^^^^^^^^^^ ||^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | Nice theory, but too simple. | I can always deny signing something by claiming that my private key was | compromised. I can even deliberately let it be known, if it's important There's some very nice work by two people at Bell Labs (whose names I can't
One of them is Stuart Haber (stuart@bellcore.com)
unforgeable digital timestamps. This is a much trickier problem than it firs appears to be, but they have a nice solution.
It's not too complicated. Basically, what you do is produce a hash of your text, and publish it widely in a medium that is being archived, and likely to be accessible and authenticable at a later time, for example by posting it in a classified ad in a large newspaper. Later, when verifying the timestamp one can get a copy of that newspaper from a library (or from several libraries, for greater security) and compare the published hash with that of the text. For greater efficiency, there's a simple way to combine a lot of messages and produce only one hash which is published. The information you get back and store as a part of the timestamp is enough to prove that this particular hash was one of the many combined to produce the published value. This system is actually operating, look in any Sunday New York Times in the Business Classifieds.
Given timestamps, we can then require that messages be not just signed but dated. If my key becomes compromised, I revoke all my signatures from some time on. By looking at the timestamp that goes with the signature, we can determine whether it was created before or after the compromise, and discard it if "after".
Once can always claim that they "just found out" that their key has been compromised a year ago, and so deny having signed that signature. -- Yanek Martinson yanek@novavax.nova.edu