I was thinking about a problem involving two parties signing a file and each keeping a copy, as they would do with a paper contract, and came up with something like the following: Two parties securely exchange public keys, each signed by the other, and verify correctness through some channel like the phone. Party A signs a document, and sends it to B. B adds his signature, so now the document is cryptographically signed by both, and sends a copy back to A. Both parties now have the same file containing signatures from each. Party A later decides to forge an altered document. To do this, he must generate two new key pairs, claiming one as his own and the other as the one B gave him. He uses these to sign the altered document, and now claims that B posesses the forgery and fake keypairs instead, and that the altered document is the genuine one. Party A cannot just fake a keypair for B, because then party A would still be able to verify signatures on BOTH documents, whereas B would only be able to verify his own copy -- this would prove that A had a goofed key for B, I think... In the absence of any third party intervention, it is now only A's word against B's, since NOTHING about either document copy matches the other. The question is, what do we DO about this that would be provable in a [cryptographically clueful] court? [I'm making a BIG assumption here.] In the paper world, A and B sign a document in the presence of a notary, who also signs the document attesting that A and B genuinely signed it. This also implies that the notary can view the contents of the document. It is feasible for party A to later forge a changed document containing bogus signatures of B *and* the notary, given sufficient resources. In the cryptographic world, a trusted third party can sign a document, and then A's altered copy would not match. I also propose that trusted third party [let's call it a Notary] can also sign A and B's public keys, and retain copies of same. [A mental image of a printout of the ascii-armored key block for both parties, tacked to the Notary's wall, comes to mind...] Now the two parties can interact freely using these key pairs, and never need to expose any actual documents to the Notary. If a dispute arises, the Notary can be called in to verify questionable signatures or keys. The Notary can also receive and retain encrypted copies of documents, and be unable to do anything with them except store them away for future reference. Assuming that the Notary is never compromised by either A or B, and could retain some kind of provable trail of document dates, would this work?? How would the compromise of A's key or B's key be handled and still keep any of the documents valid? Does the analogy to forged handwritten signatures and phony dates hold water? Presumably if either A or B has ONE other signature on either of their public keys, let's say from C, then C can be called in to check that signature. From this one can determine which of A or B is lying, since they signed each others' keys in the beginning and THOSE have to also match. This is more a legalistic question than a crypto question, but I'm sure many of us would like to see the use of crypto for this sort of thing sometime down the road. Are there any precedents at all yet? _H*