Tim has an interesting point on the use of digital signatures. A variation is to use an "undeniable" signature. This is a signature which can only be checked with the cooperation of the signer. However, the protocol is such that the signer cannot cheat and try to deny a valid signature (hence the name). This could be used by manufacturers to authenticate their products only to certain customers; for example, to customers who have paid for them. This might be especially useful for software, although Tim's idea would extend it to any object for which the authentication is especially valuable.

PGP is distributed signed by Phil Zimmermann using an ordinary digital signature. This allows anyone to verify that it is a good package, free of viruses or trap doors. If it instead had an undeniable signature, this verification would require interacting with Phil (or his agent) via a protocol; but at the end the same assurance would result. This kind of signature would be more appropriate with a payware product.

Undeniable signatures cannot be passed on from one person to another. If Alice verifies Bob's undeniable signature, she can't prove to Charlie that the signature is good. She can claim it is good, and assure Charlie that it is good based on her own reputation, but Charlie can in general not be convinced unless he verifies it himself directly with Bob.

Hal
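The interactive check and the non-transferability described above, as an added example that is not part of the original post. The post names no scheme; this sketch assumes the textbook Chaum-van Antwerpen construction with toy parameters, all function names are hypothetical, and the disavowal step (which stops the signer denying a valid signature) is omitted.

```python
import hashlib
import secrets

# Toy parameters (constructed for this demo): safe prime P = 2Q + 1, G of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key, 1..Q-1
    return x, pow(G, x, P)                    # (x, y = G^x mod P)

def encode(msg: bytes) -> int:
    """Map a message into the order-Q subgroup (squares mod P); never 0."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(1 + h % (P - 1), 2, P)

def sign(x: int, msg: bytes) -> int:
    return pow(encode(msg), x, P)             # s = m^x mod P

def challenge(s: int, y: int):
    """Verifier: blind the signature with secret exponents a, b."""
    a = secrets.randbelow(Q - 1) + 1          # a is never 0 mod Q
    b = secrets.randbelow(Q)
    return (a, b), pow(s, a, P) * pow(y, b, P) % P

def respond(x: int, c: int) -> int:
    """Signer: only the holder of x can compute c^(1/x)."""
    return pow(c, pow(x, -1, Q), P)

def check(msg: bytes, ab, d: int) -> bool:
    """Verifier: accept iff d == m^a * G^b, using the secret a, b."""
    a, b = ab
    return d == pow(encode(msg), a, P) * pow(G, b, P) % P

def confirm(x: int, y: int, msg: bytes, s: int) -> bool:
    """One full round between verifier (knows y) and signer (knows x)."""
    ab, c = challenge(s, y)
    return check(msg, ab, respond(x, c))

def simulate_transcript(y: int, msg: bytes, s: int):
    """What Alice could show Charlie: built WITHOUT the signer, for any s."""
    ab, c = challenge(s, y)
    a, b = ab
    d = pow(encode(msg), a, P) * pow(G, b, P) % P
    return ab, c, d
```

Because `simulate_transcript` yields a transcript that passes `check` even for a bogus signature, a recorded exchange proves nothing to a third party, which is why Charlie has to run the protocol with Bob himself.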