CDR: RE: Schneier: Why Digital Signatures are not Signatures (was Re :CRYPTO-GRAM, November 15, 2000)
there are issues about authentication ... like conceptual frame-works of something you have, something you know, and something you are. it is possible to put together digital signature authentication technology/frame-works involving digital signature that are dependent on one or more pieces of 3-factor authentication. legal "signatures" as indication of intent have involved issues like counterfeit and understanding (and various regulations about font-sizes, wording, different expectations about prudent person, etc). a digital signature, once executed is a lot harder to counterfeit (compared to various written signatures) ... however there is much less direct correlation between intention and the act of executing a digital signature. digital signature in conjunction with various process that can proove that every digital signature executed was directly dependant on various combinations of 3-factor authentication (for each and every digital signature executed) attempts for a tighter correlation and demonstrate some degree of actual binding (between intention and signature execution). however, they also introduce new technology challenges ... there is now a significantly wider gap between the presentation of the information that a person may be agreeing to ... and the actual representation that is involved in executing digital signatures. paper documents also have had the advantage that the presentation of the information and the signature application is nearly identical technology .... much closer binding between the representation of what is being agreed to and the method of indicating that agreement. There are not a whole lot of cases where as the person is using a pen to sign a specific piece of paper ... that the pen can wonder off and sign a totally different piece of paper (like radar getting week-end passes signed in the MASH show). So the understanding issue pretty much stays the same in both environments (digital signature and paper signature) ... digital signatures (in conjunction with the appropriate authentication framework) can reduce the instances of counterfeit signatures being applied to documents ... but also opens up the instances where what a person is presented isn't necessarily what the person is signing. So one issue might be ... all other factors being equal ... is the magnitude of any counterfeit reduction significantly greater than the increase in the "what you see is what you sign" problem and the "did the person actually intend/confirm that particular signature" problem. "Paul Kierstead" <paul.kierstead@alcatel.com> on 11/17/2000 06:09:02 AM Please respond to paul.kierstead@alcatel.com
Lynn.Wheeler@firstdata.com wrote:
there are issues about authentication ... like conceptual frame-works of something you have, something you know, and something you are.
No, no! Don't go there! I am fond of the things that I am and do not want to encourage people to steal bits of me. Two ways is enough for me, unless you can think of a third way that means I get to keep my fingers and eyes. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
participants (2)
-
Ben Laurie
-
Lynn.Wheeler@firstdata.com