Hi, I was pondering the security issues regarding signed documents and key security. It occured to me that in all the discussion it is assumed that the document is transmitted after the key is transmitted. It seems to be that a higher level of security could be obtained by submitting the signed document first and then submit the signing key. This way when the document goes out Mallet has no idea what key to replace and any fudging of the document will destroy the sign. Then when the key goes out if it is replaced the document won't pass testing either since the server already has a unmod'ed copy. In short, instead of having each author have a signing key, have each document have a signature key and always submit the signed document prior to the signing key. After all it's the document and not the author (who we assume is already using an anonymous submission mechanism) we wish to verify from the end users perspective. The mechanims provides a means for the data haven server to verify the authenticity of the document and this allows them to pass that trust on to the end user in the same sort of way. ____________________________________________________________________ | | | The most powerful passion in life is not love or hate, | | but the desire to edit somebody elses words. | | | | Sign in Ed Barsis' office | | | | _____ The Armadillo Group | | ,::////;::-. Austin, Tx. USA | | /:'///// ``::>/|/ http://www.ssz.com/ | | .', |||| `/( e\ | | -====~~mm-'`-```-mm --'- Jim Choate | | ravage@ssz.com | | 512-451-7087 | |____________________________________________________________________|