Quoting Portions of a Signed Document
It would be neat if you could quote people and prove that they signed the particular paragraph quoted without supplying the entire text. Is there a way to do this? (It seems impossible, but so does mental poker.)

A crude approach would be to sign every paragraph or line separately, but that's obviously inelegant.

Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.htm
On Tue, 25 Nov 1997, Anonymous wrote:
> A crude approach would be to sign every paragraph or line separately, but that's obviously inelegant.

Or use a MIME attachment to store secure hashes (heck, these could even be CRC32's if you're not too paranoid which you could pack into 5 bytes of ascii or something) of each of the lines in the body, then a valid signature of all the hashes at the end.

When you reply to such a message, you'll need to reattach the hash attachment to the reply along with some sort of translation table that says line 20 in this message is quoted from line 502 in the original.

You'll also need some way to do quotes that won't interfere with the hash testing... maybe using block quotes such as :Begin_Quote text :End_Quote or delete the ">" chars. But you'll get in trouble with auto text justifications...

i.e. reply signature mime attachment:

    *Quoted Lines used: 15=234, 16=235, 17=236, etc...
    *From Original Mime attachment:
    *Begin body hashes
    line1hash line2hash line3hash line4hash line5hash.... lineNhash
    *Begin body hash signature
    slkdjflskdjfjsdlfjsdlf
    *End signature

Or when you quote the message, you could have the begin_quote blocks have the line translation in them. If you don't mind shoving HTML in the text, the begin quote blocks in the body of the reply could include the line number. i.e. (using square brackets so those using HTML readers will see this.)

    [Strong][QuoteLine55-69]
    text_of_lines55-69_from_original_message_here.
    [/QUOTE][/Strong]

Problem with this scheme: But, then what do we do about quoted quotes from the reply of the reply???? We could recurse the stuff through, but then deep replies will have a large number of attachments if we chose to retain them...

Possible solution, don't keep quoted quote signatures, or just keep the message id's of them so they can be verified from an archive server or something...

While you will need special mailer clients to decode the attachments and verify the quotes, you still want some compatibility with regular mail clients...

=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================
In <199711252109.WAA05443@basement.replay.com>, on 11/25/97 at 10:09 PM, nobody@REPLAY.COM (Anonymous) said:

> -----BEGIN PGP SIGNED MESSAGE-----

> It would be neat if you could quote people and prove that they signed the particular paragraph quoted without supplying the entire text. Is there a way to do this? (It seems impossible, but so does mental poker.)

> A crude approach would be to sign every paragraph or line separately, but that's obviously inelegant.

Well this could be done by creating a document signature and then a collection of sub signatures but it can get ugly real quick.

What level of granularity does one use for the sub signature?

Paragraph: Contiguous block of text separated by a line of white space.
Line: Block of text ending with a CRLF.
Word: Block of text separated by a white space.

Then what does the sub signature really tell you? Yes you can verify that the quote was written by someone but it may be taken completely out of context. How about when several blocks of text from different messages are combined. Each individual block checks out but by combining them the text has a completely different meaning than the original document.

The best thing right now is for a user to look up the referring document in the archives and verify the signature. It also gives him the advantage of reading the quote in its full context. In an environment where a public archive of messages is not available then other means of obtaining the source document are available (contact the original author, contact the person quoting the original document). In some environments it may be beneficial to attach the original document to the message when sending.

Considering that a signed quote would require the Author to format his signatures in this way I for one would not do so nor could I see a reason for doing so.

Side Note: The above is in reference to small documents and E-Mail. In large documents it may be desirable to sign every page or sign each chapter in addition to signing the entire document. A case may be made for subsignatures in an E-Mail message in which there are separate signatures for the text of a message and accompanying attachments. In both cases there should be a meta-signature that covers the entire document.

--
---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
---------------------------------------------------------------
> It would be neat if you could quote people and prove that they signed the particular paragraph quoted without supplying the entire text. Is there a way to do this?

Yes. To do it using standard proggies, hash each of your paragraphs and put the results in a PGP-signed message. Quoter provides signature and signed hashes. Reader hashes your quoted paragraph and checks the signed message to see if it was one of the original paragraphs. So simple I can do it. :) [Disclaimer: I think.]

A more cool-sounding solution would be to concatenate those hashes and sign them (not a hash of them) as one packet. Since RSA sigs are secret-key decryptions (right?), the reader can re-encrypt it and check any individual hash. Not more secure, though, and it takes a lot of processor time.

No idea how to do it with bit-level granularity.

> (It seems impossible, but so does mental poker.)

Mental poker? Easy.

> A crude approach would be to sign every paragraph or line separately, but that's obviously inelegant.

Allows you a tad too much freedom with their quotes, too...

> Monty Cantsin
> Editor in Chief
> Smile Magazine
> http://www.neoism.org/squares/smile_index.html
> http://www.neoism.org/squares/cantsin_10.htm

---------------------------------------------------------------------------
Randall Farmer
rfarmer@hiwaay.net
http://hiwaay.net/~rfarmer
> It would be neat if you could quote people and prove that they signed the particular paragraph quoted without supplying the entire text. Is there a way to do this? (It seems impossible, but so does mental poker.)

Assuming that they digitally signed the entire document, simply put it on the web, quote the part you want and reference the original signed piece in the message.
Cantsin> A crude approach would be to sign every paragraph
Cantsin> or line separately, but that's obviously inelegant.

Geiger> Well this could be done by creating a document signature
Geiger> and then a collection of sub signatures but it can get ugly real quick.

Creating chains of hashes lets you do this without having to do signatures on each piece - you just sign the hash at the end. So you'd create

    hash_page_1 = hash( hash(page_1_para_1), hash(page_1_para_2)...)
    hash_final = hash( hash_page_1, hash_page_2, ... )
    sign( hash_final, signaturekey )

or whatever hierarchy you like, and to demonstrate you've got page_2_para_2 correctly, you provide the hashes for all the pages, and the hashes for all the paragraphs on page 2.

But then Geiger brings out the other important point:

> Then what does the sub signature really tell you? Yes you can verify that the quote was written by someone but it may be taken completely out of context. How about when several blocks of text from different messages are combined. Each individual block checks out but by combining them the text has a completely different meaning than the original document.
Thanks!
Bill

Bill Stewart, stewarts@ix.netcom.com
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
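Added example, not part of any poster's message: the hash hierarchy Bill Stewart sketches above, which also covers Randall Farmer's signed list of paragraph hashes as the single-page case. SHA-256, the whitespace normalization, the per-level tags and all function names are assumptions of this example; checking the signature over hash_final is left to the signing tool.

```python
import hashlib

def h(tag: bytes, data: bytes) -> bytes:
    # A distinct tag per level keeps a page hash from being passed off as a paragraph hash.
    return hashlib.sha256(tag + data).digest()

def para_hash(text: str) -> bytes:
    # Assumption: collapse whitespace so re-wrapping a quote does not change its hash.
    return h(b"para:", " ".join(text.split()).encode("utf-8"))

def page_hash(para_hashes) -> bytes:
    return h(b"page:", b"".join(para_hashes))

def final_hash(page_hashes) -> bytes:
    # hash_final is the only value the author signs.
    return h(b"doc:", b"".join(page_hashes))

def build(pages):
    """pages: list of pages, each a list of paragraph strings."""
    para_hashes = [[para_hash(p) for p in page] for page in pages]
    page_hashes = [page_hash(ph) for ph in para_hashes]
    return para_hashes, page_hashes, final_hash(page_hashes)

def make_proof(pages, page_no, para_no):
    # What the quoter ships with the quote: every page hash, plus every
    # paragraph hash of the one page the quote comes from.
    para_hashes, page_hashes, _ = build(pages)
    return {"page": page_no, "para": para_no,
            "para_hashes": para_hashes[page_no], "page_hashes": page_hashes}

def verify_quote(quote: str, proof: dict, signed_final: bytes) -> bool:
    """signed_final: hash_final taken from a signature the reader already verified."""
    try:
        if para_hash(quote) != proof["para_hashes"][proof["para"]]:
            return False  # quoted text is not the paragraph at that position
        if page_hash(proof["para_hashes"]) != proof["page_hashes"][proof["page"]]:
            return False  # paragraph hashes do not belong to the claimed page
    except IndexError:
        return False
    return final_hash(proof["page_hashes"]) == signed_final

# Constructed sample document: two pages of two paragraphs each.
DOC = [["First paragraph of page one.", "Second paragraph of page one."],
       ["Page two opens here.", "The paragraph someone wants to quote."]]
```

Unquoted paragraphs are disclosed only as hashes, so a short or guessable paragraph can still be confirmed by hashing candidates; a random per-paragraph salt released only with the quote closes that gap.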
participants (6)
- Bill Stewart
- nobody@REPLAY.COM
- Randall Farmer
- Ray Arachelian
- snow
- William H. Geiger III