Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)

Nathaniel Borenstein nsb at nsb.fv.com
Tue Jan 30 08:38:41 PST 1996


Excerpts from mail: 29-Jan-96 Re: Signature use and key t..
Futplex at pseudonym.com (2183*)

> In my world, "you" == nsb at nsb.fv.com, and hence "your key" == the key I could
> fetch from nsb+faq at nsb.fv.com.

Right, absolutely.  But let's face it, by now you believe it's me
anyway, or the real nsb at nsb.fv.com would have spoken up and argued with
me.  On the other hand,  if I start routinely PGP-signing email, then
the value of slowly brute-force cracking my private key goes way up.  If
FV is successful, for example, you could spend a few years breaking my
key, and then forge apparently-slanderous signed mail from me to you as
part of a lawsuit.  This would be far more believable, in a court of
law, if I routinely signed everything than if I didn't.  

I don't routinely sign things because I think it is asking for problems
with retrospective forgery down the road.  I might, however, consider
routinely signing things once I can easily incorporate a digital
timestamping service like the one from Surety into my signature.

> FWIW, I have lost a great deal of respect for you today

I sincerely hope that you will gain it back when you realize that not
all "hype" is without substance, and that we really have unveiled a
genuine, previously-unrecognized, and extremely important flaw in
commercial mechanisms that purport to offer security through the software
encryption of credit card numbers.  -- Nathaniel
--------
Nathaniel Borenstein <nsb at fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com
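
The retrospective-forgery argument in the message above, as an added example that is not part of the original post: a simplified hash-linked timestamp log (not Surety's actual protocol) in which a message signed with a later-cracked key cannot be backdated. Assumptions: the log head is widely published, the service records times honestly, the byte strings stand for message plus signature, and all names and values are constructed.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class LinkedLog:
    """Append-only log: each link commits to the previous link and the new entry."""
    def __init__(self):
        self.entries = []                  # (time, digest of signed message)
        self.links = [h(b"genesis")]

    def register(self, when: int, signed_message: bytes) -> int:
        digest = h(signed_message)
        self.entries.append((when, digest))
        self.links.append(h(self.links[-1], when.to_bytes(8, "big"), digest))
        return len(self.entries) - 1       # receipt: position in the log

    def head(self) -> bytes:
        return self.links[-1]

def recompute_head(entries) -> bytes:
    link = h(b"genesis")
    for when, digest in entries:
        link = h(link, when.to_bytes(8, "big"), digest)
    return link

def accepted(entries, published_head, index, signed_message, key_broken_at):
    """Accept only if the log proves the message existed before the key was broken."""
    if recompute_head(entries) != published_head:
        return False                       # log rewritten after head was published
    if not 0 <= index < len(entries):
        return False
    when, digest = entries[index]
    return digest == h(signed_message) and when < key_broken_at

# Constructed sample data (times are arbitrary integer ticks).
log = LinkedLog()
GENUINE = b"mail signed and timestamped when it was written"
RECEIPT = log.register(100, GENUINE)
log.register(200, b"unrelated document from another customer")
PUBLISHED_HEAD = log.head()                # assumed to be published widely
KEY_BROKEN_AT = 5000                       # assumed time the key was cracked
FORGED = b"mail 'signed' years later with the cracked key"

def backdated_entries():
    """The forger's only way to claim an early date: rewrite the old log."""
    rewritten = list(log.entries)
    rewritten.insert(1, (150, h(FORGED)))
    return rewritten
```

The forger can still register the forged message honestly, but only at a time after the break, which is what the verifier rejects.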