An update on MS private key (in)security issues

William H. Geiger III whgiii at invweb.net
Sat Feb 7 20:38:51 PST 1998



-----BEGIN PGP SIGNED MESSAGE-----

In <88650932615058 at cs26.cs.auckland.ac.nz>, on 02/04/98 
   at 01:35 AM, pgut001 at cs.auckland.ac.nz (Peter Gutmann) said:

>The implications of that last point can be quite serious.  Take for
>example the Utah digital signature act, which was used as a model by a
>number of other states who implemented or are implementing digital
>signature legislation. Under the Utah act, digitally signed documents are
>given the same evidentiary weight as notarised documents, and someone
>trying to overcome this has to provide "clear and convincing evidence"
>that the document is fraudulent, which is difficult since it bears a
>valid signature from the users key (this fact has been used in the past
>to criticise digital signature laws based on this act). In addition,
>under the Utah act and derived acts, anyone who loses their private key
>bears unlimited liability for the loss (in contrast, consumer liability
>for credit card loss is limited to $50).  This leads to the spectre of a
>malicious attacker who has the ability to issue notarised documents in
>your name for which you carry unlimited liability.  This is a lot more
>important than someone reformatting your hard drive, or stealing last
>months sales figures.

I have raised concerns in the past over the rush to pass Digital Signature
Laws in various states. These laws have not been well though out nor did
they stand the rigors of peer-review of the crypto community before they
were passed into law. IIRC one of the states considered *encryption* alone
to be a *legal* signature!!!

I will not be using digital signatures for anything other than
authentication of messages. For legal documents I will stick to the old
fashion pen and paper with witnesses and a notary.

Just as a side note: Micro$loth is unfit to secure an outhouse let alone
somthing as important as network and data security (are these fools still
claiming C2 for NT?). I have never seen such overwhelming incompetence and
complete arrogance than what is centered in Redmond (IBM may be arrogant
but at least they are technically competent). 

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------
 
Tag-O-Matic: Windows?  WINDOWS?!?  Hahahahahehehehehohohoho...

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNNcZF49Co1n+aLhhAQHZGAP/d5qdnlJYEt6uXh2srSf2ELc4rAle9aX5
p49t7PgGIaCpMY8YIYsFS5+nFoeHwUmlBNrEvUJQoQ2jrEgUp7B7Xv+VZB38qLma
L0oeyICDe7bw6iMjKJ88gsqcHSghPhu7qhSI68e7CffwBWDh3N4Uc5PMQSMzztLZ
GdKH6QmvN7k=
=NV74
-----END PGP SIGNATURE-----







More information about the cypherpunks-legacy mailing list