CDR: Re: Schneier: When is a Signature not a Signature? When it's a chad.

Declan McCullagh declan at well.com
Thu Nov 16 17:10:36 PST 2000 

pth at ibuc.com?

On Thu, Nov 16, 2000 at 01:37:37PM -0500, R. A. Hettinga wrote:
> 
> --- begin forwarded text
> 
> 
> Date: Thu, 16 Nov 2000 10:09:43 -0800
> From: Somebody
> Reply-To: pth at ibuc.com
> To: "R. A. Hettinga" <rah at shipwright.com>
> Subject: Re: Schneier: When is a Signature not a Signature? When it's a chad.
> 
> Bruce falls into the same error he points out: attempting
> to devine intent rigorously.  In fact there lots of ways
> humans have agreed to evidence agreement, and none of
> them are tamper proof.  Much of the corporate
> world runs on electronically printed signatures for checks,
> there is a long and illustreous history of signet rings and
> carved chops being used as contractual evidence...  His
> argument is equivalent to saying that we should not accept
> a corporate check because the computer room could
> have been hacked, or that King X should not accept the
> seal of King Y because his nemesis might have snuck in
> at night and borrowed it from his finger while he slept,
> or that Wu-san's chop had been copied by an expert
> carver.  (and I'm certain such events have in fact occurred.)
> 
> I think his only valid point is that digital signatures are
> not somehow better.  What they do provide are
> 1) an interesting possibility for _remote_ contracting, and
> 2) a way for computing machinery to do things analogous
> to humans contracting with each other.
> Both of these are important and will likely yield lots of
> exciting new applications.
> 
> Bruce should keep in mind that the Digital Signature Law
> recently enacted basically says that no signature will be
> deemed invalid _purely_ because it is electronic in nature.
> It doesn't say that computation of m^e mod n constitutes
> Alice's intent to sign.  It does say that if Alice and Bob
> agree to use such a digital mechanism to evidence intent,
> then they may.
> 
> And just as we are learning this week that a "vote" is
> a more ambiguous concept than we may have intuitively
> thought, a "signature" has _never_ been a black-and-white
> expression of human intent, simply one piece of evidence
> in a sometimes cluttered, occasionally fraudulent, and
> always contestable world.
> 
> "R. A. Hettinga" wrote:
> 
> > At 5:58 PM -0600 on 11/15/00, Bruce Schneier wrote:
> >
> > >     Why Digital Signatures Are Not Signatures
> > >
> > >
> > >
> > > When first invented in the 1970s, digital signatures made an amazing
> > > promise: better than a handwritten signature -- unforgeable and uncopyable
> > > -- on a document.  Today, they are a fundamental component of business in
> > > cyberspace.  And numerous laws, state and now federal, have codified
> > > digital signatures into law.
> > >
> > > These laws are a mistake.  Digital signatures are not signatures, and they
> > > can't fulfill their promise.  Understanding why requires understanding how
> > > they work.
> > >
> > > The math is complex, but the mechanics are simple.  Alice knows a secret,
> > > called a private key.  When she wants to "sign" a document (or a message,
> > > or any bucket of bits), she performs a mathematical calculation using the
> > > document and her private key; then she appends the results of that
> > > calculation -- called the "signature" -- to the document.  Anyone can
> > > "verify" the signature by performing a different calculation with the
> > > message and Alice's public key, which is publicly available.  If the
> > > verification calculation checks out then Alice must have signed the
> > > document, because only she knows her own private key.
> > >
> > > Mathematically, it works beautifully.  Semantically, it fails
> > > miserably.  There's nothing in the description above that constitutes
> > > signing.  In fact, calling whatever Alice creates a "digital signature" was
> > > probably the most unfortunate nomenclature mistake in the history of
> > > cryptography.
> > >
> > > In law, a signature serves to indicate agreement to, or at least
> > > acknowledgment of, the document signed.  When a judge sees a paper document
> > > signed by Alice, he knows that Alice held the document in her hands, and
> > > has reason to believe that Alice read and agreed to the words on the
> > > document.  The signature provides evidence of Alice's intentions.  (This is
> > > a simplification.  With a few exceptions, you can't take a signed document
> > > into court and argue that Alice signed it.  You have to get Alice to
> > > testify that she signed it, or bring handwriting experts in and then it's
> > > your word against hers.  That's why notarized signatures are used in many
> > > circumstances.)
> > >
> > > When the same judge sees a digital signature, he doesn't know anything
> > > about Alice's intentions.  He doesn't know if Alice agreed to the document,
> > > or even if she ever saw it.
> > >
> > > The problem is that while a digital signature authenticates the document up
> > > to the point of the signing computer, it doesn't authenticate the link
> > > between that computer and Alice.  This is a subtle point.  For years, I
> > > would explain the mathematics of digital signatures with sentences like:
> > > "The signer computes a digital signature of message m by computing m^e mod
> > > n."  This is complete nonsense.  I have digitally signed thousands of
> > > electronic documents, and I have never computed m^e mod n in my entire
> > > life.  My computer makes that calculation.  I am not signing anything; my
> > > computer is.
> > >
> > > PGP is a good example.  This e-mail security program lets me digitally sign
> > > my messages.  The user interface is simple: when I want to sign a message I
> > > select the appropriate menu item, enter my passphrase into a dialog box,
> > > and click "OK."  The program decrypts the private key with the passphrase,
> > > and then calculates the digital signature and appends it to my
> > > e-mail.  Whether I like it or not, it is a complete article of faith on my
> > > part that PGP calculates a valid digital signature.  It is an article of
> > > faith that PGP signs the message I intend it to.  It is an article of faith
> > > that PGP doesn't ship a copy of my private key to someone else, who can
> > > then sign whatever he wants in my name.
> > >
> > > I don't mean to malign PGP.  It's a good program, and if it is working
> > > properly it will indeed sign what I intended to sign.  But someone could
> > > easily write a rogue version of the program that displays one message on
> > > the screen and signs another.  Someone could write a Back Orifice plug-in
> > > that captures my private key and signs documents without my consent or
> > > knowledge.  We've already seen one computer virus that attempts to steal
> > > PGP private keys; nastier variants are certainly possible.
> > >
> > > The mathematics of cryptography, no matter how strong, cannot bridge the
> > > gap between me and my computer.  Because the computer is not trusted, I
> > > cannot rely on it to show me what it is doing or do what I tell it
> > > to.  Checking the calculation afterwards doesn't help; the untrusted
> > > computer can't be relied upon to check the calculations properly.  It
> > > wouldn't help to verify the code, because the untrusted computer is running
> > > the code (and probably doing the verification).  It wouldn't even help to
> > > store the digital signature key in a secure module: the module still has to
> > > rely on the untrusted computer for input and output.
> > >
> > > None of this bodes well for digital signatures.  Imagine Alice in court,
> > > answering questions about a document she signed.  "I never saw it," she
> > > says.  "Yes, the mathematics does prove that my private key signed the
> > > document, but I never saw it."  And then an expert witness like myself is
> > > called to the stand, who explains to the judge that it is possible that
> > > Alice never saw the document, that programs can be written to sign
> > > documents without Alice's knowledge, and that Alice's digital signature
> > > doesn't really mean anything about Alice's intentions.
> > >
> > > Solving this problem requires a trusted signing computer.  If Alice had a
> > > small hand-held computer, with its own screen and keyboard, she could view
> > > documents on that screen and sign them with that keyboard.  As long as the
> > > signing computer is trusted, her signatures are trusted.  (But problems
> > > remain.  Viewing a Microsoft Word document, for example, generally involves
> > > the very software most responsible for welcoming a virus into the
> > > computer.)  In this case we're no longer relying on the mathematics for
> > > security, but instead the hardware and software security of that trusted
> > > computer.
> > >
> > > This is not to say that digital signatures are useless.  There are many
> > > instances where the insecurities discussed here are not relevant, or where
> > > the dollar value of the signatures is small enough not to warrant worrying
> > > about them.  There are also instances where authenticating to the signing
> > > computer is good enough, and where no further authentication is
> > > required.  And there are instances where real-world relationships can
> > > obviate the legal requirements that digital signatures have been asked to
> > > satisfy.
> > >
> > > Digital signatures prove, mathematically, that a secret value known as the
> > > private key was present in a computer at the time Alice's signature was
> > > calculated.  It is a small step from that to assume that Alice entered that
> > > key into the computer at the time of signing.  But it is a much larger step
> > > to assume that Alice intended a particular document to be signed.  And
> > > without a tamperproof computer trusted by Alice, you can expect "digital
> > > signature experts" to show up in court contesting a lot of digital
> > >signatures.
> > >
> > > Comments on the new federal digital signature law:
> > > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2635346,00.html>
> > > (multipage, don't miss the others)
> > > <http://www4.zdnet.com:80/intweek/stories/news/0,4164,2634368,00.html>
> > > <http://www.infoworld.com:80/articles/hn/xml/00/10/02/001002hnesign.xml>
> > > <http://www.pioneerplanet.com/tech/tcv_docs/028992.htm>
> > >
> > > A survey of laws in various states and countries:
> > > <http://rechten.kub.nl/simone/DS-LAWSU.HTM>
> >
> > --
> > -----------------
> > R. A. Hettinga <mailto: rah at ibuc.com>
> > The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> > 44 Farquhar Street, Boston, MA 02131 USA
> > "... however it may deserve respect for its usefulness and antiquity,
> > [predicting the end of the world] has not been found agreeable to
> > experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> 
> --- end forwarded text
> 
> 
> -- 
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
>

More information about the cypherpunks-legacy mailing list