CDR: Re: Non-Repudiation in the Digital Environment (was Re: First Monday August 2000)

Arnold G. Reinhold reinhold at world.std.com
Thu Oct 19 13:58:09 PDT 2000


At 10:23 AM -0700 10/18/2000, Ed Gerck wrote:
>"Arnold G. Reinhold" wrote:
>
>> At 11:21 AM -0700 10/17/2000, Ed Gerck wrote:
>> >As Tony Bartoletti wrote, apologies for what seems a rant, but the "solid
>> >mathematical foundations" underlying digital signatures, "Qualified
>> >Certificates",
>> >unmistakable IDs, biometrics and so forth create in me a degree of "psychic
>> >and social backlash" as well.
>>
>> As well it should. There is a big difference between "can we do it?"
>> and "should we do it?"
>>
>> One other point, and let me shift to upper case for this one:  THERE
>> ARE NO "SOLID MATHEMATICAL FOUNDATIONS" FOR ANY OF THIS STUFF!!!!!
>> THE DIFFICULTY OF BREAKING PUBLIC KEY SYSTEMS HAS NEVER BEEN PROVEN
>> MATHEMATICALLY.
>
>Yes, that is why Tony's remark was somewhat tongue-in-cheek and used
> "solid mathematical foundations" within quotes.

Eye twinkle doesn't come across in e-mail, I'm afraid. My apologies 
to Tony. This is obviously one of my hot buttons.

>
>> It is all hypothesis and empirical argument. A lone
>> mathematician working in his attic could come up with an algorithm
>> that would blow some or all of the existing systems out of the water.
>> Who get to cover that financial risk?
>
>The buyer. CAs (read Verisign's CPS or any CA's CPS, or bank contracts
>and -- above all -- see the US UCC) are not responsible for producing correct
>results but just for using correct methods. Where "correct methods" are
>what others consider correct -- even if they are proved wrong later on
>by one mathematician working in his attic.
>

I'm not sure those contracts would stand up in court if there were 
massive public losses due to a collapse of the PKI. (Anyway, CA CPSs 
stretch the notion of a "mutual agreement" pretty far. I purchase a 
$10 cert and am bound by over 100 pages of gobbledygook that only a 
handful of people on the planet can be expected to fully understand?)

But I am less concerned with CA legal liability than with who is left 
holding the bag when a massive subversion of the banking system is 
perpetrated, and how big that could be.

Arnold Reinhold
