[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Confusion regarding "Authority-stamp-signatures"

To: <ietf-pkix@xxxxxxx>
Subject: Confusion regarding "Authority-stamp-signatures"
From: "Hans Nilsson" <hnn@xxxxxxxxxxxxxx>
Date: Sun, 15 Dec 2002 10:24:18 +0100
Importance: Normal
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Dear all,

For SHS, I think the explanation is very simle: the digital signature
mechanism is used to provide data integrity and origin authentication
for the sending organization, and has nothing to do with binding
approval of the document (a.k.a non-repudiation). It's just the
electronic counterpart to the paper and its letter-head. In Sweden we
now call this "electronic stamp".

Once again people (and this time Jimi and Anders are the guilty ones :-)
make the direct association from the word "signature" to meaning
"willful act" or "non-repudiation", terms which we by now, after many
years of discussion, all agree we never will be able to define in
technical terms.

During the last year, someone (and I dont remember who) said
approximately that "the person who in the 70s coined the term
"signature" for the mechanism of "RSA-transformation with a private key"
made a great disservice to the PKI community, since it ever since then
has been a source of great confusion". Could the name of the culprit be
hidden in the famous initials DH or RSA? And could the author of the
statement above plese make himself visible so I can cite him correctly
in the future?

Please remember: Digital signature (ouch!) is just a technical
mechanism, that can be used for a large variety of services...

Hans


-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Anders Rundgren
Sent: Saturday, December 14, 2002 6:06 PM
To: Jimi Thompson; ietf-pkix@xxxxxxx
Subject: Re: e-Government uses "Authority-stamp-signatures"



Jimi,

>In order to establish non-repudiation, won't you need the signature of 
>a person and not just proof that the email passed through a specific 
>server?

I hope you can apologize me, but I have a very simplistic way of looking
at repudiation of  signed messages that goes as follows:

- Personal signature: "I haven't sent that message!"
- Organization/server-based signature: "WE haven't sent that message!"

As not a single such event has so far been publicly documented, it is
really all up to pure speculation,  but I can't see that the technical
processes or the rather unlikely legal processes needed to clear up the
two cases above will differ at all.  In spite of the literally "eons" of
time spent on creating digital signature laws.

Well, if there _is_ a difference, I believe that the
organization-variant will prove to be easier to resolve, as archiving,
user authorization, time-stamping, etc. is built-in into the very core
of the architecture of such systems!

There are people who believe that the scheme represented by SHS is a
"Quick and dirty" solution.  I would rather claim that this is a
flexible "Mammal" given its unlimited extensibility with respect to PKI,
while static schemes like the US Federal PKI  seems more related to
"Dinosaurs", just waiting for extinction.

cheers,
Anders

Follow-Ups:
- Re: Confusion regarding "Authority-stamp-signatures"
  - From: Anders Rundgren

References:
- Re: e-Government uses "Authority-stamp-signatures"
  - From: Anders Rundgren

Prev by Date: RE: e-Government uses "Authority-stamp-signatures"
Next by Date: NR-issues. Was: e-Government uses "Authority-stamp-signatures"
Previous by thread: Re: e-Government uses "Authority-stamp-signatures"
Next by thread: Re: Confusion regarding "Authority-stamp-signatures"
Index(es):
- Date
- Thread