[plug] Was bun fight about "bad" words.

Paul Wilson hooker at opera.iinet.net.au
Mon Apr 1 21:13:12 WST 2002


bob wrote :
> On Mon, 2002-04-01 at 19:22, Mark Dixon wrote:
> > I have no interest in arguments about which words are "bad" words and which ones are "good" words
> > (which seems to be how this particular thread started).
> >
> > However, Paul posited: "The point about the Net, as most of us know quite well, is that there is no
> > proof of provenance for email anyway."
> >
> > There may not be "proof of provenance for email", but it is possible to provide fairly convincing
> > evidence.  For example:  I am Mark Dixon.  The digital signature attached to this e-mail attests to
> > that and links my name to my e-mail.  The certificate has been notarised by four people in a "web of
> > trust" who met me in person and validated my personal identity documents to give that notarisation
> > convincing validity.
>
> Oh dear, my email app says...
>
> This message is digitally signed but can not be proven to be authentic.
>
> Your web of trust has let you down because I don't know you or any of
> your notaries.
>
> Besides, even if I had personally authenticated your digital signature,
> being from you, how am I to tell that you had not been coerced or fooled
> into signing the document?
>
> Bruce Schneier of Counterpane Internet Security, Inc. has an interesting
> piece on "Why Digital Signatures Are Not Signatures" at
> http://www.counterpane.com/crypto-gram-0011.html
>
> Basically it says you can authenticate all you like that the "digital
> signature" is supposed to belong to you. Nothing about it says you were
> the one to apply it to the message.
>
> So we're back to char strings meaning nothing as identity, only
> consistent behaviour over a period of time. How have "they" behaved to
> you or others in your dealings with "them". Are they trollish, do they
> flame excessively etc etc. I'm sure you get the idea :).

Absolutely. A web of trust is not a digital signature, neither is it proof
of origination. Of course, my analog signature on a letter isn't proof of
much without external supporting evidence either, so let's not get too
flustered here.

Bruce Schneier's piece is one of the clearest comments on the
not-always-recognised problems with digital signatures that I've seen.

The Hooker



