From: Hal <hfinney@shell.portal.com>
Date: Wed, 23 Feb 94 13:49:02 PST
To: cypherpunks@toad.com
Subject: Re: Digitally Signing Physical Objects
Message-ID: <199402232149.NAA06130@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Tim has an interesting point on the use of digital signatures.

A variation is to use an "undeniable" signature.  This is a signature which
can only be checked with the cooperation of the signer.  However, the protocol
is such that the signer cannot cheat and try to deny a valid signature
(hence the name).  This could be used by manufacturers to authenticate
their products only to certain customers; for example, to customers who have
paid for them.

This might be especially useful for software, although Tim's idea would
extend it to any object for which the authentication is especially valuable.
PGP is distributed signed by Phil Zimmermann using an ordinary digital
signature.  This allows anyone to verify that it is a good package, free
of viruses or trap doors.  If it instead had an undeniable signature, this
verification would require interacting with Phil (or his agent) via a
protocol; but at the end the same assurance would result.  This kind of
signature would be more appropriate with a payware product.

Undeniable signatures cannot be passed on from one person to another.
If Alice verifies Bob's undeniable signature, she can't prove to Charlie
that the signature is good.  She can claim it is good, and assure Charlie
that it is good based on her own reputation, but Charlie can in general not
be convinced unless he verifies it himself directly with Bob.

Hal