1996-02-03 - Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Message Hash: b7d0c709541223d5389ef5be35aa10b583be7f0234ed483e50b18f68b10372f4
Message ID: <199602030951.BAA12305@ix2.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-02-03 10:19:02 UTC
Raw Date: Sat, 3 Feb 1996 18:19:02 +0800

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 3 Feb 1996 18:19:02 +0800
To: Nathaniel Borenstein <nsb@nsb.fv.com>
Subject: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit
Message-ID: <199602030951.BAA12305@ix2.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 05:30 PM 1/29/96 -0500, Nathaniel wrote:

>Have you downloaded my key from the net?  Assume that you have.  How do
>you know it's mine?
>
>I use PGP about 20 times per day.  I use it in a manner that is
>*meaningful*.  Unless we have in some way or another verified each
>others' keys, it is meaningless for me to sign a message to you. 
>Putting a PGP signature on a message to someone who has no way of
>verifying your keys is a nice political statement, but is utterly
>meaningless in terms of adding any proof of the sender's identity.  --

We have this discussion around here occasionally; one thing it does
is allow somebody to know that different messages were from the
_same_ person, whether that person is using a purported True Name
or an outright alias.  Another thing it does is allow you to demonstrate,
if need be, that you have the keys that were used to sign a message,
by signing another message with the same key, and optionally by
doing the Web Of Trust thing to validate your identity to someone.
I'm not aware that anyone's actually _done_ this in court,
but Utah and maybe other states have laws recognizing the validity of
digital signatures, and other courts could at least accept it along
with the usual Expert Witnesses.

Obviously it doesn't let you prove that an unsigned message isn't from you,
but that's pretty tough without requiring all messages to be
signed with your True Nationalist-ID-Card Is-A-Citizen Key.

#--
#				Thanks;  Bill
# Bill Stewart, stewarts@ix.netcom.com, Pager/Voicemail 1-408-787-1281
# http://www.idiom.com/~wcs
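
The same-signer point made in the reply above, as an added example that is not part of the original message: a verifier pins the first key seen under a name and checks later messages against it, without claiming anything about who holds that key. The toy textbook-RSA signature over known Mersenne primes stands in for PGP and is not secure; `make_key`, `Pinboard`, the name "alias" and the sample messages are hypothetical and constructed for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes (demo only, not secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

class Pinboard:
    """Remembers the first public key seen for a name.
    It says nothing about the True Name behind that key."""
    def __init__(self):
        self.pins = {}

    def check(self, name, n, msg, sig):
        if not verify(n, msg, sig):
            return "bad signature"
        if name not in self.pins:
            self.pins[name] = n          # first contact: nothing to compare
            return "pinned"
        return "same signer" if self.pins[name] == n else "key changed"

def demo():
    alias = make_key(2**61 - 1, 2**89 - 1)      # constructed sample key
    other = make_key(2**107 - 1, 2**127 - 1)    # a second, unrelated key
    board = Pinboard()
    m1, m2 = b"first post", b"second post"      # constructed messages
    results = [
        board.check("alias", alias["n"], m1, sign(alias, m1)),
        board.check("alias", alias["n"], m2, sign(alias, m2)),
        board.check("alias", other["n"], m2, sign(other, m2)),
        board.check("alias", alias["n"], m2, sign(alias, m1)),  # sig reused
    ]
    # Demonstrating key possession later: sign a fresh verifier-chosen message.
    challenge = b"constructed-challenge-1996"
    results.append(verify(alias["n"], challenge, sign(alias, challenge)))
    return results

if __name__ == "__main__":
    print(demo())
```
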
