1993-10-26 - Re: Apple, AOCE, and key pair security
Header Data
From: catalyst@netcom.com (Scott Collins)
To: cypherpunks@toad.com
Message Hash: 2978f1a135b09d3e000d14f9dbe465b05dff44ed5fd678d9593c35ef31fb47bd
Message ID: <9310260144.AA15492@newton.apple.com>
Reply To: N/A
UTC Datetime: 1993-10-26 01:50:41 UTC
Raw Date: Mon, 25 Oct 93 18:50:41 PDT
Raw message
From: catalyst@netcom.com (Scott Collins)
Date: Mon, 25 Oct 93 18:50:41 PDT
To: cypherpunks@toad.com
Subject: Re: Apple, AOCE, and key pair security
Message-ID: <9310260144.AA15492@newton.apple.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
- From the MacWeek article:
>validity. To get your own digital signature from RSA, you take a form to
>a notary public, who verifies your identity, notarizes the information
>on the form, and then mails the form to RSA.
The form contains your name, address, etc, and a printout of your public key.
>Based on the notary
>public's authority to say you are who you claim to be, you eventually
>receive a disk in the mail with your personal electronic signature.
_Not_. The disk contains a PEM style certificate, authenticating your
public key. On your local machine, where you generated your private key,
is a file (your private key) called a signer. This file is your private
key + software to make it sign things, so the whole thing is a self
contained application -- but it refused to function until you bind it to a
certificate.
>Your
>electronic signature has a two-year expiration date, and includes some
>verification information.
Certificate, not signature, just like RSA has been trying to sell them all
along.
>If someone wants to make sure your signature
>is valid, he or she contacts the issuing authority listed in the
>certificate.
Wrong again. Validation occurs locally because an entire chain of
certificates is provided in the signature
>There will be issuing authorities other than RSA. For
>example, Apple Computer's security department plans to issue signatures
>to all Apple employees with employee badges."
Not signatures, certificates.
All key generation takes place locally. RSA does not generate the keys.
These articles are a woeful misrepresentation by over simplification. I
will happily provide clarification to the authors if they call me.
If anyone wants, I will demonstrate this software at the next Bay Area
cypherpunks meeting.
Scott Collins | "Few people realize what tremendous power there
| is in one of these things." -- Willy Wonka
......................|................................................
BUSINESS. voice:408.862.0540 fax:974.6094 collins@newton.apple.com
Apple Computer, Inc. 5 Infinite Loop, MS 305-2B Cupertino, CA 95014
.......................................................................
PERSONAL. voice/fax:408.257.1746 1024:669687 catalyst@netcom.com
-----BEGIN PGP SIGNATURE-----
Version: 2.3
iQCVAgUBLMw0nSmBKTQiZpaHAQFWOwQAqnD+C7cO0XDzCrbh7hxjzTSDEhbbtxZZ
B4+dXNghqSSI24c+T8FZC/gwBIhDq4Q1z0iEml2d84VcFZoHdLJL2Vi803go179E
86uwlggClAPVT+vhqE/LG7NrOC7+r8gTBk5S4gi5fX4hCkMQXdjcNOaWvgQ/slOF
XbH+g4vjhF8=
=Kn0e
-----END PGP SIGNATURE-----
Thread
Return to October 1993
Return to “catalyst@netcom.com (Scott Collins)”
1993-10-26 (Mon, 25 Oct 93 18:50:41 PDT) - Re: Apple, AOCE, and key pair security - catalyst@netcom.com (Scott Collins)