1996-01-30 - Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Message Hash: dd062fda7564b22ae020ad24098678856edf504fe645f58fccd3f295f258ea44
Message ID: <El3X_NGMc50e1Ir2Vs@nsb.fv.com>
Reply To: <199601300431.XAA23839@opine.cs.umass.edu>
UTC Datetime: 1996-01-30 16:38:41 UTC
Raw Date: Wed, 31 Jan 1996 00:38:41 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Wed, 31 Jan 1996 00:38:41 +0800
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)
In-Reply-To: <199601300431.XAA23839@opine.cs.umass.edu>
Message-ID: <El3X_NGMc50e1Ir2Vs@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain

Excerpts from mail: 29-Jan-96 Re: Signature use and key t..
Futplex@pseudonym.com (2183*)

> In my world, "you" == nsb@nsb.fv.com, and hence "your key" == the key I could
> fetch from nsb+faq@nsb.fv.com.

Right, absolutely.  But let's face it, by now you believe it's me
anyway, or the real nsb@nsb.fv.com would have spoken up and argued with
me.  On the other hand,  if I start routinely PGP-signing email, then
the value of slowly brute-force cracking my private key goes way up.  If
FV is successful, for example, you could spend a few years breaking my
key, and then forge apparently-slanderous signed mail from me to you as
part of a lawsuit.  This would be far more believable, in a court of
law, if I routinely signed everything than if I didn't.  

I don't routinely sign things because I think it is asking for problems
with retrospective forgery down the road.  I might, however, consider
routinely signing things once I can easily incorporate a digital
timestamping service like the one from Surety into my signature.

> FWIW, I have lost a great deal of respect for you today

I sincerely hope that you will gain it back when you realize that not
all "hype" is without substance, and that we really have unveiled a
genuine, previously-unrecognized, and extremely important flaw in
commercial mechanisms that purport to offer security through the software
encryption of credit card numbers.  -- Nathaniel
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com
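
The retrospective-forgery concern in the message above, as an added example that is not part of the original message: a toy hash-linked timestamp log, in which a signature counts only if it was logged before the date the key is assumed breakable. It is not Surety's protocol; every name, year and byte string is a constructed assumption.

```python
import hashlib

GENESIS = b"\x00" * 32

def link_hash(prev: bytes, year: int, sig_digest: bytes) -> bytes:
    # Fixed-width fields, so the concatenation is unambiguous.
    return hashlib.sha256(prev + year.to_bytes(8, "big") + sig_digest).digest()

class TimestampLog:
    """Toy append-only log: every entry commits to the one before it."""
    def __init__(self):
        self.entries = []  # list of (year, sig_digest, link)

    def stamp(self, year: int, signature: bytes) -> None:
        prev = self.entries[-1][2] if self.entries else GENESIS
        digest = hashlib.sha256(signature).digest()
        self.entries.append((year, digest, link_hash(prev, year, digest)))

    def head(self) -> bytes:
        return self.entries[-1][2] if self.entries else GENESIS

def chain_ok(entries, published_head: bytes) -> bool:
    """Recompute every link; times must not go backwards; head must match."""
    prev, last = GENESIS, -1
    for year, digest, link in entries:
        if year < last or link != link_hash(prev, year, digest):
            return False
        prev, last = link, year
    return prev == published_head

def stamped_before(entries, published_head, signature: bytes, cutoff: int) -> bool:
    """Accept a signature only if it was logged before `cutoff` (the date
    after which the key is assumed breakable) in a chain matching the head."""
    if not chain_ok(entries, published_head):
        return False
    digest = hashlib.sha256(signature).digest()
    return any(d == digest and y < cutoff for y, d, _ in entries)

if __name__ == "__main__":
    # Constructed data: signatures are opaque byte strings here.
    log = TimestampLog()
    log.stamp(1996, b"genuine-signature-1")
    log.stamp(1997, b"genuine-signature-2")
    head = log.head()            # assumed published widely in 1997
    forged = b"forged-signature-made-in-1999"
    print(stamped_before(log.entries, head, b"genuine-signature-1", 1999))  # genuine
    print(stamped_before(log.entries, head, forged, 1999))                  # never logged
    rewritten = TimestampLog()   # forger rebuilds the log with a backdated entry
    for y, s in [(1996, b"genuine-signature-1"), (1996, forged), (1997, b"genuine-signature-2")]:
        rewritten.stamp(y, s)
    print(stamped_before(rewritten.entries, head, forged, 1999))            # head mismatch
```

The rewritten log is internally consistent, so the check rests on comparing against a head value that was published before the key could have been broken.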