From: “William H. Geiger III” <whgiii@invweb.net>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Message Hash: 66124c631360aab7fd8bb4c4e205ef853af81dd3c7297526d2fb618c3e264d60
Message ID: <199802031440.JAA09009@users.invweb.net>
Reply To: <88650932615058@cs26.cs.auckland.ac.nz>
UTC Datetime: 1998-02-08 04:38:51 UTC
Raw Date: Sun, 8 Feb 1998 12:38:51 +0800
Subject: Re: An update on MS private key (in)security issues
-----BEGIN PGP SIGNED MESSAGE-----
In <88650932615058@cs26.cs.auckland.ac.nz>, on 02/04/98
at 01:35 AM, pgut001@cs.auckland.ac.nz (Peter Gutmann) said:
>The implications of that last point can be quite serious. Take for
>example the Utah digital signature act, which was used as a model by a
>number of other states who implemented or are implementing digital
>signature legislation. Under the Utah act, digitally signed documents are
>given the same evidentiary weight as notarised documents, and someone
>trying to overcome this has to provide "clear and convincing evidence"
>that the document is fraudulent, which is difficult since it bears a
>valid signature from the user's key (this fact has been used in the past
>to criticise digital signature laws based on this act). In addition,
>under the Utah act and derived acts, anyone who loses their private key
>bears unlimited liability for the loss (in contrast, consumer liability
>for credit card loss is limited to $50). This leads to the spectre of a
>malicious attacker who has the ability to issue notarised documents in
>your name for which you carry unlimited liability. This is a lot more
>important than someone reformatting your hard drive, or stealing last
>month's sales figures.
I have raised concerns in the past over the rush to pass Digital Signature
Laws in various states. These laws have not been well thought out nor did
they stand the rigors of peer-review of the crypto community before they
were passed into law. IIRC one of the states considered *encryption* alone
to be a *legal* signature!!!
I will not be using digital signatures for anything other than
authentication of messages. For legal documents I will stick to the
old-fashioned pen and paper with witnesses and a notary.
Just as a side note: Micro$loth is unfit to secure an outhouse let alone
something as important as network and data security (are these fools still
claiming C2 for NT?). I have never seen such overwhelming incompetence and
complete arrogance than what is centered in Redmond (IBM may be arrogant
but at least they are technically competent).
- --
- ---------------------------------------------------------------
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
- ---------------------------------------------------------------
Tag-O-Matic: Windows? WINDOWS?!? Hahahahahehehehehohohoho...
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000
-----END PGP SIGNATURE-----