Personally, I thought this horse was well drubbed, but the moderator let
this message through, so he must think it important to continue....

James A. Donald wrote:
William Allen Simpson wrote:
> > The notary would never sign a hash generated by
> > somebody else.  Instead, the notary generates its own
> > document (from its own tuples), and signs its own
> > document, documenting that some other document was
> > submitted by some person before some particular time.
>
> And how does it identify this "other document"?

Sorry, obviously I incorrectly assumed that we're talking to somebody
skilled in the art....

Reminding you that several of us have told you that a notary has the
document in her possession; and binds the document to a person; and that
we have rather a lot of experience in identifying documents (even for
simple things like email), such as the PGP digital timestamping service.

Assuming,
  Dp := any electronic document submitted by some person, converted to its
        canonical form
  Cp := an electronic certificate irrefutably identifying the other person
        submitting the document
  Cn := certificate of the notary
  Tn := timestamp of the notary
  S() := signature of the notary

  S( MD5(Tn || Dp || Cp || Cn) ).

Of course, I'm sure the formula could be improved, and there are
traditionally fields identifying the algorithms used, etc. -- or something
else I've forgotten off the top of my head -- but please argue about the
actual topic of this thread, instead of incessant strawmen.


> The notary is only safe from this flaw in MD5 if you

Another statement with no proof.  As the original poster admitted, there is
not a practical preimage or second preimage attack on MD5 (yet).

> assume he is not using MD5 for its intended purpose.

As to "its intended purpose", rather than making one up, I've always relied
upon the statement of the designer:

   ... The MD5
   algorithm is intended for digital signature applications, where a
   large file must be "compressed" in a secure manner before being
   encrypted with a private (secret) key under a public-key cryptosystem
   such as RSA.
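
A worked version of the notary construction sketched above, S( H(Tn || Dp || Cp || Cn) ), as an added example that is not part of the original message or the thread. It assumes a trivial canonicalisation (NFC, LF line endings, no trailing whitespace) for Dp, length-prefixes each field so the concatenation cannot be re-split into a different tuple, and uses an HMAC under a notary-held key as a stand-in for the notary's signature S(); the certificate and key byte strings are constructed placeholders. The hash defaults to SHA-256 but is a parameter, so the same code expresses the MD5 form from the post.

```python
import hashlib
import hmac
import unicodedata

# Constructed example of the notary token S( H(Tn || Dp || Cp || Cn) ).
# Nothing here is taken from the thread; names and key material are made up.


def canonical_form(document: str) -> bytes:
    """Dp: the submitted document in canonical form.

    Assumed canonicalisation: NFC normalisation, LF line endings,
    trailing whitespace stripped from every line, exactly one final LF.
    """
    text = unicodedata.normalize("NFC", document)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return ("\n".join(lines).rstrip("\n") + "\n").encode("utf-8")


def encode_tuple(*fields: bytes) -> bytes:
    """Serialise the notary's own tuple with 4-byte big-endian length prefixes.

    Plain concatenation Tn || Dp || Cp || Cn is ambiguous: the boundary
    between fields could be moved without changing the byte string.
    Length-prefixing fixes where each field starts and ends.
    """
    out = b""
    for field in fields:
        out += len(field).to_bytes(4, "big") + field
    return out


def notary_digest(tn: bytes, dp: bytes, cp: bytes, cn: bytes,
                  hash_name: str = "sha256") -> bytes:
    """H(Tn || Dp || Cp || Cn) over the notary's own serialisation."""
    return hashlib.new(hash_name, encode_tuple(tn, dp, cp, cn)).digest()


class Notary:
    """Holds Cn and the key behind S(); never signs a caller-supplied hash."""

    def __init__(self, cert: bytes, signing_key: bytes, hash_name: str = "sha256"):
        self.cert = cert                # Cn (placeholder bytes, not a real cert)
        self.key = signing_key          # stand-in for the notary's private key
        self.hash_name = hash_name

    def sign(self, digest: bytes) -> bytes:
        # S(): HMAC stand-in for a public-key signature, so the example runs
        # with the standard library only.  A real notary would use RSA/ECDSA.
        return hmac.new(self.key, digest, "sha256").digest()

    def notarize(self, document: str, submitter_cert: bytes, now: int) -> dict:
        # The notary computes the digest itself, from the document it holds
        # (Dp), the submitter's certificate (Cp), its own certificate (Cn) and
        # its own clock (Tn).  A hash handed in by the submitter is never used.
        tn = str(now).encode("ascii")
        dp = canonical_form(document)
        digest = notary_digest(tn, dp, submitter_cert, self.cert, self.hash_name)
        return {
            "Tn": now,
            "Cp": submitter_cert.hex(),
            "Cn": self.cert.hex(),
            "hash": self.hash_name,
            "sig": self.sign(digest).hex(),
        }

    def verify(self, document: str, token: dict) -> bool:
        # Recompute the tuple from the presented document and token fields;
        # any change to the document, the timestamp or either certificate
        # yields a different digest and the signature no longer matches.
        tn = str(token["Tn"]).encode("ascii")
        digest = notary_digest(tn, canonical_form(document),
                               bytes.fromhex(token["Cp"]),
                               bytes.fromhex(token["Cn"]),
                               token["hash"])
        return hmac.compare_digest(self.sign(digest), bytes.fromhex(token["sig"]))


if __name__ == "__main__":
    notary = Notary(cert=b"CN=example-notary", signing_key=b"constructed-key")
    token = notary.notarize("Hello\r\n  world  \r\n", b"CN=submitter", now=1100000000)
    print(notary.verify("Hello\n  world\n", token))   # same document, canonical form
    print(notary.verify("Hello\n  world!\n", token))  # altered document
```

The point the construction makes concrete is the one in the post: the value under S() is built entirely from inputs the notary controls or holds at signing time, so the submitter only ever contributes Dp and Cp, never the digest itself.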



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]