Personally, I thought this horse was well drubbed, but the moderator let this message through, so he must think it important to continue....
James A. Donald wrote:
> William Allen Simpson wrote:
> > The notary would never sign a hash generated by somebody else. Instead, the notary generates its own document (from its own tuples), and signs its own document, documenting that some other document was submitted by some person before some particular time.
>
> And how does it identify this "other document"?
Sorry, obviously I incorrectly assumed that we're talking to somebody skilled in the art.... Reminding you that several of us have told you that a notary has the document in her possession; and binds the document to a person; and that we have rather a lot of experience in identifying documents (even for simple things like email), such as the PGP digital timestamping service.

Assuming,

  Dp := any electronic document submitted by some person, converted to its canonical form
  Cp := an electronic certificate irrefutably identifying the other person submitting the document
  Cn := certificate of the notary
  Tn := timestamp of the notary
  S() := signature of the notary

  S( MD5(Tn || Dp || Cp || Cn) ).

Of course, I'm sure the formula could be improved, and there are traditionally fields identifying the algorithms used, etc. -- or something else I've forgotten off the top of my head -- but please argue about the actual topic of this thread, instead of incessant strawmen.
> The notary is only safe from this flaw in MD5 if you

Another statement with no proof. As the original poster admitted, there is not a practical preimage or second preimage attack on MD5 (yet).

> assume he is not using MD5 for its intended purpose.
As to "its intended purpose", rather than making one up, I've always relied upon the statement of the designer:

  ... The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
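The notary record S( MD5(Tn || Dp || Cp || Cn) ) from the message above, as an added example that is not part of the original thread. It assumes a simple canonical form for Dp (CRLF to LF, trailing whitespace stripped, UTF-8), length-prefixes each field so the concatenation is unambiguous (an addition the post does not specify), and uses a keyed HMAC as a constructed stand-in for the notary's signature S(), which the post leaves abstract.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in key for S(); a real notary would use a public-key
# signature so that anyone holding Cn can verify without this secret.
NOTARY_KEY = b"constructed-notary-key-not-for-real-use"
CERT_NOTARY = b"CN=Example Notary"        # Cn (constructed)
CERT_PERSON = b"CN=Example Submitter"     # Cp (constructed)


def canonical(doc: str) -> bytes:
    """Dp: assumed canonical form -- CRLF -> LF, trailing whitespace removed, UTF-8."""
    lines = doc.replace("\r\n", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines).encode("utf-8")


def notary_digest(tn: bytes, dp: bytes, cp: bytes, cn: bytes) -> bytes:
    """MD5(Tn || Dp || Cp || Cn) as written in the post, with each field
    4-byte length-prefixed (added here) so field boundaries cannot shift."""
    h = hashlib.md5()
    for field in (tn, dp, cp, cn):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def notarize(doc: str, cp: bytes, tn: Optional[bytes] = None) -> dict:
    """The notary builds its own record from its own tuples and signs that,
    never a hash handed to it by the submitter."""
    if tn is None:
        tn = datetime.now(timezone.utc).isoformat().encode("utf-8")
    digest = notary_digest(tn, canonical(doc), cp, CERT_NOTARY)
    sig = hmac.new(NOTARY_KEY, digest, hashlib.sha256).digest()
    return {"Tn": tn, "Cp": cp, "Cn": CERT_NOTARY, "sig": sig}


def verify(record: dict, doc: str) -> bool:
    """Recompute the digest from the document actually in hand; any change
    to Tn, Dp, Cp or Cn yields a different digest and the check fails."""
    digest = notary_digest(record["Tn"], canonical(doc), record["Cp"], record["Cn"])
    expected = hmac.new(NOTARY_KEY, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["sig"])
```

Because the notary supplies Tn itself before hashing, the submitter never controls the full preimage that gets signed, which is the point the post makes about the notary signing its own document.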