Tracy R Reed wrote:
DJA wrote:
Every time I hear about computer security using digital signatures, I
remind myself that, some biometrics aside, the only thing a digital
signature can guarantee is that a specific _computer_ was the source of
the signature, not a specific _person_.
Signatures generally require something you have (the key) and something
you know (the password). They can both be stolen but that is generally
more difficult than forging someone's signature. So when you think about
written signatures just remind yourself that the written signature
proves nothing at all.
--
Tracy R Reed
I think that makes my point. You're merely comparing digital signatures
with something else that also depends completely on trust. To say that
one insecure mechanism is similar to another doesn't help either case.
I see traditional signatures as being closer to biometric than are
digital signatures. A living human created the written signature. While
often easy to duplicate, it's difficult to do reliably and consistently.
And a well-defined science has developed to detect forgeries - not
foolproof, but by and large very effective nevertheless. But most
importantly, a signature is a direct connection to the person creating
it - forgery or not. You can't steal a signature. You might be able to
duplicate it. Even if you do, it's virtually impossible to pass that
signature onto someone else who is not also an accomplished forger.
A digital signature is connected only to a machine. Not the operator of
the machine. There are exceptions, but for the most part those exist in
very secure environments which also employ other safeguards. For the
most important transactions requiring a signature, the person signing
usually has to do it in person. A major difference is that once a
digital signature is compromised (whether pass phrase or key is
irrelevant) it can be easily duplicated and passed to anyone.
That a written signature may be forged is irrelevant. I was only
pointing out that a digital signature validates only a machine, not a
person. You have no physical evidence, for instance, as to who wrote
this email. Even if it was sent using PGP, security is not sufficient. It
only tells me that the _someone_ using the computer at the moment has a
proper key/pass phrase.
This is a computer to computer communication. That can be proven. Our
belief that we are corresponding with who we think we are is based on trust.
--
Best Regards,
~DJA.
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list