<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Erik, thanks for your message.
Signature is for authenticating the origin, it's one part of the
protocol, the other part ensures that it hasn't been duplicated.
Please take the time to read the specs, it's all explained there.
      I already took the time to synthesize it in the initial post; I
      copy-paste it here for convenience, but the big picture is in the
      specs:<br>
<br>
"There are three main layers of verifications, first one is
geolocation (non mandatory, anonymous and optionally encrypted) in
order to detect duplicate UUID in circulation (distance and time
would become inconsistent, so the packaging identified as
corrupted), second layer is the display of information about the
packaging provided by the manufacturer (e.g. hologram check
information, high resolution of the packaging when manufactured
with unique details such as random paint splashes, etc.) and third
layer is an optional cryptographic check if the package comes with
a microchip (recommended for packagings carrying high value
assets) which retrieves the public key of the microchip on the
blockchain and asks it to sign random data with the private key
present in the chip."<br>
<br>
Thank you,<br>
<br>
Camille.<br>
<br>
<br>
      On 16/07/2017 at 17:10, erik wrote:<br>
</div>
<blockquote
cite="mid:42a23a18-bc92-23ab-0f2d-93ba31e36a95@erikgranger.name"
type="cite">
<pre wrap="">Let's say that I have a golden eagle that has its UUID registered on
the blockchain.
I can just copy the actual information and pretend that it is the original.
I'm going to sign this email. That doesn't prevent anyone from making a
copy of this text that also can be verified, they cannot change any of
the words, but the signature would still check out.
That's fine for e-mails because we're only interested usually in
ensuring that the actual words are words that I did, in fact, put out
there and that they are unmodified.
When it comes to gold, we not only need to ensure that the signatures
check out, but that they are not a copy as well.
How does your software verify what's in the actual package? Does it
somehow manage to do a signature of real-life objects?
</pre>
<br>
<pre wrap="">_______________________________________________
The cryptography mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a>
<a class="moz-txt-link-freetext" href="http://www.metzdowd.com/mailman/listinfo/cryptography">http://www.metzdowd.com/mailman/listinfo/cryptography</a></pre>
</blockquote>
<p><br>
</p>
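<p>The first verification layer described in the reply above (duplicate UUIDs showing up as inconsistent distance and time between scans) can be sketched as follows. This is an added example, not part of the original email or of the project's code; the scan record fields, the speed ceiling and the jitter threshold are assumptions.</p>

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing carrying a package moves faster than a commercial jet.
MAX_SPEED_KMH = 1000.0
# Assumption: ignore location jitter between scans that are close together.
MIN_DISTANCE_KM = 5.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def find_inconsistent_uuids(scans, max_speed_kmh=MAX_SPEED_KMH):
    """Return {uuid: [(earlier_scan, later_scan, implied_kmh), ...]} for UUIDs
    whose consecutive scans imply a speed above max_speed_kmh."""
    by_uuid = defaultdict(list)
    for scan in scans:
        by_uuid[scan["uuid"]].append(scan)
    flagged = {}
    for uuid, events in by_uuid.items():
        events.sort(key=lambda s: s["ts"])
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if MIN_DISTANCE_KM > dist:
                continue  # same place, nothing to infer
            hours = (cur["ts"] - prev["ts"]) / 3600.0
            speed = math.inf if hours == 0 else dist / hours
            if speed > max_speed_kmh:
                flagged.setdefault(uuid, []).append((prev, cur, speed))
    return flagged

# Constructed sample scans (ts = Unix seconds); the UUIDs are made up.
SAMPLE_SCANS = [
    {"uuid": "pkg-A", "ts": 1500000000, "lat": 48.8566, "lon": 2.3522},    # Paris
    {"uuid": "pkg-A", "ts": 1500086400, "lat": 40.7128, "lon": -74.0060},  # New York, 24 h later
    {"uuid": "pkg-B", "ts": 1500000000, "lat": 48.8566, "lon": 2.3522},    # Paris
    {"uuid": "pkg-B", "ts": 1500001800, "lat": 35.6762, "lon": 139.6503},  # Tokyo, 30 min later
]

if __name__ == "__main__":
    for uuid, hits in find_inconsistent_uuids(SAMPLE_SCANS).items():
        for prev, cur, speed in hits:
            print(f"{uuid}: implied speed {speed:.0f} km/h, possible duplicate")
```

<p>A check of this kind only fires once two copies of the same UUID have both been scanned with location data, and a copy scanned close to the original in space and time passes it, which is where the manufacturer-provided details and the microchip challenge described in the reply come in.</p>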
</body>
</html>