crypto flaw in secure mail standards
Derek Atkins
warlord at MIT.EDU
Fri Jun 22 17:01:47 EDT 2001
This works fine in a peer-to-peer scenario, but not if you have a
one-to-many transmission. Just because you have a message signed in
the set {Alice,Bob,Charlie,Daniel,Eve,Fred,Greg}, there is no way to
know which of them sent it. All members of the set must be mutually
trusted, which means there is no way to sign a document that a set of
people can verify comes EXACTLY from you.
-derek
dmolnar <dmolnar at hcs.harvard.edu> writes:
> So Alice signs document D as being from the set {Alice, Bob} and sends it
> to Bob. Now Bob knows he didn't write D, so he believes it's from Alice.
> If he passes D along to Charlene, she can't determine whether Alice
> wrote D or Bob came up with it himself.
>
> In fact, IIRC, the paper suggests the sorts of scenarios discussed in this
> thread explicitly as the motivation for this use of ring signatures. The
> paper then goes on to argue for the practicality of implementing ring sigs
> in mail clients.
>
> -David
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
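
Added example, not part of the original messages or of the paper the thread refers to: a Schnorr-style ring signature (the Abe-Ohkubo-Suzuki construction, swapped in here for illustration) showing the property both posts discuss, namely that a signature made by any one member verifies against the whole set and does not identify which member made it. The toy group parameters, the function names and the three-key sample ring are assumptions constructed for this sketch.

```python
import hashlib
import secrets

# Toy parameters (assumption): multiplicative group mod the Mersenne prime
# 2^127 - 1. Fine for showing the mechanics, far too weak for real use.
P = 2**127 - 1
N = P - 1   # exponents are reduced mod the group order (Fermat)
G = 3

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)            # (secret, public)

def challenge(ring, msg, e):
    # The hash binds the whole ring, the message and the commitment e.
    data = repr((tuple(ring), e)).encode() + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ring_sign(msg, ring, k, x_k):
    """Sign as member k of ring (list of public keys) using only secret x_k."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    u = secrets.randbelow(N)
    c[(k + 1) % n] = challenge(ring, msg, pow(G, u, P))
    i = (k + 1) % n
    while i != k:                     # simulate every other member's step
        s[i] = secrets.randbelow(N)
        e = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = challenge(ring, msg, e)
        i = (i + 1) % n
    s[k] = (u - x_k * c[k]) % N       # close the ring with the real secret
    return c[0], s

def ring_verify(msg, ring, sig):
    """True if some member of ring signed msg; says nothing about which one."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y, s_i in zip(ring, s):
        c = challenge(ring, msg, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0

if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]   # constructed ring: Alice, Bob, Charlie
    ring = [y for _, y in keys]
    for k, (x, _) in enumerate(keys):
        sig = ring_sign(b"document D", ring, k, x)
        print("signer", k, "verifies:", ring_verify(b"document D", ring, sig))
```

Every member's signature has the same shape (one challenge plus one response per ring member) and passes the same check, so a recipient holding only the ring's public keys learns that a member signed, not which one.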