crypto flaw in secure mail standards
ponder at freenet.tlh.fl.us
Sun Jun 24 16:06:11 EDT 2001
The laws I have seen are not specific enough to deal with what gets
included in a digitally signed message. These laws define 'digital
signature' and in some cases invoke so-called trusted third parties to
issue certs, etc., but I haven't seen a law yet with the level of
detail that would require date/time, subject, to, from, etc., in a mail
message. Most of the laws define something as being digitally signed in
general terms of public key crypto, as for example the Florida (US) law:
| (3) "Digital signature" means a type of electronic signature that
| transforms a message using an asymmetric cryptosystem such that a person
| having the initial message and the signer's public key can accurately
| (a) Whether the transformation was created using the private key that
| corresponds to the signer's public key.
| (b) Whether the initial message has been altered since the
| transformation was made.
(from section 668.003, Florida Statutes)
As others have pointed out, 'non-repudiation' is not a legal concept.
As a practical matter, if one were potentially damaged by an attack of
this type, one could argue that such a message could be resent, absent the
original context. This could be demonstrated, experts could testify, etc.
It appears to be a problem in the protocols, but I don't see it as being a
legal problem, esp. in light of the fact that there is no such thing as
'non-repudiation' in the real world.
Seems like another good reason to use a time-stamper like the one at:
On Sun, 24 Jun 2001, Enzo Michelangeli wrote:
> A question for legal experts on the list: Does all this pose legal risks
> within the current legal framework? In other words, do current digital
> signature laws assume that also the headers are assumed to be authenticated
> and non-repudiable if the message is digitally signed?
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
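The protocol problem the post points at (a signature that covers the body but not the headers that give it its context) and the check a verifier can apply instead, as an added Python example that is not from the original post or the list. An HMAC with a constructed key stands in for the asymmetric signature, and the addresses, dates and header values are constructed.

```python
import hmac
import hashlib
# Stand-in for the signature primitive (assumption): an HMAC with a constructed key.
# What matters here is WHAT the signature covers, not which primitive produces it.
KEY = b"constructed-demo-key"

def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

# As in the standards the post criticises: only the body is signed, headers stay outside.
def sign_body_only(headers: dict, body: str) -> dict:
    return {"headers": dict(headers), "body": body, "sig": sign(body.encode())}

def verify_body_only(msg: dict) -> bool:
    return verify(msg["body"].encode(), msg["sig"])

# Mitigation: bind the context headers into the signed data, and have the verifier
# recompute them from the envelope headers it actually received.
CONTEXT_FIELDS = ("From", "To", "Date", "Subject")

def canonical_context(headers: dict) -> bytes:
    return "\n".join(f"{k}: {headers.get(k, '')}" for k in CONTEXT_FIELDS).encode()

def sign_with_context(headers: dict, body: str) -> dict:
    return {"headers": dict(headers), "body": body,
            "sig": sign(canonical_context(headers) + b"\n\n" + body.encode())}

def verify_with_context(msg: dict) -> bool:
    return verify(canonical_context(msg["headers"]) + b"\n\n" + msg["body"].encode(),
                  msg["sig"])

def resend(msg: dict, **new_headers) -> dict:
    """The scenario from the post: same signed body, re-delivered under other headers."""
    return {**msg, "headers": {**msg["headers"], **new_headers}}

ORIGINAL = {"From": "alice@example.test", "To": "bob@example.test",
            "Date": "Sun, 24 Jun 2001 16:06:11 -0400", "Subject": "Re: invoice"}
BODY = "Yes, I agree to those terms.\n"

def demo() -> dict:
    weak, strong = sign_body_only(ORIGINAL, BODY), sign_with_context(ORIGINAL, BODY)
    moved = {"To": "carol@example.test", "Subject": "Re: contract"}
    return {"body_only_original": verify_body_only(weak),
            "body_only_resent": verify_body_only(resend(weak, **moved)),   # True: flaw
            "context_original": verify_with_context(strong),
            "context_resent": verify_with_context(resend(strong, **moved))}  # False
```

A body-only signature still verifies after the message is moved to a different recipient, date and subject; once the context is inside the signed data, the same move breaks verification.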