digsig - when a MAC or MD is good enough?
Ian Grigg
iang at systemics.com
Thu Jan 1 21:03:34 EST 2004

One view of digital signatures is that MACs and MDs may be
sufficient when:

1. the evidence is logged or otherwise kept by several
   parties, and
2. there exists sufficient legal clout to discourage
   tampering.

An example of 2. above would be the relatively new
Sarbanes-Oxley Act in the US. Section 1102 of that act
adjusts the US Code to add this little gem:

    Whoever corruptly--
    "(1) alters, destroys, mutilates, or conceals a
    record, document, or other object, or attempts to
    do so, with the intent to impair the object's
    integrity or availability for use in an official
    proceeding; or
    "(2) otherwise obstructs, influences, or impedes
    any official proceeding, or attempts to do so,
    shall be fined under this title or imprisoned not
    more than 20 years, or both.".

    http://www.law.uc.edu/CCL/SOact/sec1102.html

Can we surmise that a digital record with an MD attached and
logged would fall within "object"?

Having a full scale public key based signature implementation
would always be "better" in pure terms of systems closure, but
if a PKI costs too much, and a company was covered as above,
using cheaper solutions might work out.

Comments?

iang
---------------------------------------------------------------------
The Cryptography Mailing List
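
An added example, not part of the original post: a sketch of condition 1 above, in which an MD (or MAC) of a record is logged by several parties and a later copy of the record is checked against every party's log. The party names, record id, sample records and the helper names (tag, PartyLog, check, verdict) are constructed for illustration, and SHA-256 / HMAC-SHA-256 are assumed choices.

```python
import hashlib
import hmac

def tag(record: bytes, key: bytes = b"") -> str:
    """MD (SHA-256) when no key is given, MAC (HMAC-SHA-256) otherwise."""
    if key:
        return hmac.new(key, record, hashlib.sha256).hexdigest()
    return hashlib.sha256(record).hexdigest()

class PartyLog:
    """One party's copy of the log: record id -> tag, first entry wins."""
    def __init__(self, name):
        self.name = name
        self.entries = {}

    def append(self, record_id, value):
        self.entries.setdefault(record_id, value)

def check(record_id, presented, logs, key=b""):
    """Per party: does its logged tag match the record presented now?"""
    t = tag(presented, key)
    return {log.name: hmac.compare_digest(log.entries.get(record_id, ""), t)
            for log in logs}

def verdict(result):
    """Summarise a check() result."""
    dissent = sorted(name for name, ok in result.items() if not ok)
    if not dissent:
        return "intact"
    if len(dissent) == len(result):
        return "altered after logging"
    return "disputed by " + ", ".join(dissent)

# Constructed sample records and party names.
ORIGINAL = b"2004-01-01 invoice 1001: pay 500.00 to Acme"
ALTERED = b"2004-01-01 invoice 1001: pay 900.00 to Acme"

def demo():
    logs = [PartyLog(n) for n in ("issuer", "counterparty", "auditor")]
    for log in logs:
        log.append("inv-1001", tag(ORIGINAL))
    honest = verdict(check("inv-1001", ORIGINAL, logs))
    tampered = verdict(check("inv-1001", ALTERED, logs))
    # The issuer rewrites its own copy to match the altered record;
    # the other two copies still expose the change.
    logs[0].entries["inv-1001"] = tag(ALTERED)
    rewritten = verdict(check("inv-1001", ALTERED, logs))
    return honest, tampered, rewritten

if __name__ == "__main__":
    print(demo())
```

The check shows that the record and the logs disagree, and which copies disagree, but not who made the change; that attribution is what a public key signature would add.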