digsig - when a MAC or MD is good enough?

John Gilmore gnu at toad.com
Sat Jan 3 03:22:26 EST 2004

> Sarbanes-Oxley Act in the US.  Section 1102 of that act:
>     Whoever corruptly--
>        "(1) alters, destroys, mutilates, or conceals a
>        record, document, or other object, or attempts to
>        do so, with the intent to impair the object's
>        integrity or availability for use in an official
>        proceeding; ...
>     shall be fined under this title or imprisoned not
>     more than 20 years, or both.".

The flaw in this ointment is the "intent" requirement.  Corporate
lawyers regularly advise their client companies to shred all
non-essential records older than, e.g. two years.  The big reason to
do so is to impair their availability in case of future litigation.
But if that intent becomes illegal, then the advice will be to shred
them "to reduce clutter" or "to save storage space".

> Can we surmise that a digital record with an MD attached and
> logged would fall within "object" ?

What's the point of keeping a message digest of a logged item?  If the
log can be altered, then the message digest can be altered to match.
(Imagine a sendmail log file, where each line is the same as now, but
ends with the MD of the line in some gibberish characters...)
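A small demonstration of the point just made, added here and not part of the original thread: an unkeyed digest appended to each log line is recomputed trivially by anyone who can edit the file, while a keyed MAC whose key is kept off the logging host is not. The key, log lines and hostnames below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample log lines in sendmail style (not real traffic).
LOG = [
    "Jan  3 03:22:26 mailhost sendmail[1234]: from=<alice@example.org>, size=512",
    "Jan  3 03:22:27 mailhost sendmail[1234]: to=<bob@example.org>, stat=Sent",
]

def unkeyed_tag(body: str) -> str:
    """Unkeyed message digest of the line: anyone who can edit the file can recompute it."""
    return hashlib.sha256(body.encode()).hexdigest()[:16]

def keyed_tag(body: str, key: bytes) -> str:
    """HMAC of the line under a key that lives off the logging host (e.g. on the log collector)."""
    return hmac.new(key, body.encode(), "sha256").hexdigest()[:16]

def write_log(lines, tag):
    """Append a tag to every line, as in the scheme questioned in the message above."""
    return [f"{body} {tag(body)}" for body in lines]

def verify_log(entries, tag) -> bool:
    """True only if every line's stored tag matches what the verifier recomputes."""
    for entry in entries:
        body, stored = entry.rsplit(" ", 1)
        if not hmac.compare_digest(stored, tag(body)):
            return False
    return True

def rewrite_line(entries, idx, new_body):
    """Model of an intruder with write access to the file but no key: change one line
    and recompute the only tag available without a key, the unkeyed digest."""
    edited = list(entries)
    edited[idx] = f"{new_body} {unkeyed_tag(new_body)}"
    return edited

def demo():
    key = b"example-key-held-on-log-collector"  # constructed; never stored beside the log
    forged = "Jan  3 03:22:27 mailhost sendmail[1234]: to=<bob@example.org>, stat=Deferred"
    md_log = write_log(LOG, unkeyed_tag)
    mac_log = write_log(LOG, lambda b: keyed_tag(b, key))
    md_ok = verify_log(rewrite_line(md_log, 1, forged), unkeyed_tag)
    mac_ok = verify_log(rewrite_line(mac_log, 1, forged), lambda b: keyed_tag(b, key))
    return md_ok, mac_ok  # (True, False): only the digest-only log accepts the forgery

if __name__ == "__main__":
    print(demo())
```

The keyed variant only helps when the verifier's key is not readable from the host that writes the log; a key stored beside the log collapses back into the unkeyed case.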


The Cryptography Mailing List