long-term GPG signing key

Anne & Lynn Wheeler lynn at garlic.com
Sat Jan 14 17:17:05 EST 2006

Guus Sliepen wrote:
> It depends on how it is used. For example, when I sent this email, I
> typed in the passphrase of my PGP key, authorising GnuPG to create a
> signature for this email. This comes very close to "human signing". I
> read, understood, approve etc. with the contents of this email.
> If assymetric cryptography is used to automatically sign a credit card
> transaction without the user having to do more than click a button, then
> I agree that in that situation, the digital signature is not the same as
> a human signature.

but as in some of the PKI forays into non-repudiation and human
signatures ... there was no way for a relying party to determine the
difference ... and in the previous thread of digital signature dual-use
vulnerability, this can open up fraud.

at one point, some were assuming if there was a digital certificate with
the non-repudiation flag set, then the digital signature indicated human
signature (read, understood, agrees, approves, and/or authorizes).
however, nothing in various PKI protocols providing for proving which
digital certificate was actually appended to a particular digital
signature (appending a non-repudiation digital certificate might imply
the creation of some obligation associated with a digital signature used
as a human signature; however there was no protocol provisions for
establishing which form of digital signature was actually intended
and/or which digital certificate was actually appended to any particular

the dual-use vulnerability has an environment where servers nominally
transmit random data for signing (one of the possible countermeasures
for replay attack) and the person generates a digital signature on the
random data w/o having looked at the data (assuming purely
authentication operation). the other party has actually substituted some
sort of valid text in place of the valid data and then asserts that the
person has performed the digital signature implying a human signature
(read, understood, agrees, approves, and/or authorizes) as opposed to
implying pure authentication operation.

the crook may attempt to further substantiate the fraudulent claim by
producing a digital certificate (for the corresponding public key) with
the non-repudiation bit set (and PKI protocols lack provisions for
differentiating which, of possible several, digital certificates might
actually have been attached).

the possible dual-use for digital signatures then may lead to enormous
ambiguity since the basic technology only provides for authentication
... and that w/o significant additional business processes it is
difficult to differentiate digital signatures used for purely
authentication purposes and the grossly embellished purposes associated
with human signatures.

any embellishing of digital signatures for human signature purposes, in
turn creates significant additional risk than straight-forward

a basic issue isn't what you intended when you caused a digital
signature to be created ... but what can any relying-party reasonably
expect that you intended ... and what can the relying-party reasonably
rely on.

then if there is any possible ambiguity as to what you may have intended
when a digital signature was created, can an attacker use the existence
of such ambiguity to perpetrate fraud (aka dual-use vulnerability).

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list