Management of signature keys for government

Brian Gladman gladman at seven77.demon.co.uk
Mon, 2 Mar 1998 16:33:48 -0000 

-----Original Message-----
From: Nicholas Bohm <nbohm@ernest.net>
To: ukcrypto@maillist.ox.ac.uk <ukcrypto@maillist.ox.ac.uk>
Date: 02 March 1998 16:56
Subject: Re: Management of signature keys for government


>At 14:19 2/03/98 -0000, Brian Gladman wrote:
>[snip]
>>One issue in the self generation of keys is how to prevent a user
>>repudiating their own key by revealing its private component.  One
advantage
>>(in principle) of 'on-card' signature key generation is that no-one - not
>>even the owner - knows the value of the secret component of the key since
>>this only ever exists on the card.   Of course the user can 'lose' the
card
>>but this is not quite the same as publishing the secret key component.
>>
>>There are a number of ways in which a user could be prevented (or at least
>>deterred) from revealing their own key but it is not clear (to me at
least)
>>whether any of these are practical in the real world.
>
>I doubt whether there are practical technical means of preventing
>repudiation (although I too would like to learn more).  You can always lose
>your card, and unless it could only be used with biometrical identifiers,
>your PIN could have been snooped (as in the fake ATM case).

The situaton I was thinking about is one in which a user not wishing to
enter a contact, but wanting to appear to do so, publishes their secret key
component just before using it to sign the contract.  Afterwards they then
claim that their key became public knowledge before they signed and hence
try to invalidate their signature.  The advantage of generating and storing
the secret key component on the card (and preventing its export) is that
this prevents the key value being published in this way.
If this is correct it is possible to prevent some forms of repudiation.

>Legally, of course, you can be made responsible for all card use prior to
>formal revocation.  But once you have to revoke a card (or key) accepted by
>numerous unconnected traders, there are practical problems of achieving
>comprehensive worldwide revocation.

Interesting point - this probably means that having the private key
component generated on (and protected from export from) the card is a
defence mechanism for users. If there is only ever one signature key, which
cannot be replicated, then the scope for misuse is limited to stealing the
card etc.  If the key exists off the card the possibility exists for its
replication and this means that the resulting damage could be a great deal
more extensive.  This makes me even more convinced that I want 'on-card'
signature key generation!

    Brian