Management of signature keys for government
Nicholas Bohm
nbohm at ernest.net
Wed, 04 Mar 1998 09:13:28 +0000
At 14:59 4/03/98 +1100, Roger Fleming wrote:
>
>Brian Gladman wrote:
>
>[...]
>>One issue in the self generation of keys is how to prevent a user
>>repudiating their own key by revealing its private component.
>[...]
>>There are a number of ways in which a user could be prevented (or
>>at least
>>deterred) from revealing their own key but it is not clear (to me
>>at least)
>>whether any of these are practical in the real world.
>
>In view of the recent discussion about what type of signatures are
>acceptable in the real world, I wonder if this isn't too stringent a
>requirement for the system. After all, today you cannot repudiate a
>paper-signed contract by claiming that you signed a quantity of
>blank pages and left them lying about. It is _your_ responsibility
>to protect your signature. Essentially, if the user has some means
>of revoking the key pair even after losing it, and their genuinely is
>no practical way for a third party to steal his private keys, I don't
>see the problem with just regarding all pre-revocation signatures
>as binding.
This emphasises the usefulness of a secure time-stamping service as a way
of providing evidence of the times of signature of the contract and the
delivery of the revocation (although such a service is not the only way of
proving these things).
Regards,
Nicholas Bohm
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Fax 01279 870215 (+44 1279 870215)
Mobile 0860 636749 (+44 860 636749)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF