e-conveyancing

Nicholas Bohm nbohm at ernest.net
Thu, 29 Mar 2001 14:02:17 +0100 

At 12:33 29/03/2001 +0100, Ben Laurie wrote:
>Nicholas Bohm wrote:
>> The underlying problem is precisely the limited security of private keys
>> once in widespread use for valuable purposes.
>
>Is it? How secure is my signature? I would contend that is substantially
>less secure than even the most crappily protected private key (and,
>indeed, 6k stolen from my bank account shows it is often not even
>checked). So how come it works?

The issue is tackled at some length in 

http://elj.warwick.ac.uk/jilt/00-3/bohm.html

which I immodestly commend.

Pending developments in science unforeseen, you cannot give away, or have
stolen or copied from you, the ability to make a distinctive handwritten
signature.  Security at this point seems to be perfect.

Banks and others who rely on signatures can expend whatever effort they
wish on verifying them.  Since they carry the risk of e.g. cheque forgery
and you as the customer do not, it is up to them to decide how much effort
to expend, depending on the size of the cheque.  This is just as it should be.

Good forgeries are hard to detect by casual inspection, but the detection
rate rises rapidly if document examination techniques are employed instead
of mere visual comparison.  The error rate is a matter of continuing
controversy in the academic field, one problem being that the best forgers
probably have better uses for their talents than submitting themselves to
expert testing.

It does seem possible that a very good forgery might deceive experts into
the conviction that a forger's signature is yours, but forgery that good is
likely to be reserved for high value targets on account of the effort
involved; and it is rarely necessary for the forger to achieve that
standard anyway, since all he needs to do is fool the bank at the point of
payment, and he has no reason to want to go further and fool the bank into
throwing the loss on to you.

Private keys can be stolen in ways we all know about, quite possibly
without their owners' knowledge; and no amount of effort by the verifier
can detect this.  Only the owner can manage the risk, and very many owners
are likely to be unable to protect themselves adequately if private keys
are widely deployed.

Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop’s Stortford CM22 6SX, UK

Phone	01279 871272	(+44 1279 871272)
Fax	01279 870215	(+44 1279 870215)
Mobile	07715 419728 (+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF