Bogus digital signatures, Re: OT: utility account transfer frauds

[John R T Brazier]

George Ross stated:
> Is it not sufficient that each party generate their own random string,
sign
> the concatenation of that string with the document, and publish the string
> along with the signature.  No-one is then signing anyone else's text, but
> all can verify that everyone signed the same document.

> (It would also be as well to insist on as simple a format as possible for
> the document, so as to reduce the likelihood that different software will
> display it differently, but that's another question...)

I presume that both strings would be appended to the text (so both sides get
to vary it). That will work. Of course, both sides need to be convinced
these strings are random, and haven't been tampered with (and aren't a
method to change the meaning of the text). And we probably need secure
timestamps to ensure we all agree when the document was signed. And we need
to be confident in the implementation of all this (as well as achieving a
standard that is actually used). There are protocols that would work - at
least in theory - but I expect a lot of fun and games in the future!

TTFN

John B