Posted by Unruh on December 31, 2007, 4:40 pm
>>Hello!
>>You wrote on Mon, 31 Dec 2007 04:22:28 -0500:
>>
>> A> I see what you're saying but the most important process is the
>> A> authentication of the *identity* of the signer. If there is no ID that
>> A> is verified, then the rest doesn't matter. I can use your Adobe on your
>> A> computer to sign in your name as long as I can get to your software.
>>
>>That's a totally different story. Digital signatures don't prove the
>>identity of the user, they prove the set of "what the person has" and "what
>>the person knows". With digital means you can't reliably prove "what the
>>person is", i.e. whether the signature or fingerprint - once they are placed
>>into the document, they can be duplicated.
>>
>>Example: you can copy the signature (or fingerprint) from the document I
>>signed, then come to my computer and use it to create another document.
>>Afaik there's no reliable solution for this problem.
Well, no. Digital signatures of a document usually combine something which
uniquely identifies the document with something you have.
Thus take the AES sum of the document, and then encrypt that with your
private key. Anyone can then use your public key to unencrypt it and check
whether the AES signature agrees with their generated signature of the
document. No one else can do that. They can take the AES sum of the
document, but cannot encrypt it with your private key.
I.e., you CANNOT use the signature from document 1 to sign document 2. The
AES hashes will not agree.
> You're forgetting that a good digital signature is a
> transformation of a secure hash of the original. Take this
> signature and see if it works with any other document:
Agreed. Just amplifying.
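
An added example, not part of the original posts, of the hash-then-sign idea discussed in this thread: the document's hash is transformed with the private key and checked with the public key, so a signature lifted from one document fails on any other. Assumptions: SHA-256 is used as the document hash, and the key is a constructed toy key with unpadded textbook RSA; production signatures use a padded scheme such as RSA-PSS from a vetted library.

```python
import hashlib

# Constructed toy key built from two well-known Mersenne primes.
# The factors are public knowledge, so this key is for illustration only.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest_int(document: bytes) -> int:
    """Hash the document and read the 256-bit digest as an integer (< N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Transform the document hash with the private key (no padding: toy only)."""
    return pow(digest_int(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Undo the transform with the public key and compare with our own hash."""
    return pow(signature, E, N) == digest_int(document)


def demo() -> dict:
    doc1 = b"I agree to pay Alice 10 dollars."      # constructed sample
    doc2 = b"I agree to pay Alice 10000 dollars."   # constructed sample
    sig1 = sign(doc1)
    return {
        # The genuine signature checks out on the document it was made for.
        "sig1_on_doc1": verify(doc1, sig1),
        # Copying that signature onto a different document fails: hashes differ.
        "sig1_on_doc2": verify(doc2, sig1),
        # A modified signature no longer maps back to the document hash.
        "tampered_sig_on_doc1": verify(doc1, sig1 ^ 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check binds the signature to the document contents and to possession of the private key; it says nothing about who was sitting at the keyboard when the key was used, which is the separate point raised earlier in the thread.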