John Dlugosz writes:
I just noticed this in a book I'm reading. Section 4.3 in "Applied
Cryptography, 2nd ed." by Bruce Schneier is on this exact subject.

Actually 4.3 is on Chaum's undeniable signatures, which are not quite the
same as what we are talking about. An undeniable signature requires the
aid of the signer to verify the signature. If Alice sends an undeniable
signature to Bob, he has to then run a protocol with Alice in order to
determine if the signature is good or not. We would not want that with
PGP, as we don't assume a bidirectional channel exists between signer

Somewhat closer is section 4.4, the designated confirmer signature, also
by Chaum. I seem to recall that this is what he presented to us at the
meeting in the PGP offices several years ago. But I don't see that this
achieves the goal either. It is basically like an undeniable signature,
where a third party is able to replace the signer as the verifier.
So Alice could sign a message and send it to Bob, and he could only
verify it with Carol's assistance.

Maybe the idea was to use the designated confirmer signature, but to
make the designated confirmer in this case be Bob himself? Then he
could verify the signature all by himself, but no one else could verify
it without his help. Hmmm, that doesn't seem quite right, because Alice
really doesn't want Bob to be able to verifiably show her signature to
a third party, and this use of the designated confirmer signature seems
to allow that. So I'm not sure any more exactly what his idea was.

Anyway, both undeniable and designated confirmer signatures are patented
by Chaum, so they would probably not be suitable for use in a protocol
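The interactive confirmation step that makes undeniable signatures unsuitable here (Bob cannot check Alice's signature without her cooperation), as an added Python example that is not from the original thread or from Schneier's book. It uses the basic Chaum-van Antwerpen confirmation exchange over a constructed toy group (p = 2039, q = 1019, g = 4); a real deployment would use a large prime-order group.

```python
import hashlib
import secrets

# Constructed toy safe-prime group for illustration: p = 2q + 1.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup

def to_group(msg: bytes) -> int:
    """Hash a message into the order-q subgroup (squaring forces a quadratic residue)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)

class Signer:
    """Alice: holds the private key and must take part in every verification."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1      # private key in [1, q-1]
        self.y = pow(G, self.x, P)                 # public key y = g^x mod p
        self._x_inv = pow(self.x, -1, Q)           # x^-1 mod q, used in confirm()

    def sign(self, msg: bytes) -> int:
        return pow(to_group(msg), self.x, P)       # undeniable signature z = m^x mod p

    def confirm(self, challenge: int) -> int:
        # Signer's half of the confirmation protocol: raise the challenge to x^-1.
        # Without this response the verifier learns nothing about z's validity.
        return pow(challenge, self._x_inv, P)

def verify_interactive(msg: bytes, z: int, y: int, signer: Signer) -> bool:
    """Bob's side. Note the round trip: the check cannot finish offline."""
    m = to_group(msg)
    a = secrets.randbelow(Q - 1) + 1                   # fresh random blinding exponents
    b = secrets.randbelow(Q - 1) + 1
    c = (pow(z, a, P) * pow(y, b, P)) % P              # challenge c = z^a * y^b, sent to Alice
    d = signer.confirm(c)                              # Alice answers d = c^(x^-1)
    # If z = m^x then d = m^a * g^b; for any other z the equality fails (a != 0 mod q).
    return d == (pow(m, a, P) * pow(G, b, P)) % P

if __name__ == "__main__":
    alice = Signer()
    msg = b"constructed sample message"
    z = alice.sign(msg)
    print("genuine signature confirmed:", verify_interactive(msg, z, alice.y, alice))
    print("tampered signature confirmed:", verify_interactive(msg, (z * G) % P, alice.y, alice))
```

Because Bob's acceptance depends on Alice's live response, a transcript Bob shows Carol proves nothing on its own, which is the property the thread is weighing against the cost of requiring a bidirectional channel.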