Steve Bellovin <smb(_at_)RESEARCH(_dot_)ATT(_dot_)COM> said:
I'm far from convinced, for example, that the LOVEBUG virus would
have been prevented were all mail digitally signed, because I
strongly suspect that the attack would have invoked a digital
signature API to generate digitally-signed copies of itself.
I would hope that any software I use, that is able to put my digital signature
on some data, would ask me for my pass-phrase every time my private key is
used. I would even hope that such software wouldn't be able to use my private
key without the pass-phrase, otherwise anybody with access to my computer could
easily forge my signature.
If this requirement is not met, the digital signature has no value.
Peace,
Bertrand Ibrahim.
--------------------------------------------
Bertrand(_dot_)Ibrahim(_at_)cui(_dot_)unige(_dot_)ch
http://cui.unige.ch/eao/www/Bertrand.html