On Mon, 28 Oct 2002 12:35:52 CST, Matt Crawford said:
> > The question of a global PKI is to remove anonymity. You can trace back
> > to a real person (legal person) from the certificate. Who can offer
>
> No. You can trace back to the fact that the signed data was at the same
>                                         ^
>                                         a hash of
> place as the private key, at the same time. It most certainly does *not*
> prove that a given person intentionally signed it.
>
> I've seen people *who operate CAs* lose sight of the fact that it's
> the hash that's signed, not the full data.
OK, if you want to be pedantic. ;)
However, let's remember that although a hash collision is *possible* to
generate, you'd need on the order of 50K-100K Pentium-4 class boxes for
a *year* to generate *one* hash collision(*). Well within the capacities of
distributed.net, but hardly the method of attack I'd choose when there's
a plethora of easier ways.
If things ever actually get secure enough that the distinction between
signing the data and a hash thereof actually matters for a real-world
threat model, I'll declare victory and retire. ;)
/Valdis
(*) That's for just a collision. You want a collision where both hashed items
make sense as data, that will cost extra. A *lot* extra...
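The two points made above, that the private key is applied to a digest rather than to the data, and that a collision between two *meaningful* messages is a separate and harder problem than a bare collision, can be demonstrated concretely. The following is an added example and is not code from the thread or from either author. It assumes a textbook RSA key built from two constructed 16-bit primes and a digest that is SHA-256 truncated to 24 bits; both are toy choices made so that a collision between a benign payment order and a malicious one can be found in a fraction of a second by a birthday search, which is exactly what a real 160- or 256-bit digest makes infeasible.

```python
import hashlib
import itertools

# Toy parameters for illustration only. A tiny textbook-RSA key pair and a
# 24-bit truncation of SHA-256 stand in for a real signature scheme so that
# a digest collision is cheap to find. Nothing here is secure.

DIGEST_BITS = 24   # assumed truncation width; a real digest would be 160-256 bits
E = 65537          # public exponent


def _is_prime(n: int) -> bool:
    """Trial-division primality test, adequate for 16-bit candidates."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))


def _prime_below(limit: int) -> int:
    """Largest prime strictly below limit (constructed key material)."""
    n = limit - 1
    while not _is_prime(n):
        n -= 1
    return n


P = _prime_below(1 << 16)   # 65521
Q = _prime_below(P)         # next prime down
N = P * Q                   # modulus, comfortably larger than 2**DIGEST_BITS
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; E < P-1, Q-1 so it is invertible


def toy_digest(msg: bytes) -> int:
    """First DIGEST_BITS bits of SHA-256(msg) as an integer."""
    h = hashlib.sha256(msg).digest()
    return int.from_bytes(h, "big") >> (256 - DIGEST_BITS)


def sign(msg: bytes) -> int:
    """Textbook RSA over the digest: the private key never sees msg itself."""
    return pow(toy_digest(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Verification likewise only compares the recovered digest."""
    return pow(sig, E, N) == toy_digest(msg)


def find_meaningful_collision():
    """Birthday-style search across two families of plausible messages.

    Each family is a template with a varying reference number (constructed
    sample data). Returns (benign, malicious) with equal truncated digests.
    """
    benign_seen = {}
    evil_seen = {}
    for i in itertools.count():
        benign = f"Transfer 100 USD to Alice, reference {i}".encode()
        evil = f"Transfer 100000 USD to Mallory, reference {i}".encode()
        db, de = toy_digest(benign), toy_digest(evil)
        if db == de:
            return benign, evil
        if db in evil_seen:
            return benign, evil_seen[db]
        if de in benign_seen:
            return benign_seen[de], evil
        benign_seen[db] = benign
        evil_seen[de] = evil


def demo() -> dict:
    """Sign the benign order; show the signature also verifies on the malicious one."""
    benign, evil = find_meaningful_collision()
    sig = sign(benign)
    return {
        "benign": benign,
        "evil": evil,
        "same_truncated_digest": toy_digest(benign) == toy_digest(evil),
        "full_sha256_differs": hashlib.sha256(benign).digest()
        != hashlib.sha256(evil).digest(),
        "sig_verifies_on_benign": verify(benign, sig),
        "sig_verifies_on_evil": verify(evil, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The search needs only on the order of 2^12 candidates per family because the digest is 24 bits wide; widening DIGEST_BITS to 64 already pushes it out of reach of a laptop, and at 160 or 256 bits it is the "50K-100K boxes for a year" or far worse. Note also that the full SHA-256 values of the two orders differ: the signature verifies on both only because the scheme signed a digest that was too short to bind the message, which is the distinction the thread is about.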