Bob,
You raise many, many interesting issues, most of which will take time to
evolve. One detail caught my eye:
At 2:13 AM 2/11/95, Jueneman(_at_)gte(_dot_)com wrote:
What happens if Mr. Z somehow obtains a copy of that signed transaction, and
submits it to the originator's bank as often as he pleases. My books are still
packed after yet another office move, but unless my memory fails me, THERE IS
NOTHING PROVIDED IN PEM THAT WOULD PROVIDE EITHER A DATE/TIME
STAMP OR A TRANSACTION NUMBER TO SUCH A TRANSACTION.
Anyone who has a compliant PEM implementation available can quickly verify this
assertion -- just sign a given piece of text two times in a row, and see if the
results are identical. If they are, then the originator has no effective
defense against a replay attack.
It's been well understood within the PEM community that there is no
mechanism defined within the PEM protocol to distinguish two separate
signings of the same content. I believe it is also agreed that this is not
an inherent problem. It simply means that feature has not been included in
the PEM protocol and if there is a need for this service, it belongs in the
next layer up.
In the CyberCash payment protocols under development, we obviously have
exactly the requirement you suggest, and for that reason we do, in fact,
include a transaction identifier, and we do require that the recipient
check for duplicates and treat duplicates as retransmissions as oppposed to
new events. This makes sense in the restricted context of a payment
protocol. However, in the more general arena of protected mail for all
purposes, it is not so obvious that the cost and difficulty of implementing
this feature is worth it.
Steve
--------------------
Steve Crocker
CyberCash, Inc., Suite 430 Work: +1 703 620 4200
2100 Reston Parkway Fax: +1 703 620 4215
Reston, VA 22091
crocker(_at_)cybercash(_dot_)com