
Re: "Cyherpunks Named Official Signing Authority"



At 3:05 PM 12/01/94, Eric Hughes wrote:
>WARNING: The following paragraph does not have direct relevance to the
>issue at hand.  It discusses servers which might verify signatures,
>which my current proposal does not have in it.
>
>What I have realized in the interim is, that if a server is to verify
>a signature, the server should sign not the message but rather the
>signature.  After all, the signature is what was being verified, not
>any property of the message.  The user can still detect message
>alteration, by first verifying the sig-on-sig, and then comparing the
>hash value in the original sig to a hash on the message.

I echo Eric's warning, that I also don't mean this to have anything to do
with the current thread.

The benefit of having the list sign the entire message, is that even if
people _don't_ sign the message themselves (assuming they aren't being
required to ;) ), there's still something left to sign. The list would be
signing to indicate that, yes, this message did pass through
[email protected].  Regardless of whether the author signed the message
himself or not, completely different issue.
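
The two schemes discussed in this message, side by side, as an added example that is not part of the original post: a server that verifies the author's signature and then signs the signature, and a list that signs the whole message whether or not the author did. Toy unpadded RSA over small fixed primes stands in for PGP signatures, and every name and key below is an assumption made for illustration.

```python
import hashlib

# Toy textbook RSA (no padding, tiny fixed keys) as a stand-in for PGP
# signatures. Illustration only; all names and keys here are hypothetical.
E = 65537

def make_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data: bytes, key) -> int:
    n, d = key
    return pow(digest(data), d, n)

def recover(sig: int, n: int) -> int:
    """Hash value carried inside a signature, recovered with the public key."""
    return pow(sig, E, n)

def sig_bytes(sig: int) -> bytes:
    return sig.to_bytes(32, "big")

AUTHOR = make_key(2**61 - 1, 2**89 - 1)    # constructed sample keys
LIST = make_key(2**89 - 1, 2**107 - 1)

def countersign(message: bytes, author_sig: int, author_n: int, list_key) -> int:
    """Server verifies the author's signature, then signs the signature itself."""
    if recover(author_sig, author_n) != digest(message):
        raise ValueError("author signature does not verify")
    return sign(sig_bytes(author_sig), list_key)

def check_sig_on_sig(message, author_sig, list_sig, author_n, list_n) -> str:
    # Step 1: verify the server's signature over the author's signature.
    if recover(list_sig, list_n) != digest(sig_bytes(author_sig)):
        return "bad sig-on-sig"
    # Step 2: compare the hash inside the original signature to a hash of the message.
    if recover(author_sig, author_n) != digest(message):
        return "message altered"
    return "ok"

def list_sign_message(message: bytes, list_key) -> int:
    """Alternative from the reply: the list signs the entire message, signed or not."""
    return sign(message, list_key)

def check_list_signed(message: bytes, list_sig: int, list_n: int) -> bool:
    return recover(list_sig, list_n) == digest(message)
```
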