
Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)



Excerpts from mail: 29-Jan-96 Re: Signature use and key t..
[email protected] (2183*)

> In my world, "you" == [email protected], and hence "your key" == the key I could
> fetch from [email protected].

Right, absolutely.  But let's face it, by now you believe it's me
anyway, or the real [email protected] would have spoken up and argued with
me.  On the other hand,  if I start routinely PGP-signing email, then
the value of slowly brute-force cracking my private key goes way up.  If
FV is successful, for example, you could spend a few years breaking my
key, and then forge apparently-slanderous signed mail from me to you as
part of a lawsuit.  This would be far more believable, in a court of
law, if I routinely signed everything than if I didn't.  

I don't routinely sign things because I think it is asking for problems
with retrospective forgery down the road.  I might, however, consider
routinely signing things once I can easily incorporate a digital
timestamping service like the one from Surety into my signature.

> FWIW, I have lost a great deal of respect for you today

I sincerely hope that you will gain it back when you realize that not
all "hype" is without substance, and that we really have unveiled a
genuine, previously-unrecognized, and extremely important flaw in
commercial mechanisms that purport to offer security through the software
encryption of credit card numbers.  -- Nathaniel
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]