[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SIGNATURES in both universes



I was thinking about a problem involving two parties signing a file and each
keeping a copy, as they would do with a paper contract, and came up with
something like the following:

Two parties securely exchange public keys, each signed by the other, and
verify correctness through some channel like the phone.

Party A signs a document, and sends it to B.  B adds his signature, so now
the document is cryptographically signed by both, and sends a copy back to
A.  Both parties now have the same file containing signatures from each.

Party A later decides to forge an altered document.  To do this, he must
generate two new key pairs, claiming one as his own and the other as the one B
gave him.  He uses these to sign the altered document, and now claims that B
posesses the forgery and fake keypairs instead, and that the altered document
is the genuine one.  Party A cannot just fake a keypair for B, because then
party A would still be able to verify signatures on BOTH documents, whereas
B would only be able to verify his own copy -- this would prove that A had
a goofed key for B, I think...

In the absence of any third party intervention, it is now only A's word
against B's, since NOTHING about either document copy matches the other.  The
question is, what do we DO about this that would be provable in a
[cryptographically clueful] court?  [I'm making a BIG assumption here.]

In the paper world, A and B sign a document in the presence of a notary, who
also signs the document attesting that A and B genuinely signed it.  This
also implies that the notary can view the contents of the document.  It is
feasible for party A to later forge a changed document containing bogus
signatures of B *and* the notary, given sufficient resources.

In the cryptographic world, a trusted third party can sign a document, and
then A's altered copy would not match.  I also propose that trusted third
party [let's call it a Notary] can also sign A and B's public keys, and retain
copies of same.  [A mental image of a printout of the ascii-armored key block
for both parties, tacked to the Notary's wall, comes to mind...]  Now the two
parties can interact freely using these key pairs, and never need to expose
any actual documents to the Notary.  If a dispute arises, the Notary can be
called in to verify questionable signatures or keys.  The Notary can also
receive and retain encrypted copies of documents, and be unable to do anything
with them except store them away for future reference.

Assuming that the Notary is never compromised by either A or B, and could
retain some kind of provable trail of document dates, would this work??  How
would the compromise of A's key or B's key be handled and still keep any
of the documents valid?  Does the analogy to forged handwritten signatures
and phony dates hold water?

Presumably if either A or B has ONE other signature on either of their public
keys, let's say from C, then C can be called in to check that signature.  From
this one can determine which of A or B is lying, since they signed each
others' keys in the beginning and THOSE have to also match.

This is more a legalistic question than a crypto question, but I'm sure
many of us would like to see the use of crypto for this sort of thing sometime
down the road.  Are there any precedents at all yet?

_H*