Hi

On Sunday 4 May 2014 at 9:30:23 AM, in <mid:5365fa9f.60...@sixdemonbag.org>, Robert J. Hansen wrote:

> The autopen is a machine that replicates a physical
> signature.

Sounds like an updated version of the rubber-stamp signatures that used to be on some company cheques and other documents.

> That's pretty much a perfect analogue to
> what we're talking about here: should it be possible
> for a third party to recreate your digital signature?
> Should it be possible for a third party to recreate
> your *physical* signature?

In either case, if it can be shown that a third party has at least once done so, then everything bearing my signature is now questionable. However much somebody may trust me, they can no longer assume a particular instance of my signature was put there by me rather than the third party. (Unless the signature was witnessed by trusted individuals whose signatures have not been compromised.)

> That one has been
> conclusively answered 'depending on the circumstances,
> yes!' time and time again. Consider the President as
> an example: he may wish to sign a piece of legislation
> but he's unfortunately unavailable for signatures.
> Instead, he contacts a trusted secretary and orders the
> secretary to autopen his signature on a document --
> said signature, since it is made on his behalf (even if
> it's physically made by a machine operated by a third
> person), being just as legally binding as if he himself
> had written his signature.

So why not just follow the standard practice of the trusted secretary signing the document himself and annotating it was signed for and on behalf of his boss? If the "autopen" signature looks just like the real deal then, unless the document is annotated to indicate it is machine-generated by <name>, you have described something that sounds to me like an act of deception.

> Are there good business reasons for third party escrow
> of signing keys? Quite probably.

I can see none.

> If you can think of
> a situation where an autopen is appropriate, whether in
> business or in government, that's also a situation
> where third-party escrow of signing keys would also
> likely be appropriate.

I cannot think of a situation where it would be appropriate to have a machine fake somebody's signature, rather than have somebody else sign on their behalf.

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Learning without thought is naught; thought without learning is dangerous.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users