[1843] in cryptography@c2.net mail archive
Signature Certificates
daemon@ATHENA.MIT.EDU (Larry Layten)
Fri Nov 14 13:48:12 1997
From: Larry Layten <larry@ljl.com>
To: "'cryptography@c2.net'" <cryptography@c2.net>
Date: Thu, 13 Nov 1997 16:01:57 -0600

It occurred to me (while thinking of email signatures, then
jumping into SSL/TLS) that I have a problem with the way
digital signatures are being used by different systems.

In one case, I am deliberately signing documents, much the
same way that I do in a paper environment. I am making a
conscientious decision to affix my <digital> signature to a
document, and thus it becomes legally binding on me. An
example of this is a signed electronic mail message.

In another case, I am enabling my token so that applications
can use it to authenticate that electronic transactions actually
came from me. In some cases, I am seeing Java applets that
actually access a token to sign a transaction and by enabling
the applet, I am giving them authority to affix my signature
to whatever they may want to affix it to. I am having trouble
even coming up with a paper world equivalency to this action --
other than a power of attorney.

I really don't like the idea of allowing my signature to be used
for anything other than a security product that specifically
allows <me> to sign something. Hence, I really don't want
a general purpose communications routine or a Java
enabled browser to be using it without telling me each time
that I am signing something -- which makes it unusable
for authentication purposes. ????

Is this where I need an attribute certificate that identifies
my PC, not me?

Help!!

Larry
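
The separation the message asks about, as an added example that is not part of the original post: a hypothetical token model that keeps one key for unattended authentication and a second key for document signatures, which needs the owner's confirmation on every use. The `Token` type, the purpose prefixes and the confirm callback are assumptions made for illustration, and Ed25519 is chosen only because it is in the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Token is a hypothetical model of a signing token with one key per purpose.
type Token struct {
	authKey, docKey ed25519.PrivateKey
	confirm         func(summary string) bool // stand-in for a trusted owner prompt
}

func NewToken(confirm func(string) bool) *Token {
	_, a, errA := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, d, errD := ed25519.GenerateKey(nil)
	if errA != nil || errD != nil {
		panic("key generation failed")
	}
	return &Token{authKey: a, docKey: d, confirm: confirm}
}

// Authenticate signs a server challenge with no prompt, using the
// authentication key and a purpose prefix.
func (t *Token) Authenticate(challenge []byte) []byte {
	return ed25519.Sign(t.authKey, append([]byte("auth-v1\x00"), challenge...))
}

// SignDocument uses the document key and asks the owner on every call.
func (t *Token) SignDocument(doc []byte) ([]byte, error) {
	if !t.confirm(fmt.Sprintf("sign %d-byte document?", len(doc))) {
		return nil, errors.New("owner declined")
	}
	return ed25519.Sign(t.docKey, append([]byte("doc-v1\x00"), doc...)), nil
}

// VerifyDocument is what a relying party runs against the document public key.
func (t *Token) VerifyDocument(doc, sig []byte) bool {
	pub := t.docKey.Public().(ed25519.PublicKey)
	return ed25519.Verify(pub, append([]byte("doc-v1\x00"), doc...), sig)
}

func main() {
	tok := NewToken(func(string) bool { return false }) // owner is away: declines
	contract := []byte("I owe you 100 dollars")         // constructed sample
	sig := tok.Authenticate(contract)                   // app passes a document as a "challenge"
	fmt.Println("auth output accepted as document signature:", tok.VerifyDocument(contract, sig))
	_, err := tok.SignDocument(contract)
	fmt.Println("unattended document signing:", err)
}
```

An application that has been handed the authentication function can still log in as the owner, but nothing it produces verifies under the document key, and the document key never signs without a prompt.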