SHA3 IANA registration - method?
Andrey Jivsov
openpgp at brainhub.org
Mon Dec 17 08:28:13 CET 2012
On 12/15/2012 01:32 AM, Werner Koch wrote:
> On Fri, 14 Dec 2012 19:32, openpgp at brainhub.org said:
>
>> From this point I can claim repudiation (aka an alibi), stating that
>> the sender has never properly encrypted the message to me that I could
>> have ever read. Here is my key (B) with the same fingerprint that
> The non-repudiation capability of an enryption system is hard to
> implement and to deploy. I am not sure whether OpenPGP may claim to
> support it.
How about this signature repudiation:
At some point I generated two keys with colliding fingerprints. I post
the fingerprint of one key and the key itself on the website. I keep my
second key for tough times ahead.
At some point I sign a document, but get in troubles because of this
signature and want to deny the signature. I quickly update the key file
on the website.
The key file was not cached by the search engines (by luck or my forward
planning). It could be due to my luck because the key was in a directory
that was excluded per my /robots.txt file. Fingerprint, however, was not
(it was in the indexed html folder).
Now my denial of the signature looks convincing: the fingerprint is
correct and is exactly the one that was on my page at the alleged time
of signing, but the signature doesn't verify. I hire 3d party experts to
record the current state of things and will rely on their statement for
the repudiation.
( Of course the accuser forgot to cache my old key. )
More information about the Gnupg-devel
mailing list