Managing Subkeys for Professional and Personal UIDs

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Sun May 4 14:03:00 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 4 May 2014 at 9:30:23 AM, in
<mid:5365FA9F.60702 at sixdemonbag.org>, Robert J. Hansen wrote:


> The autopen is a machine that replicates a physical
> signature.

Sounds like an updated version of the rubber-stamp signatures that
used to be on some company cheques and other documents.



>  That's pretty much a perfect analogue to
> what we're talking about here: should it be possible
> for a third party to recreate your digital signature?
> Should it be possible for a third party to recreate
> your *physical* signature?

In either case, if it can be shown that a third party has at least
once done so, then everything bearing my signature is now
questionable. However much somebody may trust me, they can no longer
assume a particular instance of my signature was put there by me
rather than the third party. (Unless the signature was witnessed by
trusted individuals whose signatures have not been compromised.)



> That one has been
> conclusively answered 'depending on the circunstances,
> yes!' time and time again.  Consider the President as
> an example: he may wish to sign a piece of legislation
> but he's unfortunately unavailable for signatures.
> Instead, he contacts a trusted secretary and orders the
> secretary to autopen his signature on a document --
> said signature, since it is made on his behalf (even if
> it's physically made by a machine operated by a third
> person), being just as legally binding as if he himself
> had written his signature.

So why not just follow the standard practice of the trusted secretary
signing the document himself and annotating it was signed for and on
behalf of his boss?

If the "autopen" signature looks just like the real deal then, unless
the document is annotated to indicate it is machine-generated by
<name>, you have described something that sounds to me like an act of
deception.



> Are there good business reasons for third party escrow
> of signing keys?  Quite probably.

I can see none.



> If you can think of
> a situation where an autopen is appropriate, whether in
> business or in government, that's also a situation
> where third-party escrow of signing keys would also
> likely be appropriate.

I cannot think of a situation where it would be appropriate to have a
machine fake somebody's signature, rather than have somebody else sign
on their behalf.


- --
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at riseup.net

Learning without thought is naught;
 thought without learning is dangerous.
-----BEGIN PGP SIGNATURE-----

iPQEAQEKAF4FAlNmLIlXFIAAAAAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0
N0VDQTAzAAoJEKipC46tDG5pFlkEAKiB7jcHFJmKrcbIm6TdGb0cXNBsvLoIZNCc
cry3q159h1sdsXgcZsZEHZU94BSSrrQC04P9fDtejdReCk6f/D4+O4MZ6NegwqXZ
eySSHCOTnGbtETNzXQ92dsYdWnA48P4BK5vjpfG9c2u2ShTJzot1+tezIc4chjc+
hb7dSxqp
=JMPU
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list