OpenPGP Signatures (was Re: How to get your first key signed)

Robert J. Hansen rjh at sixdemonbag.org
Mon Oct 5 01:43:48 CEST 2015


> If that was what he meant to say, he didn't say it.

Peter's right, and you're moving the goalposts.  Please stop.

> So, I'll make my question more general.  Is anyone aware of a case in
> which the validity or enforceability of an OpenPGP signature has been
> argued?

To repeat my answer: yes.  Because it's a digital signature and courts
have repeatedly found them enforceable.  Courts have *not* found them
non-repudiable, though: you repudiate a digital signature in more or
less the exact same way you repudiate a real one.  You say "that wasn't
me, Your Honor" and you show the judge why he or she should believe it
wasn't you.

Werner and I (and maybe others) have seen PGP-signed spam.  Someone was
using Symantec's signing proxy, had it configured to sign all outgoing
mail, had no passphrase on the certificate, and then got hit by a botnet
that used their PC to send out Viagra spam.  Did it have a valid
signature?  Yes.  Was the signature repudiable?  Yes.  "Your Honor,
forensic analysis shows my PC was compromised by malware.  I didn't
authorize those spams to be sent out and I didn't authorize their
signature."

Non-repudiability is a big myth when it comes to OpenPGP.  In this era
where, per Vint Cerf, one in five desktop PCs is pwn3ed, repudiability
is cheap and easy.  "Malware, Your Honor..."
More information about the Gnupg-users mailing list