On Mon, 28 Oct 2002 12:35:52 CST, Matt Crawford said:
> > > The question of a global PKI is to remove anonymity. You can trace back
> > > to a real person (legal person) from the certificate. Who can offer
> >
> > No. You can trace back to the fact that the signed data was at the same
>                                                      ^
>                                                      a hash of
> > place as the private key, at the same time. It most certainly does *not*
> > prove that a given person intentionally signed it.
>
> I've seen people *who operate CAs* lose sight of the fact that it's
> the hash that's signed, not the full data.

OK, if you want to be pedantic. ;) However, let's remember that although a hash
collision is *possible* to generate, you'd need on the order of 50K-100K
Pentium-4 class boxes for a *year* to generate *one* hash collision(*). Well
within the capacities of distributed.net, but hardly the method of attack I'd
choose when there's a plethora of easier ways.

If things ever actually get secure enough that the distinction between signing
the data and a hash thereof actually matters for a real-world threat model,
I'll declare victory and retire. ;)

/Valdis

(*) That's for just a collision. You want a collision where both hashed items
make sense as data, that will cost extra. A *lot* extra...
Attachment:
pgp00140.pgp
Description: PGP signature
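The point Matt's correction makes, that a signature binds the *digest* and therefore any message sharing that digest, is easy to see in code. The following is an added example and is not part of the original mail or of any real PKI software: it uses constructed textbook RSA parameters (far too small to be secure) and a SHA-256 digest deliberately truncated to TOY_DIGEST_BITS so that a second message with the same digest can be found in a fraction of a second; with a full-width digest that same search is what the mail prices at tens of thousands of CPU-years. The message strings, key parameters and function names are all assumptions made for the demonstration.

```python
"""Hash-then-sign: the signature covers a digest, not the message itself.

Added demonstration (not from the original mail). All parameters are
constructed for illustration and are NOT secure.
"""
import hashlib
import itertools

# Constructed textbook RSA key. P and Q are primes; far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (Python 3.8+ modular inverse)

# Deliberately tiny digest width so a collision is cheap to find here.
TOY_DIGEST_BITS = 16

MESSAGE = b"Pay Alice 100"  # constructed sample message


def digest(msg: bytes, bits: int = TOY_DIGEST_BITS) -> int:
    """SHA-256 truncated to `bits` bits: this value is what actually gets signed."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def sign(msg: bytes) -> int:
    """Textbook RSA signature over the digest (no padding; illustration only)."""
    return pow(digest(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Verification recomputes the digest and compares; the message bytes
    themselves never enter the comparison."""
    return pow(sig, E, N) == digest(msg)


def find_colliding_message(target: bytes, prefix: bytes) -> bytes:
    """Brute-force a different message whose truncated digest equals target's.

    Expected work is about 2**TOY_DIGEST_BITS hash evaluations. The same loop
    against a full-width hash is the CPU-years-scale effort the mail refers to.
    """
    want = digest(target)
    for i in itertools.count():
        candidate = prefix + str(i).encode()
        if candidate != target and digest(candidate) == want:
            return candidate


def demo() -> dict:
    """Run the whole scenario and return the observable facts."""
    sig = sign(MESSAGE)
    forged = find_colliding_message(MESSAGE, b"Pay Mallory 100 ref=")
    return {
        "original_verifies": verify(MESSAGE, sig),
        "forged_message": forged,
        "digests_equal": digest(forged) == digest(MESSAGE),
        "forged_verifies_with_same_sig": verify(forged, sig),
        "altered_sig_rejected": not verify(MESSAGE, sig + 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Raising TOY_DIGEST_BITS by one doubles the search; the gap between 16 bits here and the width of a real digest is the whole of Valdis's cost estimate, and the footnote's extra cost for a collision that "makes sense as data" corresponds to constraining `prefix` to something a relying party would accept.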