
Re: Subject signing redux (was: Re: Mary is Mary)



On Tue, 24 Jun 1997, Marc Branchaud wrote:

-> -----BEGIN PGP SIGNED MESSAGE-----
-> 
-> On Tue, 24 Jun 1997, E. Gerck wrote:
-> > 
-> > -> > >1. Pls include a MUST co-sign clause.
-> > -> > 
-> > -> > I would like to hear list discussion on this one point.
-> > -> > 
-> > -> 
-> > -> For another, it bugs me from a freedom-of-speech point of view.  Libel
-> > -> laws aside, if I want to label someone (or their key) as a purple people
-> > -> eater I shouldn't need their permission.  Whether other people believe my
-> > -> assertion is another story, and they should also be free to make that
-> > -> decision without the subject's expressed consent.
-> > -> 
-> > 
-> > The argument can equally be reversed to the other side. Further, if Jon
-> > says that Mary has auth X and auth X is to be the company's lawyer -- but
-> > Mary is not a lawyer -- she may never be able to prove she did not agree
-> > with auth X.
-> > 
-> 
-> That's true, but will it ever be an issue?  If Mary isn't misrepresenting
-> herself then how could this be a problem?  Could you describe a scenario
-> in which Mary gets in trouble because Jon, without any help from Mary, 
-> thinks she's a lawyer?

Sure, the ABA may sue Mary because she is an authorized company lawyer --
after all, she has trusted Jon to sign auths for employees --  without
being a lawyer. Further, a client may sue her because he sent her an
urgent patent application that was left waiting and being shuffled around
long enough for the competitor's patent to be presented first - because
she isn't a lawyer and did not know such things are urgent. 

Take an example from a public notary. Can I go to a notary and
provide you with a legal authorization without your signature?

-> 
-> > -> Perhaps that's what it comes down to.  If the subject is presenting the
-> > -> cert anyway, isn't that an implied acceptance of its tag? 
-> > 
-> > Sure, such as by Jon saying that Mary has auth X. It does no good
-> > to Mary that Jon implied acceptance of his own signature. 
-> > 
-> 
-> I don't understand your statements.  Do you agree with the idea of implied
-> acceptance or not?  It's not Jon implying anything, it's Mary (the
-> subject) implying acceptance of the certificate she's presenting.
-> 
-> > Also, who else besides Jon can present Jon's cert that says Mary is a
-> > lawyer?
-> 
-> Actually, Jon can't present that cert because Mary's key is the subject,
-> so only Mary can present it.  By presenting it, remember, there's the
-> usual challenge-response going on.  Jon can't pretend to be Mary because
-> he doesn't have her private key. 
-> 
-> So if only Mary can present the cert, then why would she ever present it
-> if she doesn't agree with its contents?
-> 

No, that was my (implicit) point ;-) Take an attacker that is able to
present Mary's cert and do a denial-of-service (easy, he doesn't have the
key anyway...)

Cheers,

Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck                        egerck@laser.cps.softex.br
http://novaware.cps.softex.br
P.O.Box 1201, CEP13001-970, Campinas-SP, Brazil  - Fax: +55-19-2429533  

