Yo! Bill:
Saturday August 17 1996 21:09, Bill Funk wrote to Bill Cheek:
 BC>> Aside from Policy4 which may or may not hold water for digital sigs,
 BC>> what is your personal reason for being adamantly against it?  If it
 BC>> validates a message as coming from one and only one identifiable
 BC>> person, is that not in keeping with the highest traditions of
 BC>> networking?
 BF>  Hmmm...
 BF>  If a certain sequence of characters is used to verify authorship in a
 BF> public forum such as FIDO.SCANRADIO, that sequence would only be good 
or
 BF> such a purpose one time. After that first use, anyone could use it to 
fake
 BF> authorship. Therefore, such a sequence of characters would need to be
 BF> changed each time it's used. The change would require that someone knew
 BF> about the change beforehand. If everybody knew what the change was, it
 BF> wouldn't verify authorship, as anybody could use the changed sequence to
 BF> fake authorship. So, the changes could only be known to a few (say, the
 BF> moderators). In that case, the sequence becomes a coded message, and
 BF> illegal. So, such PGP signatures are either:
 BF>         A: Signature files with no meaning as part of the message, and
 BF>            therefore subject to signature rules; OR
 BF>         B: Coded messages, and illegal.
A digital signature contains not only so many unique bits to identify the 
signer, but also a sequence of bytes that "fingerprint" the message itself. 
I'm sure a CRC sum is one byte, but there would be other parameters, too, 
like number of lines, number of words, date & time, number of characters, 
number of 1-char words, number of 2-char words, etc, etc.  Neither the user 
nor the reader can know which is which, and the sig would be different each 
time. 
Slightly.  And the chances of one sig validating another message would be on 
the order of one in billions.
There is another potential solution to this issue.  For years, Fido has had 
fairly ironclad security from the SysOp/BBS level on up in the hierarchy.  
The gaping holes which would be filled by digital signatures from the users 
could have other options.....instead.  Fer instance, the SysOp could be 
required to authenticate and verify each USER on his system.
This would cause thousands of SysOps to bail out, though.  Sometimes we are 
faced with choices of two or more evils.  I don't think we're THERE yet, but 
I see the day coming......
Bill Cheek | Internet: bcheek@cts.com | Compu$erve: 74107,1176
Windows 95 Juggernaut Team | Microsoft MVP
--- Hertzian Mail+
---------------