Re: to sig or not to sig?

From: Owen Rees (
Date: 10/02/03

Date: Thu, 02 Oct 2003 00:11:34 +0100

On Wed, 01 Oct 2003 22:29:15 GMT, Alan Connor <zzzzzz@xxx.yyy> wrote in

>On Wed, 01 Oct 2003 23:07:15 +0100, Owen Rees <> wrote:
>> What you need is a message signed by your customer accepting your
>> price. You can then prove that they signed that message.
>That last statement isn't true. I keep hearing that over and over again
>from PGP fans. But I KNOW someone who could beat that system and does so
>for fun on a regular basis. And he isn't even particularly advanced as
>a hacker.

Let's be a bit more precise then. You know that the message was signed by
someone who knows the private key associated with the public key that
you used to verify the message, and the message has not been altered
since it was signed. If the signature has been used in the context of a
business transaction, then the appropriate law will apply, and the
'proof' will be not a mathematical proof, but whatever is required by
the applicable legal system. There is no technical reason why PGP should
not be used in that context, but in practice, the registration and
certification required to convince the relevant judge are not generally
available for PGP/GPG based systems.

>All PGP sigs prove is that a certain group of people (whose trustworthiness
>cannot be established with PGP) trust the bearer of that signature in a
>very limited way.

PGP signatures prove to those who trust the signer that a message is a
message that was signed by that signer. All it tells me is that if I
have a trustworthy copy of the signer's public key, and the signature
verifies, the message is not forged.

This can be a very valuable result, if you know what you are doing.

Owen Rees - opinions expressed here are mine; for a full disclaimer
visit <>
for e-mail use "owen.rees at" instead of the From address
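The distinction Owen draws above (a verified signature tells you only that the holder of the private key matching the public key you used signed exactly this text, and that any binding of that key to a person comes from your own trustworthy copy of the key, not from the math) can be seen directly in code. The following is an added example written for this archive page, not code from the thread or from PGP/GPG; it uses Go's standard-library Ed25519 in place of PGP's signing primitive, and the party names, message text and keyring structure are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one keypair. Ed25519 stands in for PGP's signing primitive;
// the point being illustrated does not depend on the algorithm.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh keypair for a named party (constructed data).
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, pub: pub}, nil
}

// Public returns the key a counterparty would file in their keyring.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a detached signature over msg with this party's private key.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Keyring models the "trustworthy copy of the signer's public key" from the
// post: the verifier's own binding of names to public keys, obtained out of
// band (key signing, a trusted introducer, a certificate, ...). The
// signature math never establishes that binding; the keyring's owner does.
type Keyring map[string]ed25519.PublicKey

// Verify answers only the question the post says a signature can answer:
// was msg signed by whoever holds the private key matching the public key
// filed under name, and is it unaltered since? Anything beyond that (who
// that holder "really" is, whether they meant it, what a court makes of it)
// is outside the cryptography.
func (k Keyring) Verify(name string, msg, sig []byte) bool {
	pub, ok := k[name]
	if !ok {
		return false // no trustworthy copy of this signer's key: nothing can be concluded
	}
	return ed25519.Verify(pub, msg, sig)
}

// Outcome collects the four checks a merchant in the thread's scenario
// would care about, so they can be inspected without parsing printed text.
type Outcome struct {
	Genuine, Tampered, WrongKey, UnknownSigner bool
}

// RunScenario plays out the thread's example: a customer signs an
// acceptance of a quoted price, and the merchant verifies it in several ways.
func RunScenario() (Outcome, error) {
	customer, err := NewSigner("customer@example.test")
	if err != nil {
		return Outcome{}, err
	}
	stranger, err := NewSigner("stranger@example.test")
	if err != nil {
		return Outcome{}, err
	}

	// The merchant's keyring holds only the key they obtained for the customer.
	ring := Keyring{customer.Name: customer.Public()}

	msg := []byte("I accept your quoted price of 100 units for order #4711.") // constructed
	sig := customer.Sign(msg)

	// A single changed character after signing.
	altered := []byte("I accept your quoted price of 10 units for order #4711.")

	return Outcome{
		// Holder of the customer's private key signed exactly this text.
		Genuine: ring.Verify(customer.Name, msg, sig),
		// Any change after signing is detected.
		Tampered: ring.Verify(customer.Name, altered, sig),
		// A signature from some other keypair does not verify under the customer's key.
		WrongKey: ring.Verify(customer.Name, msg, stranger.Sign(msg)),
		// Without a trusted copy of the signer's key, verification says nothing.
		UnknownSigner: ring.Verify(stranger.Name, msg, stranger.Sign(msg)),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v unknownSigner=%v\n",
		out.Genuine, out.Tampered, out.WrongKey, out.UnknownSigner)
}
```

Only the first check succeeds. Note what the successful case does and does not establish: it proves possession of the private key behind the entry the merchant filed under the customer's name, which is exactly as good as the process by which that entry got into the keyring. Whether that is enough to satisfy a judge is, as the post says, a question for the applicable legal system rather than for the verification routine.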
