Re: to sig or not to sig?

From: Owen Rees (
Date: 10/02/03

Date: Thu, 02 Oct 2003 00:11:34 +0100

On Wed, 01 Oct 2003 22:29:15 GMT, Alan Connor <zzzzzz@xxx.yyy> wrote in

>On Wed, 01 Oct 2003 23:07:15 +0100, Owen Rees <> wrote:
>> What you need is a message signed by your customer accepting your
>> price. You can then prove that they signed that message.
>That last statement isn't true. I keep hearing that over and over again
>from PGP fans. But I KNOW someone who could beat that system and does so
>for fun on a regular basis. And he isn't even particularly advanced as
>a hacker.

Let's be a bit more precise then. You know that the message was signed by
someone who knows the private key associated with the public key that
you used to verify the message, and the message has not been altered
since it was signed. If the signature has been used in the context of a
business transaction, then the appropriate law will apply, and the
'proof' will be not a mathematical proof, but whatever is required by
the applicable legal system. There is no technical reason why PGP should
not be used in that context, but in practice, the registration and
certification required to convince the relevant judge are not generally
available for PGP/GPG based systems.

>All PGP sigs prove is that a certain group of people (whose trustworthiness
>cannot be established with PGP) trust the bearer of that signature in a
>very limited way.

PGP signatures prove to those who trust the signer that a message is a
message that was signed by that signer. All it tells me is that if I
have a trustworthy copy of the signer's public key, and the signature
verifies, the message is not forged.

This can be a very valuable result, if you know what you are doing.

Owen Rees - opinions expressed here are mine; for a full disclaimer
visit <>
for e-mail use "owen.rees at" instead of the From address
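The precise claim above (a valid signature proves only that someone who knows the private key matching the public key you verified with signed that exact message, and that the message has not been altered since) is easy to see in working code. What follows is an added example written for this page, not code from Owen Rees or from PGP/GPG: a deliberately small textbook-RSA signing and verification routine over SHA-256, with simple fixed padding, built from the Python standard library only so it runs offline. The key sizes, the message texts, and the function names are all assumptions made for the demonstration; a real deployment would use a proper library and a standard scheme, not this toy.

```python
"""Toy RSA signature demo: what verification does and does not prove.

Constructed example, not the page's or any project's code. Textbook RSA with
a fixed 0x00 0x01 0xFF.. 0x00 || SHA-256 encoding, 512-bit modulus: fine to
illustrate signature semantics, NOT a production signature scheme.
"""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). Small modulus chosen for speed; assumption of the demo."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def _encode(message, n):
    """Hash the message and pad it to the modulus length (PKCS#1 v1.5-like shape)."""
    k = (n.bit_length() + 7) // 8
    h = hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (k - len(h) - 3) + b"\x00" + h
    return int.from_bytes(padded, "big")


def sign(private_key, message):
    n, d = private_key
    return pow(_encode(message, n), d, n)


def verify(public_key, message, signature):
    """True iff the signature was made with the private key matching public_key
    over exactly this message. It says nothing about WHO holds that private key."""
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == _encode(message, n)


def demonstrate():
    """Run the scenario from the thread with constructed messages; return the checks."""
    customer_pub, customer_priv = generate_keypair()
    attacker_pub, attacker_priv = generate_keypair()

    accepted = b"I accept your quoted price of 1000 for job 42"  # constructed text
    sig = sign(customer_priv, accepted)

    # An attacker who cannot get the customer's public key into your hands signs
    # a different message with their own key and offers their own public key.
    forged = b"I accept your quoted price of 500 for job 42"
    forged_sig = sign(attacker_priv, forged)

    return {
        # Genuine message, trusted copy of the customer's public key: verifies.
        "genuine_verifies": verify(customer_pub, accepted, sig),
        # Any alteration after signing breaks the signature.
        "tampered_fails": not verify(customer_pub, accepted.replace(b"1000", b"10"), sig),
        # Forgery does not verify under the customer's real public key...
        "forgery_fails_under_real_key": not verify(customer_pub, forged, forged_sig),
        # ...but verifies under the attacker's key: if you accepted that key as
        # "the customer's", verification succeeds yet proves nothing about the customer.
        "forgery_verifies_under_substituted_key": verify(attacker_pub, forged, forged_sig),
        # Anyone who learns the private key signs exactly as the customer would.
        "leaked_key_verifies": verify(customer_pub, forged, sign(customer_priv, forged)),
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check}: {ok}")
```

The two results worth dwelling on are the last two: a signature that verifies under a substituted public key is indistinguishable from a genuine one, which is why the trustworthy copy of the signer's key (key signing, certification, or a legal registration framework) carries all the weight, and a leaked private key lets its new holder produce signatures the mathematics alone cannot tell apart from the owner's.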