PaulDotCom mailing list archives
Technical challenge, or am I missing something...
From: softreset64738 at gmail.com (Soft Reset)
Date: Tue, 13 Oct 2009 11:37:27 -0700
Ok, something to (hopefully) challenge you with: I often send email digitally signed so that receivers can not modify the message and claim I wrote it (the modified version). However, if I do that, what is stopping the receiver from claiming "they never got it" and I'm falsifying the email in the first place? If I include the date in the signed message, they can still claim I put *any* date I wanted in there. For clarity, consider this scenario: Dan writes and signs the following message and sends it to Tracy on Jan 1, 2009: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Tracy, today is January 1, 2009 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkoOqzMACgkQ3GktKdDXU7up4QCglGa6gjD8MX3Gytushc65cVkA IJkAniZ3hQ1WyC0SbecPJRKY9xeSsHTA =KqXV -----END PGP SIGNATURE----- Dan then tells the boss, "I sent the email to Tracy." Tracy claims, "I never got any such email. He probably just made the email, faked the date and then signed it to make it look legit. He's lying!" ==================== Assuming the mail server administrators have no sense of logging or auditing, what can Dan do to provide "proof" of sending? Thanks again everyone! --SR6 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091013/f6c68492/attachment.htm
Current thread:
- Technical challenge, or am I missing something... Soft Reset (Oct 13)
- Technical challenge, or am I missing something... Chris Merkel (Oct 13)
- Technical challenge, or am I missing something... d4ncingd4n at gmail.com (Oct 13)
- Technical challenge, or am I missing something... Vincent Lape (Oct 13)
- Technical challenge, or am I missing something... John Strand (Oct 13)