Technical challenge, or am I missing something...

[strandjs at gmail.com (John Strand)]

Check out confoo.

If the email is HTML you can create collisions in the MD5 version of gpg for
signatures.

http://www.doxpara.com/research/md5/*confoo*.*pl*

On Tue, Oct 13, 2009 at 7:42 PM, Vincent Lape <vlape at me.com> wrote:

> For electronic sigs i use USPS EPM (US Post Office Electronic
> Postmark). Its pretty easy to configure and is not all that expensive.
> You do have to pay per sig (kinda like buying a stamp) however you can
> see a history of the "signatures" purchased. You can get over the
> whole "he faked the date" thing because the signature includes date
> and time the signature was applied.
>
> take a peek at http://www.usps.com/electronicpostmark/welcome.htm and
> http://office.microsoft.com/en-us/help/HA010971711033.aspx
>
> Hope this helps
> On Oct 13, 2009, at 11:37 AM, Soft Reset wrote:
>
> > Ok, something to (hopefully) challenge you with:
> >
> > I often send email digitally signed so that receivers can not modify
> > the message and claim I wrote it (the modified version).  However,
> > if I do that, what is stopping the receiver from claiming "they
> > never got it" and I'm falsifying the email in the first place?  If I
> > include the date in the signed message, they can still claim I put
> > *any* date I wanted in there.
> >
> > For clarity, consider this scenario:
> >
> > Dan writes and signs the following message and sends it to Tracy on
> > Jan 1, 2009:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Hello Tracy, today is January 1, 2009
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.9 (GNU/Linux)
> >
> > iEYEARECAAYFAkoOqzMACgkQ3GktKdDXU7up4QCglGa6gjD8MX3Gytushc65cVkA
> > IJkAniZ3hQ1WyC0SbecPJRKY9xeSsHTA
> > =KqXV
> > -----END PGP SIGNATURE-----
> >
> > Dan then tells the boss, "I sent the email to Tracy."
> >
> > Tracy claims, "I never got any such email.  He probably just made
> > the email, faked the date and then signed it to make it look legit.
> > He's lying!"
> >
> >
> > ====================
> >
> > Assuming the mail server administrators have no sense of logging or
> > auditing, what can Dan do to provide "proof" of sending?
> >
> > Thanks again everyone!
> >
> > --SR6
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091013/27af3363/attachment.htm