At 1:12 PM -0700 8/31/00, Eric Murray wrote:
>
>A small note: IW digitally-signing the releases would not
>have made a difference in this case--  the guy used his knowledge
>of IW's procedures to social-engineer IW into accepting the
>fake release without doing their usual checking procedures.

The system I envision would mean each chunk of text ("press release") 
would carry a digital sig, which could be checked multiple times. 
Hard for social engineering to get past the fact that Emulex, say, 
had not digitally signed their own alleged press release.

The signatures could be part of the distribution to the world, or 
with a short version and then a "full version, with signature" 
available a click away.

Further, in a Web world there is no particular reason why a PR 
newswire service would _ever_ exist except to provide URL pointers to 
company PR sites. For example, a service could say "See Emulex web 
site at blah blah for news."

(News services still have some role, of course.)


>
>When/if we do ever have the common use of digitally-signed PR, documents
>etc, I wonder how much people will be fooled into thinking that the
>contents must be correct, because after all, they're signed?
>

What such a signature on an alleged press release from Emulex means 
is that someone with access to the Emulex signing key attached the 
signature. This is all a digital signature can _ever_ mean.


--Tim May

-- 
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
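
Added example, not part of the original message: a minimal Go sketch of the per-release signature check described above, which the wire service, a news desk or any reader can repeat against a key pinned for the claimed issuer. Ed25519, the function names, the demo keys and the release texts are assumptions chosen for illustration; the message names no algorithm or key-distribution method.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Release is a press release as distributed (added example; all values constructed).
type Release struct {
	Issuer    string // company the release claims to come from
	Text, Sig []byte // release text and its detached signature
}
var ErrUnknownIssuer = errors.New("no pinned key for claimed issuer")
var ErrBadSignature = errors.New("not signed by the claimed issuer's key")

// DemoKey derives a deterministic key pair from one byte (demo only, never for real keys).
func DemoKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// Pin builds the checker's trust store: issuer name -> public key obtained out of band.
func Pin(issuer string, priv ed25519.PrivateKey) map[string]ed25519.PublicKey {
	return map[string]ed25519.PublicKey{issuer: priv.Public().(ed25519.PublicKey)}
}

// Sign is what the issuer runs before handing the text to any wire service.
func Sign(priv ed25519.PrivateKey, issuer, text string) Release {
	return Release{Issuer: issuer, Text: []byte(text), Sig: ed25519.Sign(priv, []byte(text))}
}

// Verify returns nil only if a holder of the pinned key signed these exact bytes.
// It says nothing about whether the contents are true.
func Verify(pinned map[string]ed25519.PublicKey, r Release) error {
	pub, ok := pinned[r.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, r.Text, r.Sig) { // also false for a missing signature
		return ErrBadSignature
	}
	return nil
}

func main() {
	pinned := Pin("Emulex", DemoKey(1))
	fmt.Println(Verify(pinned, Sign(DemoKey(1), "Emulex", "Quarterly results attached.")))
	fmt.Println(Verify(pinned, Sign(DemoKey(2), "Emulex", "Earnings restated."))) // wrong key
}
```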
