February 01, 2003
Challenge and Response
Is there a way to sign items in RSS feeds or HTML pages such that something that cared could challenge the authenticity of it? This is a rhetorical question as there isn't one... yet.
I ask this because the same sort of challenge-response mechanism could be used as a way for someone to control the presence of their items in a place like an index or an archive. If you wanted an item taken out of an archive, how would you do it? If the original has a signature that only you could create then it could be used as a means for you to later affect its existence. This is a problem that has long plagued Usenet (cancel posts). There's not a good way for the various systems to interact in an automatic fashion.
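One way an archive could honor such a removal request automatically, as an added example that is not from the original post: each item is published with a hash commitment (a "lock"), and only the author can later reveal the matching key. The hash commitment stands in for the public-key signature the post has in mind; `cancel_key`, `cancel_lock`, `Archive` and the sample GUIDs and secrets are hypothetical names and constructed values.

```python
import base64
import hashlib
import hmac

def cancel_key(owner_secret: bytes, guid: str) -> str:
    """Per-item key; only the holder of owner_secret can derive it."""
    mac = hmac.new(owner_secret, guid.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def cancel_lock(key: str) -> str:
    """Public commitment to the key, published alongside the item."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

class Archive:
    """Hypothetical archive that keeps each item with the lock it carried."""
    def __init__(self):
        self.items = {}  # guid -> (content, lock)

    def ingest(self, guid, content, lock):
        # First copy wins, so a later re-submission cannot swap in a new lock.
        self.items.setdefault(guid, (content, lock))

    def request_removal(self, guid, presented_key):
        entry = self.items.get(guid)
        if entry is None:
            return False
        try:
            candidate = cancel_lock(presented_key)
        except UnicodeEncodeError:
            return False  # a genuine key is always ASCII base64
        if not hmac.compare_digest(candidate, entry[1]):
            return False  # key does not open this item's lock
        del self.items[guid]
        return True

def demo():
    secret = b"constructed-owner-secret"  # constructed sample value
    g1, g2 = "tag:example.org,2003:item-1", "tag:example.org,2003:item-2"
    archive = Archive()
    for guid in (g1, g2):
        archive.ingest(guid, "body of " + guid, cancel_lock(cancel_key(secret, guid)))
    forged = archive.request_removal(g1, cancel_key(b"wrong-secret", g1))
    crossed = archive.request_removal(g1, cancel_key(secret, g2))  # key for another item
    genuine = archive.request_removal(g1, cancel_key(secret, g1))
    return forged, crossed, genuine, sorted(archive.items)

if __name__ == "__main__":
    print(demo())
```

Revealing the key spends it, which is acceptable here because the only thing it authorizes is removal of that one item.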
Dear Bill,
I encountered this site, and it is my first time writing a comment...
I believe that this is a very important issue. All information can have the identity where it belongs. I have been working on PKI and security systems over several years. From that experience, I would say that a very simple solution is desirable, such as an email signature like PGP, or S/MIME for email blog.
This issue includes ownership, which means that you have to prove the binding between your identity and its signature. This leads to the concept of the digital signature certificate. When you import the concept of a certificate, the system often becomes complex.
I would suggest that you may need to think about the security domain where your authenticity and ownership should be applied. If your ownership should have a legal effect in court, probably the X.509 certificate is the way to go, along with the digital signature legislation in each country. However if not, PGP is probably enough.
Since this is very interesting, but I am new to this area, I will take a look at this world first and comment on it again.
-Kiyoshi
Kiyoshi Watanabe
I speak only for myself, not my company nor my organization.
Thank you for the comment.
I agree with you. For most situations using PGP is probably enough. For others, using 'real' certificates like X509 is much more authoritative.
What we have to do is get people started on the idea of USING a signature at all. Right now there's very poor support for easy use of signatures. It's getting better but it's still nowhere near as automatic as it needs to be.
Posted by: Bill Kearney on February 8, 2003 12:12 PM






