Message Signatures
======== 5. Message Signatures ========

5.1. What is message signing?

Let's imagine that you received a letter in the mail from someone you know named John Smith. How do you know that John was really the person who sent you the letter, and not someone else who simply forged his name?

With PGP, it is possible to apply a digital signature to a message that is impossible to forge. If you already have a trusted copy of John's public encryption key, you can use it to check the signature on the message. It would be impossible for anybody but John to have created the signature, since he is the only person with access to the secret key necessary to create it. In addition, if anybody has tampered with an otherwise valid message, the digital signature will detect the fact. It protects the entire message.

========
5.2. How do I sign a message while still leaving it readable?

Sometimes you are not interested in keeping the contents of a message secret; you only want to make sure that nobody tampers with it, and to allow others to verify that the message is really from you. For this, you can use clear signing. Clear signing only works on text files; it will NOT work on binary files. The command format is:

    pgp -sat +clearsig=on

The output file will contain your original unmodified text, along with section headers and an armored PGP signature. In this case, PGP is not required to read the file, only to verify the signature.

========
5.3. Can't you just forge a signature by copying the signature block to another message?

No. The reason for this is that the signature contains information (called a "message digest" or a "one-way hash") about the message it's signing. When the signature check is made, the message digest of the message is calculated and compared with the one stored in the encrypted signature block. If they don't match, PGP reports that the signature is bad.

========
5.4. Are PGP signatures legally binding?

It's still too early to tell.

At least one company is using PGP digital signatures on contracts to provide "quick agreement" via E-mail, allowing work to proceed without having to wait for the paper signature. Two USA states (Utah and Wyoming) have recently passed laws giving digital signatures binding force for certain kinds of transactions. The Wyoming law is available from:

    gopher://ferret.state.wy.us/00/wgov/lb/1995session/BILLS/1995/1995enr/House_Bills/HEA0072

(whew!)

This non-lawyerly mind sees two questions which need to be considered. First, a "signature" is nothing more than an agreement to a contract; verbal "signatures" have been upheld before in court. It would seem that, if such a dispute were to arise, a valid digital signature could be seen as evidence that such an agreement was made. Second, PGP keys are much easier to compromise than a person's handwritten signature, so their evidential value will by necessity be less.
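To show concretely why the digest check in 5.3 defeats copying a signature block, and what the clear-signed layout of 5.2 looks like, here is an added example that is not part of this FAQ or of PGP itself: a textbook RSA signature over a SHA-256 digest, using two well-known Mersenne primes as an illustrative key (real keys use large random secret primes) inside a simplified envelope modelled on PGP's clear-signed layout (no Hash: header, dash-escaping or CRC).

```python
import base64
import hashlib

# Illustrative key built from two well-known Mersenne primes.  They are public,
# so this key proves nothing; real keys use large random secret primes.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                                  # public exponent, part of the public key
D = pow(E, -1, (P - 1) * (Q - 1))          # secret exponent, known only to the signer

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def digest(text):
    """The 'message digest' (one-way hash) of the text being signed."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")


def clearsign(text):
    """Leave the text readable and append an armored signature over its digest."""
    sig = pow(digest(text), D, N)          # only the holder of D can produce this
    raw = sig.to_bytes((N.bit_length() + 7) // 8, "big")
    armored = base64.b64encode(raw).decode()
    return "\n".join([BEGIN_MSG, "", text, BEGIN_SIG, "", armored, END_SIG])


def split_clearsigned(signed):
    """Separate the readable text from the signature value in the block."""
    lines = signed.split("\n")
    text = "\n".join(lines[lines.index(BEGIN_MSG) + 2 : lines.index(BEGIN_SIG)])
    armored = "".join(lines[lines.index(BEGIN_SIG) + 2 : lines.index(END_SIG)])
    return text, int.from_bytes(base64.b64decode(armored), "big")


def verify(signed):
    """Recompute the digest of the text and compare it with the digest
    recovered from the signature using the public key (E, N)."""
    text, sig = split_clearsigned(signed)
    return pow(sig, E, N) == digest(text)


def reuse_signature_block(signed, new_text):
    """The scenario from 5.3: the original signature block pasted under
    different text.  The digests no longer match, so verify() reports bad."""
    _, sig_part = signed.split(BEGIN_SIG)
    return "\n".join([BEGIN_MSG, "", new_text, BEGIN_SIG + sig_part])


if __name__ == "__main__":
    original = clearsign("I agree to pay John Smith $10 for the book.")
    print("original verifies:", verify(original))                    # True
    moved = reuse_signature_block(original, "I agree to pay John Smith $1000.")
    print("copied signature verifies:", verify(moved))               # False
```

Any change to the text, even one character, changes the recomputed digest and makes the same signature fail, which is the "tamper detection" property described in 5.1.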