jik@athena.mit.edu (Jonathan I. Kamens) (08/30/90)
(Note the cross-posting and followup-to line. This conversation at this point has very little to do with EFF, and much to do with cryptography, so it really belongs in sci.crypt. I suggest we confine discussions of how cryptography relates to the EFF in general to comp.org.eff.talk, and discussions of how PEM and other encryption schemes work to sci.crypt.)

In article <2994@mindlink.UUCP>, a577@mindlink.UUCP (Curt Sampson) writes:

|> Your ideas to eliminate directories strike me as very good ones. I'll
|> definitely keep them in mind.

They're not my ideas, they're the ideas of the people who designed PEM (see RFCs 1113, 1114 and 1115). But thanks for the credit anyway :-).

|> Keep in mind that if I had signed a contract a year ago and then
|> made public my private key so that I could claim that I hadn't signed it, it
|> would enable *anyone* to read *any* of my correspondence for the past year.

This is only true if they actually have read access to the correspondence. Personally, I don't keep any of my mail world-readable, so this wouldn't be a problem for me, and if you are sending sensitive information over the mail, I would suggest that you print it out and then delete your on-line copies as soon as possible. So this isn't really much of a problem.

|> It would also
|> enable people who had signed contracts with me to claim that anything I had
|> allegedly signed might be forged.

Not really, if you say, "I just discovered that my private key was accidentally made public on <insert date here>. Anything signed with my key on or after that date may not have actually been signed by me. However, I am certain that anything signed with my key before that date was definitely done by my own hand."

In any case, contracts are almost certainly going to end up being valid unless proven otherwise, so it's not going to be, "Well, my private key was leaked, so *everything* signed with it is invalid." That's like saying, "Someone forged my signature on one contract, so all the contracts with my signature on them are forged."

|> As was also pointed out, if you multiply two primes together to get your public
|> key, *both* primes make up the private key, not just one of them.

Kpub = P1 * P2. If Kpriv = P1, then you can derive P2 = Kpub / Kpriv. Therefore, the only information *required* in the private key is one of the two primes. The other prime may be preserved for efficiency reasons, but it is not required. That was my point.

Jonathan Kamens                 USnail:
MIT Project Athena              11 Ashford Terrace
jik@Athena.MIT.EDU              Allston, MA 02134
Office: 617-253-8495            Home: 617-782-0710
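
The closing point about one prime being sufficient, worked through as an added example that is not part of the original post: given the modulus and a single prime, the second prime, the private exponent and the speed-up values that motivate storing both primes can all be recomputed. It assumes the public exponent e is published alongside the modulus; the function names and the toy key are constructed for illustration.

```python
# Added illustration, not from the original post. Function names and the toy
# key (p=61, q=53, e=17) are constructed; real RSA primes are far larger.
from math import gcd


def private_key_from_one_prime(n: int, e: int, p: int) -> dict:
    """Rebuild the full RSA private key from (n, e) and one prime factor p."""
    if p <= 1 or p >= n or n % p != 0:
        raise ValueError("p is not a proper factor of n")
    q = n // p                       # P2 = Kpub / Kpriv, as in the post
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return {
        "p": p, "q": q, "d": d,
        # Values an implementation keeps when it stores both primes,
        # used only to speed up private-key operations via the CRT.
        "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p),
    }


def decrypt_plain(c: int, n: int, key: dict) -> int:
    """Textbook decryption using only d and n."""
    return pow(c, key["d"], n)


def decrypt_crt(c: int, key: dict) -> int:
    """Same result using both primes (two half-size exponentiations)."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


if __name__ == "__main__":
    n, e = 61 * 53, 17               # constructed toy public key
    key = private_key_from_one_prime(n, e, 61)
    c = pow(65, e, n)                # textbook (unpadded) encryption of 65
    print(key["q"], key["d"], decrypt_plain(c, n, key), decrypt_crt(c, key))
```

For key handling this means either prime has to be protected exactly like the private exponent, since each one yields the whole key.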