
I'm in the planning stage of an open-source credit clearing system, and my idea is to use GPG keys to sign IOUs. But I'm concerned that if Bob signs an IOU he emails to Alice, then later deletes his keys, creates a new keypair and uploads his new key to keyservers, he'll be able to plausibly deny ownership of the IOU. Is there some programmatic way of proving a key once belonged to the owner of the email account that sent the signed email? My google-fu is failing me on this one.

Update: "non-repudiation" is the word I was looking for. Still researching...

jcomeau_ictx
  • You will need to separate the concepts of identity and security. And no one user should be able to declare their own identity without peers acknowledging them as such. You might want to study the BitCoin architecture, it is pretty robust. – Perception Jun 29 '11 at 20:14
  • thanks, I've made an attempt with BitCoin but it's too complex for me. peer acknowledgement could be by other users of the system signing Bob's public key, correct? but that still wouldn't prevent him from deleting it would it? – jcomeau_ictx Jun 29 '11 at 20:19
  • This happens in "the real world" too. It's just a little more complex out here ;-) As such, there is no way to [entirely] prevent this problem, without establishing some form of proven trust *with* methods of ensuring accountability. –  Jun 29 '11 at 20:29
  • Yea BitCoin is very complicated. Before we go further though, are you planning on implementing/extending your own key server? – Perception Jun 29 '11 at 20:36
  • It doesn't prevent deletion, but it does mean that the signers can vouch for the older key being his; he loses plausible deniability... unless he can convince the signers to play along. That last is why real world systems are complex; before you try to invent your own system, do you know all the possible failure modes of your trust model? If not, use a known system. – geekosaur Jun 29 '11 at 20:57
  • sorry I haven't been responding, I've been a little luckier with google searching for "using public key to prove identity". haven't thought about implementing a keyserver. currently looking into the Gossamer Spider WOT. thanks for the ideas, I'll do some more studying. – jcomeau_ictx Jun 29 '11 at 21:03

1 Answer


Most of the time, non-repudiation is achieved with cryptographic time-stamps. A time-stamp is a proof of existence of a document at a given time and is issued by a trustworthy third party, which signs the document hash along with the time at which this document was submitted.

I do not know the GPG model very well, but there is probably something like a certificate which binds the public key to the key owner's identity. You have to time-stamp this certificate. Actually, you should also time-stamp a proof that Bob's key is not revoked. In X.509 this is achieved by time-stamping the current revocation list, which proves the "not revoked" status of the key.

Cryptographic time-stamps are standardized in RFC 3161.

More globally, you point out one of the numerous issues and complexities of advanced digital electronic signatures: non-repudiation, long-term validation, signature commitment rules... These are the main goals of the AdES standards (CAdES, XAdES and PAdES).

Jcs
  • I can use X509 if necessary. I still don't understand this fully but it's most likely what I was looking for. Thanks for the answer and the links. – jcomeau_ictx Aug 17 '11 at 03:36
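
The evidence bundle the answer describes, as an added example that is not part of the original answer: a simplified time-stamp token (not RFC 3161's ASN.1 format) binds the IOU signature, Bob's public key and a key-status snapshot to one point in time. Assumptions: every function name here is hypothetical, and a Lamport one-time signature stands in for the TSA's signature so the code runs on the Python standard library alone; checking the GPG signature itself is left to gpg.

```python
import hashlib
import secrets
import struct

def H(data):
    return hashlib.sha256(data).digest()

def imprint(*parts):
    """SHA-256 over length-prefixed parts, so part boundaries cannot be shifted."""
    h = hashlib.sha256()
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()

# Lamport one-time signature: an assumption of this example, standing in for
# the TSA's real signature. One key pair may sign exactly one token.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(digest):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]

def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(H(msg)))))

def tsa_issue(tsa_sk, message_imprint, gen_time):
    """The TSA signs imprint || time. It only ever sees the hash, not the IOU."""
    signed = message_imprint + struct.pack(">Q", gen_time)
    return {"imprint": message_imprint, "time": gen_time,
            "sig": lamport_sign(tsa_sk, signed)}

def verify_evidence(tsa_pk, token, iou_sig, signer_pubkey, key_status):
    """True only if exactly these three items were time-stamped together."""
    if imprint(iou_sig, signer_pubkey, key_status) != token["imprint"]:
        return False
    signed = token["imprint"] + struct.pack(">Q", token["time"])
    return lamport_verify(tsa_pk, signed, token["sig"])

if __name__ == "__main__":
    tsa_sk, tsa_pk = lamport_keygen()
    sig, key = b"constructed detached signature", b"constructed old public key"
    status = b"constructed status: not revoked"
    token = tsa_issue(tsa_sk, imprint(sig, key, status), 1309378440)
    print(verify_evidence(tsa_pk, token, sig, key, status))
    print(verify_evidence(tsa_pk, token, sig, b"replacement key", status))
```

Alice stores the token next to the signed IOU and the copy of Bob's key she verified it with; a key Bob uploads later does not match the imprint, so it cannot displace the one that was time-stamped.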