[advocacy] Re: 1.0 Release? / CHIP 01/2002

Beni Cherniavksy cben at techunix.technion.ac.il
Wed Dec 12 10:00:04 PST 2001 


On 2001-12-12, Moritz Grimm wrote:

> Daniel James wrote:
> > I still think we need to nail down the 'security' question. Could
> > there be an Ogg encoder with GnuPG support to vorbize and sign files
> > in one operation? Then we could pose the question to musicians 'does
> > the 'secure' format you are using allow you to personally sign your
> > internet releases, or does it just stop people from listening to it?'
> >
> > Let's assume there's a free for personal use/fee for commercial use
> > licence in place. Digital signing would offer a mechanism to make
> > sure the right person got the commercial fees.
> >
> > Take the case of Moby. One of his tunes, or something that sounded
> > just like it, got used in a car advert without permission and he sued
> > (and won). A signed file could help prove that a track was released
> > before a certain date (and by whom), even if it was never issued on
> > CD.
>
> I'd appreciate something like that. But I also have some questions:
>
> 1. What if I lose my key, maybe due to some hardware failure? Can I
> still prove that something is mine?
> 2. Will it be easy to remove a signature? Imagine someone removing a
> sig, setting the date of his computer back to something else, and then
> resigning the tune. This person should not be able to make my tune his
> or hers that way.
> 3. Copyprotection in software is a laughable challenge to intelligent
> black-hats. The digital signature should be designed in a way that even
> black-hat ethics would be against writing tools to remove them. Is that
> possible or plainly naive?
> 4. Do we have the people that figure out whether such a signature would
> be watertight in court, at least in Europe and the US?
>
The only way this can reliably work is by having a trusted third party
store the signature.  Doing any signing in an encoder running on your
computer can maybe prove that it's yours (still breakable) but not the
time of it's creation.  You must involve a remote computer whose clock is
trusted.  One way, surely feasible, is to send him the file (or its
fingerprint) and have it store and/or confirm (with its signature) the
fact that you had this file at a given time.


-- 
Beni Cherniavsky <cben at tx.technion.ac.il>
                 (also scben at t2 in Technion)

--- >8 ----
List archives:  http://www.xiph.org/archives/
To unsubscribe from this list, send a message to 'advocacy-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.

More information about the Advocacy mailing list