XFDL: The Extensible Forms Description Language

The Digital Signature Problem

For a technology to offer digital signatures on transaction records is not enough. To see why, consider the purpose of digital signatures. The typical text-book formulation for the digital signature algorithm states that a signature S for a message M is formed by the function Encrypt(hash(M), PrivateKey), and that verification of signature S is formed by testing the equality of hash(M) and Decrypt(S, PublicKey). The hash() function must be a mathematically sound method of measuring change in M. Actually, one well-known shortcoming in this formulation is that the security it offers is dependent upon the reliability of the method for delivering the public key to the verification phase. Public Key Infrastructures (PKIs) are one method of solving this problem, and its seriousness may be measured by the current enormity of the PKI industry. There is another problem, equally important, at the opposite end of the formulation above -- during signing.

Consider this question: Why is the signer signing M? The signer of M is not an island. The signer affixes a signature only when it is necessary to give M to another party -- the verifier. Because M has a source and a destination, it is essentially a transaction record. The nature of the transaction must be important to the parties or there would be no need for a signature. The digital signature authenticates both the message content and the message signer, but what if the message does not contain sufficient information to capture the nature of the transaction? You expect the digital signature to offer nonrepudiation of the transaction, but this is only satisfied by nonrepudiation of M to the extent that M completely represents the transaction.