Public Pastes
daily pastebin goal
48%
SHARE
TWEET

Untitled

a guest Mar 4th, 2012 30 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. PGP keys can be used to sign any logical assertion. These statements can therefore burnish, or damage your reputation. By collecting these statements you can learn both about the world around you, and about the validity, or invalidity of different keys. Once you know which keys reliably sign truthful, logical statements thare are useful to you, you know who to trust.
  2.  
  3. When we're born we have neither a key, nor a collection of signatures. We simply implicitly trust anyone who we can't personally verify is untrustworthy. So if your parents say don't touch the hot iron, you can verify this is true, hopefully by testing with a doll and not your hand, and if your parents say Santa Claus comes once a year to deliver presents to good little boys and girls, you can verify this by staying up late to meet Santa. The people you trust initially you may not continue to trust, but as you learn about how and when they are trustworthy, you can live a better life by understanding what is implied in the statements that they make.
  4.  
  5. The problem comes once people start impersonating each other. When a salesman knocks on your door, how do you know it's a salesman and not something urgent? By impersonating someone urgent, so urgent as to physically knock on your door, the salesman attempts to fool you into trusting him or her. They might after all be trustworthy, but this is a method to acquire trust without earning it, that is, to get you to make a bad decision for yourself. The problem of impersonation becomes compounded once you start engaging in indirect relations. Suppose you meet someone you've never seen before, but he swears your mother told you to come with him and get in his van. He's impersonating your mother in this case, but indirectly, by claiming your mother claimed something that she did not.
  6.  
  7. If you know the person speaking in behalf of your mother, and you know this guy is totally legit, then he can speak for your mother even when she's not there. But perhaps you've forgotten this person, or perhaps you didn't have time to earn most intimate trust with them. In such cases, you can't tell the difference between an impostor, and someone legitimately taking you to your endangered mother in his van. The only thing you can do in this case is to actually go to your mother and ask her directly, something you may not be in a position to do. Indirect trust, in this case, seems impossible.
  8.  
  9. Enter digital signatures. What if you could find a method that you could verify yourself, by which someone could sign a statement, and unlike pen and pencil signatures, it is not only easily verified, but if the document being signed is tampered with at all or modified, then the signature no longer verifies. That is to say, you can run a program, and this program will only return "Valid" if the signature is from who you expect, and if the message has not been modified since they tampered with it.
  10.  
  11. Furthermore, let's say these signatures are all verified with a special "public" key, a seemingly random number that when paired with a correct signature, will be able to verify it.
  12.  
  13. Now you can positively assert that it's safe to get in this guy's van. What your mother does is make sure you have her public key when you leave for school. Then, when she is in trouble and needs to enlist the aid of a trusted friend, whom you don't know, who has a van, here's what she does. She signs a statement saying "This guy is legit." But which guy is "this guy?" She makes sure to add the number for his own public key in the statement. "This guy (123456444) is legit."
  14.  
  15. Now you can both verify that it's your mother's statement, and that it's about this strange guy with the rusty van. What you do is you craft a challenge, so just pick a number between 1 and 10 let's say. Let's say you pick 6. Then what the guy must do is sign the number 6 (realistically challenges are much harder to guess all possible answers). Keep in mind the guy does not use his public key to sign the statement. I haven't said how he signs it, only that he can, and it obeys the above properties.
  16.  
  17. So you already have your mother's key. She's not here right now, but she was personally there to hand you her public key earlier. You take her key and compare it with the signature of the statement "This guy (123456444) is legit." Once her signature checks out, you can be sure she was actually in the presence of this statement, and actually signed it. So whoever can sign stuff for key 123456444 is "legit".
  18.  
  19. That's what the challenge is for. Once the guy signs your challenge and gives you the response, you can compare it with the public key 123456444. As with what I said above, his signature will only prove valid for that public key if it is his public key. This might seem outlandish, but it is in fact very feasible for many application. By validating his signature of your challenge, you verify that he controls the key 123456444. By controlling that key, he is entitled to whatever your mother claims in her statement about that key. Of course, remember what your mother said about Santa Claus, so she might not be correct, or might even be lying! But checking her statement against her public key, and making sure the guy has the public key she refers to, it's as good as if she were right there next to you saying "This guy is totally legit."
  20.  
  21. The way to create these signatures, which only verify via one single unique public key, and cannot be created by anyone other than the person who controls them, by the person who is them, is called private keys. A private key is another seemingly random number, but unlike the public key you never share it with anyone. In fact this private key might be the most carefully guarded secret you ever have! What you can do with this private key is create signatures which verify with the public key. No other method can be used to create these signatures. If you look at the math it would take a zillion CPU cycles to forge one of these signatures without first having the private key. But with the public key, whether it is a correct signature, or just a random sequence of bytes, can quickly and easily be verified. They call that asymmetric cryptography cryptography because it's deliberately hard to decode (and forge) signatures, and asymmetric because it's easy to validate existing signatures, easy for a computer at least!
  22.  
  23. The problem of a private key being stolen can be managed with temporary private keys, which stop working after a day, or with legal identities, which stop working once the government is after you (they're after you, by the way), or by pass phrase protection, which is only as good as the complexity of a phrase you can memorize. No solution is perfect to protect your private key, but it's a hell of a lot more secure than just trusting some guy who told you your mother wants you to get in his van. You can do things like build relationships without needing to be physically present, or learning things about people you don't know. Plus the longer a private key has not been stolen, the more assured you can be that it's difficult to steal, so like in any friendship, the friendships you make with digital signatures improve with age.
  24.  
  25. In particular, you can sign receipts, for when someone does something good for you. Let's say I fix your plumbing, and you digitally sign a statement saying I did it, free of charge. What does that statement represent? Well, it represents that I've done something good for you, and people should pay close attention to statements like that. By analyzing the statements signed about me, you can make a prediction as to whether I will in the future be helpful or not. That is in fact the exact thing that money does! The whole idea about money is that if I have money, then it is a sort of a record of how benevolent I was in the past, so you can offer me products and services without fear that I won't reciprocate in some way, some time in the future. In fact, if you look at dollar bills, you can see the phrase "Federal Reserve Note". These bills are in fact signed statements from the Federal Reserve saying "Whoever holds this is totally legit."
  26.  
  27. You might notice some problems with money here. First it's not a digital signature, so what if people copy it? It's very expensive, and takes a lot of imprisonment and police brutality to prevent people from doing so in fact. Digital signatures need no such enforcement because they quite simply cannot be forged. Another problem with money is that you have to give it away. If you work for 40 hours and make yourself a paycheck, then spend that paycheck, what happened to those 40 hours you worked? Sure you might have spent them on something, some good or service, and now you have stuff, but that stuff proves nothing. Wouldn't it be better if you just kept all the money you made, and simply compared who has more to see if you give something to them, or if they give something to you? A third problem with money is, if it weren't obvious, they're all statements by the Federal Reserve. Do you know who works at the Federal Reserve? Do you know who decides who gets the statements? Do you trust these people, like you would trust your own mother? When your boss gives you money in exchange for work, you can't rely on your boss to back these statements up. Even if your boss wants to help you, the only person allowed to make these "money" statements is not him, nor his boss, nor his banker, nor his banker's banker. Only the person running the Fed can make that decision ultimately. Some creep named Bernancke I think. Does he always make decisions for the good of others, and not to help his friends? Why should he? And if he doesn't, how trustworthy then is money? Maybe if he was your friend, but he doesn't make friends easily, if you ever noticed.
  28.  
  29. And the fourth problem with money is that money is not issued to someone in particular. The statement "Whoever holds this is totally legit." can be stolen. With digital signatures, only private keys can be stolen, but with money every single statement can be stolen, the ones you're required to carry around in your wallet, in order to purchase stuff at the store! Cheques are an attempt to deal with this, but even they are quite inferior. They aren't digitally signed, so people can forge them. They aren't verified by the bank, so they can let the checks bounce and charge you exhorbitant fees. To verify a signature reliably is an expensive forensics operation, which never produces an answer with 100% reliability. Do you sign every cheque the same way every time? How's a store clerk supposed to verify that your check was signed right, before letting you walk out the store with that new kickass boombox?
  30.  
  31. Digital signatures have none of these problems, not a single one. Sure your private key could be stolen, but with money your private key already is stolen, and being held by a crook named Ben Bernancke who tells you that you're still supposed to use it even though it's worthless. Besides that, digital signatures cannot be forged, can easily be verified, can be issued not just to someone's legal name, but to their own unique key identity, something they need no government or centralized bureaucracy to prevent anyone from impersonating. Really they're superior to money in every way. So that's why I encourage the use of digital signatures, to sign receipts of acts done in benevolence. Sure you can sign legal identities if you like, but by signing receipts, every signed receipt you have is better than money. In economic crises which seem to pop up with more and more regularity, your signed receipts will still be a reliable record of whether you are a crook or a saint or anywhere in between, and you can use that to survive despite the sad people walking around with wheelbarrows full of dollar bills.
RAW Paste Data
Pastebin PRO WINTER Special!
Get 40% OFF Pastebin PRO accounts!
Top