You need a trusted third party. Someone who also can attest that they have a copy of the checksum (or the data) that can stand up and be a sworn witness if necessary. Tricks like the old "print a hash in the New York Times" are a way of essentially bootstrapping thousands of trusted third parties.

Legal issues, at present, always boil down to trust. Evidence is not "proof" because actual proof is very, very hard to come by. Remember, you can't prove a negative and it's really hard to prove a positive. Legal guilt and innocence depend on how well you can create a version of reality that a jury accepts. Some juries might find a log with a detached checksum to be more "real" but others would just get confused by the whole idea of checksums. Some juries would totally comprehend the idea of "we send a copy of our logs to bob, who keeps them safe and has no vested interest in their contents."

It's all about how vivid a story you can tell. Personally, if I EVER had to deal with a jury I would avoid mentioning ANYTHING that had to do with encryption because it's simply too darned geeky and juries get skittish about geeky stuff like DNA evidence, encryption, and glove sizes.

mjr.

>> I may be showing my ignorance here, but can someone explain to me how
>> checksums *by themselves* actually "prove" the data hasn't been tampered
>> with?

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Apr 07 2003 - 12:38:04 PDT
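
An added illustration, not part of the original message, of the point made in the reply: a checksum kept beside the log can be recomputed by whoever changes the log, while a digest already held by a disinterested third party cannot. The `Witness` class, the label and the log lines are constructed for this example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Witness:
    """Stand-in for the third party ("bob"): keeps the first digest deposited
    under each label and never lets the depositor replace it."""

    def __init__(self):
        self._held = {}

    def deposit(self, label: str, digest: str) -> bool:
        if label in self._held:
            return False  # an existing record is never overwritten
        self._held[label] = digest
        return True

    def matches(self, label: str, data: bytes) -> bool:
        held = self._held.get(label)
        return held is not None and hmac.compare_digest(held, sha256_hex(data))


def local_check(data: bytes, stored_digest: str) -> bool:
    """Verify a log against the checksum stored next to it."""
    return hmac.compare_digest(stored_digest, sha256_hex(data))


def demo() -> dict:
    label = "auth.log/2003-04-07"  # constructed label
    original = (b"Apr 07 12:01:10 host sshd[411]: Accepted password for alice\n"
                b"Apr 07 12:03:42 host sshd[411]: session closed for alice\n")
    witness = Witness()
    local_digest = sha256_hex(original)      # checksum kept beside the log
    witness.deposit(label, local_digest)     # copy sent to the third party

    # Later the log is changed, and the checksum beside it is regenerated too.
    altered = original.replace(b"alice", b"carol")
    local_digest = sha256_hex(altered)
    redeposit = witness.deposit(label, local_digest)

    return {
        "local_check_on_altered": local_check(altered, local_digest),
        "witness_check_on_altered": witness.matches(label, altered),
        "witness_check_on_original": witness.matches(label, original),
        "redeposit_accepted": redeposit,
    }
```

The local check passes on the altered log because both files changed together; only the comparison against the witness's record shows the difference.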