19 December 1999


Date: Mon, 13 Dec 1999 12:57:32 +0000
From: Pete Chown <Pete.Chown@skygate.co.uk>
To: UK Crypto <ukcrypto@maillist.ox.ac.uk>
Subject: Stephen Byers Electronic Signature

The Stephen Byers message [below] was interesting cryptographically because the security of the system depended on two keys.  The first was Stephen Byers' own key, while the second was the key of the web server on which you could verify the message.  If the web server could be compromised, it could claim that messages were signed by Stephen Byers even though they were not.

As it happened, we managed to do exactly this.  There was a page on the web server that would display Stephen Byers' message. Unfortunately this web page would display *any* message, not just one which was fed to it by the other pages on the same site.

We played around with this, and before long Stephen Byers had "said" that he disagreed with the GAK provisions in the RIP Bill.  At the bottom of the message we put the TrustWise logo, and if you clicked on it it would tell you that the site was genuine.  Of course, because it really was the demo-trustwise site, the certificate had the right name in as well.

A little while after this we had a phone call from BT, and they talked about their trademark rights in the TrustWise logo, and various other things, so we had to take the demonstration off our web site.

However, you can still get more information at:

http://www.skygate.co.uk/trustwise.html

- and -

http://www.skygate.co.uk/press.html

(The functionality to view Stephen Byers' message has now been removed from the BT site, which closes the security hole.)

----------------------------------------------------------------------
      phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post:
  Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ


[Thanks to Anonymous]

[Declaration was electronically signed by The Rt Hon Stephen Byers MP, Secretary of State for Trade and Industry, at an event organised by InterForum and the Financial Times on 7th December 1999.]

Stephen Byers Electronic Signature

FINANCIAL TIMES / INTERFORUM EVENT 7 DECEMBER DECLARATION BY SECRETARY OF STATE

Whether you are reading this on paper or on the internet, you are reading the same words and receiving the same information.

The Internet provides a way of dramatically increasing the civil liberties of the citizen. For this reason I am opposed to the GAK provisions in the RIP Bill.

This declaration was electronically signed by The Rt Hon Stephen Byers MP, Secretary of State for Trade and Industry, at an event organised by InterForum and the Financial Times on 7th December 1999.

To verify the signature, click the wax seal at the top of the page.

A page similar to this resided on the Skygate site. When users clicked on the wax seal, they were taken to the BT TrustWise site.

The page users were taken to was supposed to be used as part of the verification process. Obviously when you were verifying the Stephen Byers signature, you didn't just want to know that the signature was valid. You also needed to know that you were verifying the signature on the document you thought you were.

To this end, BT provided a page that displayed the Stephen Byers statement. Unfortunately, however, it got the content of the statement from an HTML form on the previous page. Skygate wrote a page of their own which had an HTML form on it; click on the wax seal to see what happened...
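The design flaw described above, shown beside a verification page that binds the displayed text to the signed content. This is an added example, not code from the BT or Skygate sites: the function names are hypothetical, the statement is a constructed stand-in, and the signature check is assumed to yield a SHA-256 digest of the signed text.

```python
import hashlib
import hmac
from html import escape

# Constructed stand-in for the statement that was actually signed.
SIGNED_STATEMENT = (
    "Whether you are reading this on paper or on the internet, you are "
    "reading the same words and receiving the same information."
)
# Assumption: verifying the signature yields the digest of the signed text.
# A real service would recover this from the signature and certificate.
SIGNED_DIGEST = hashlib.sha256(SIGNED_STATEMENT.encode("utf-8")).digest()


def render_unbound(form_text: str) -> str:
    """Flawed design: the page shows whatever the previous form supplied
    and still presents it as the verified statement. Escaping the text
    does not help, because nothing ties it to the signature."""
    return f"<p>{escape(form_text)}</p><p>Signature: VALID</p>"


def render_bound(form_text: str) -> str:
    """Hardened design: the text on screen must hash to the signed digest."""
    submitted = hashlib.sha256(form_text.encode("utf-8")).digest()
    if not hmac.compare_digest(submitted, SIGNED_DIGEST):
        return "<p>Signature: NOT VALID for the submitted text</p>"
    # Render the server's own copy of the signed text, never the client's.
    return f"<p>{escape(SIGNED_STATEMENT)}</p><p>Signature: VALID</p>"


if __name__ == "__main__":
    # Constructed input standing in for text sent by a third-party form.
    altered = "A statement the signer never made."
    print(render_unbound(altered))           # shown as verified
    print(render_bound(altered))             # rejected
    print(render_bound(SIGNED_STATEMENT))    # shown as verified
```

The same binding can be had by having the verification page accept no text at all and render only the stored, signed document.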