TechEcho
© 2025 TechEcho. All rights reserved.

Digital signatures and how to avoid them

278 points, by _ikke_, 8 months ago

6 comments

kccqzy, 8 months ago

The author mentions HMAC at the end. I think HMAC is really an underrated technique. I remember reading Colin Percival's classic "Cryptographic Right Answers" [0] and saw a section about "symmetric signatures." I pondered to myself what scheme I could use for that before I looked at the answer: of course it's just HMAC. I feel like this is another perspective that ought to be more widely known: if you want something to be like a signature, but the two parties (or just a single party at different times) can share a key, HMAC really is the right answer. Things like, a server needs to cryptographically sign a cookie to prevent tampering: that's HMAC. Or a server needs to know an API request is coming from an expected client: that's also HMAC.

[0]: https://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
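The cookie case from the comment above, worked through as an added example (not code from the article or from the commenter): the server appends an HMAC-SHA256 tag, verifies it in constant time, and the same key that verifies can also mint, which is exactly why an HMAC tag proves "someone with the key made this" and nothing more. The key and cookie contents are constructed for the demonstration.

```python
# Added example: HMAC-SHA256 as a "symmetric signature" on a session cookie.
# Key and cookie values are constructed for the demonstration.
import base64
import hashlib
import hmac
from typing import Optional


def sign_cookie(key: bytes, value: str) -> str:
    """Append a URL-safe base64 HMAC-SHA256 tag so later tampering is detectable."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    tag_b64 = base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    return f"{value}.{tag_b64}"


def verify_cookie(key: bytes, cookie: str) -> Optional[str]:
    """Return the cookie value if its tag is valid, otherwise None.

    The tag is recomputed from the received value and compared with
    hmac.compare_digest (constant time), so an attacker cannot learn the
    correct tag byte by byte from timing differences. The tag alphabet has
    no '.', so splitting on the last '.' is safe even if the value has dots.
    """
    value, sep, _tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie(key, value)
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


def tamper_demo(key: bytes) -> dict:
    """Constructed scenario: server signs a cookie, a client edits the value."""
    cookie = sign_cookie(key, "user=alice;role=user")
    _value, _, tag = cookie.rpartition(".")
    forged = "user=alice;role=admin." + tag  # old tag reused on a new value
    return {
        "valid": verify_cookie(key, cookie),
        "tampered": verify_cookie(key, forged),  # None: tag no longer matches
        "wrong_key": verify_cookie(b"some-other-key", cookie),  # None
        # Symmetric: any key holder can mint a valid cookie, so a valid tag
        # never tells a third party which party produced it (no non-repudiation).
        "minted_by_key_holder": verify_cookie(key, sign_cookie(key, "user=mallory;role=admin")),
    }


if __name__ == "__main__":
    print(tamper_demo(b"constructed-demo-key"))
```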
sandij, 8 months ago

This article is very relevant in the context of the EU Digital Identity Wallet, and digital credentials in general, such as ISO/IEC 18013-5 mobile driver licenses and other mdocs.

We may accidentally end up with non-repudiation of attribute presentation, thinking that this increases assurance for the parties involved in a transaction. The legal framework is not designed for this and insufficiently protects the credential subject, for example.

Instead, the high assurance use cases should complement digital credentials (with plausible deniability of past presentations) with qualified e-signatures and e-seals. For these, the EU for example does provide a legal framework that protects both the relying party and the signer.
rpigab, 8 months ago

To me, DKIM doesn't prove that the user john.smith@gmail.com sent that email. It proves that gmail.com sent it.

I'd avoid trusting FAANGs in courts when the fate of political leaders is at stake.
talkingtab, 8 months ago

I am a user, but not an expert in cryptography, but I find the title of the article to be bait and switch. A more accurate title would be "Pitfalls of using Digital Signatures and Possible Alternatives".
gyush, 8 months ago

> As well as authenticating a message, they also provide third-party verifiability and (part of) non-repudiation.

I think digital signatures and third party verification are an incredibly useful feature. The ability to prove you received some data from some third party lets you prove things about yourself, and enables better data privacy long-term, especially when you have selective disclosure when combined with zero knowledge proofs. See: https://www.andrewclu.com/sign-everything -- the ability to make all your data self-sovereign and selectively prove data to the outside world (i.e. prove I'm over 18 without showing my whole passport) can be extremely beneficial, especially as we move towards a world of AI generated content where provenant proofs can prove content origin to third parties. You're right that post quantum signature research is still in progress, but I suspect that until post-quantum supremacy, it's still useful (and by then I hope we'll have fast and small post quantum signature schemes).

EU's digital signatures let you do this for your IDs and https://www.openpassport.app/ lets you do this for any country passport, but imagine you could do this for all your social media data, personal info, and login details. We could have full selective privacy online, but only if everyone uses digital signatures instead of HMACs.
next_xibalba, 8 months ago

Slightly off topic:

In school I only took one cryptography class (it was bundled with networking, at that), and to this day I still think it contained some of the most amazing concepts I've ever learned. Public-key cryptography being on the short list along with cryptographic hash functions. Maybe it's my particular bias, or maybe cryptography has just attracted some of the most creative geniuses of the 20th century.