I hear people imply that signing data is equivalent to proving they authored the data they're signing (ie "I own the data"). This is subtly wrong. Signing data proves:
- you had the private key that signed the data in your possession
- you had the data that you signed in your possession
It doesn't prove:
- you authored the data
- you "own" the data
Ownership of data is a weird concept to begin with. At most data ownership means you possess the data and maybe in some ethical or legal sense means you have a right to possess it. Digital signatures don't enhance the meaning of data ownership. I think when people say "I own the data" when they've signed the data but it's not in their physical possession, they mostly mean "I can prove I authored this data," but a digital signature only affords "I own the means of authenticating that I once possessed this data."
Proving authorship of data requires more than signing it. The way we prove we authored something is by demonstrating it was in our possession before anyone else. So if we wish to prove our authorship of data, not merely prove that we once possessed it, we need to both sign the data and timestamp the signature in an unforgeable way.
ScriptSig
in bitcoin