"Jim Schaad" <ietf(_at_)augustcellars(_dot_)com> writes:
> I believe you have misunderstood the issue that Trevor raised.
> His problem is:
> 1. I send you and him a single Authenticated Message.
> 2. He takes the common CEK in the original message, uses it to create a MAC
> on a new message and then sends it on to you.
> As is always true with Authenticated messages, there is no proof of origin.
> He worries that you might be confused and believe the second message was
> from me rather than from him. Since they both use the same CEK, that is not a
> factor that could be used to distinguish them.
Ah, OK, thanks. How serious a threat is this in practice though? Wouldn't
people just use asymmetric auth if they're worried about proof of origin? I
realise it's kind of an interesting problem to solve, but does it need solving
beyond a security considerations note "If you're seriously worried about proof
of origin use a signature"?
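The scenario in Jim's two steps, as an added example that is not part of this thread and not real CMS encoding: a toy AuthenticatedData-style message with one shared CEK, an originator, a recipient who reuses the CEK to MAC a message of his own, and an outsider who has no CEK. The names `AuthenticatedMessage`, `authenticate`, `verify` and `demo` are invented for illustration; the message is modelled as content plus an HMAC-SHA256 tag, which is an assumption about the MAC algorithm, not something the thread states.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example (not from the thread): a toy model of an AuthenticatedData
# message whose MAC is computed under a CEK that every recipient receives.
# Structure, field names and the choice of HMAC-SHA256 are assumptions.


@dataclass(frozen=True)
class AuthenticatedMessage:
    content: bytes
    mac: bytes  # HMAC-SHA256 over content under the shared CEK


def compute_mac(cek: bytes, content: bytes) -> bytes:
    """MAC the content under the CEK shared by originator and all recipients."""
    return hmac.new(cek, content, hashlib.sha256).digest()


def authenticate(cek: bytes, content: bytes) -> AuthenticatedMessage:
    """Build a message. Anyone holding the CEK runs exactly this code, so
    the originator's message and a recipient's forgery are produced the
    same way and carry nothing that identifies who made the tag."""
    return AuthenticatedMessage(content, compute_mac(cek, content))


def verify(cek: bytes, msg: AuthenticatedMessage) -> bool:
    """What the receiving party does: recompute the tag and compare in
    constant time. A valid tag only proves that some CEK holder made it."""
    return hmac.compare_digest(compute_mac(cek, msg.content), msg.mac)


def demo() -> dict:
    """Step 1: 'I' send one message to you and him under one CEK.
    Step 2: he reuses that CEK to MAC a new message and sends it to you.
    An outsider without the CEK is included to show the MAC still gives
    integrity against non-recipients, just not origin among recipients."""
    cek = os.urandom(32)  # constructed: the CEK distributed to both recipients

    original = authenticate(cek, b"original message from me to you and him")
    forged = authenticate(cek, b"a new message he made up and sent on to you")
    outsider = AuthenticatedMessage(b"message from someone with no CEK", bytes(32))

    return {
        "original_ok": verify(cek, original),
        "forged_ok": verify(cek, forged),
        "outsider_ok": verify(cek, outsider),
        # Both accepted messages were tagged by identical code under the
        # same key; there is no field that tells you which sender made them.
        "same_tag_algorithm": compute_mac(cek, forged.content) == forged.mac,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The recipient's forgery verifies exactly as the originator's message does, while the outsider's does not: the shared-CEK MAC proves membership in the set of key holders, not which member produced the message. That is the gap Peter's reply proposes closing, for those who need it, with a signature instead of a MAC.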