ietf-openpgp

RE: secure sign & encrypt

2002-05-20 16:34:13

Well, it is not only to add a new packet, but also add to
the user programs a check that if the packet is present in
the signature, the signature block should come from
decrypting a message with one of the expected keys.

Clear signed messages should pose no user problems, because
users generally understand that the cryptographic
software will not give any confirmation of the origin of the
message.

The problem is that most users, when they decrypt a message
that is signed, will think they can be sure the signer
and the encrypter are the same person/entity.
It would be a major improvement in the OpenPGP specification
to allow applications to ensure that that really is the case.

Have you read the link
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html

I really think it addresses a real problem.

-- 
Terje Bråten
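The check described above, as an added toy model (not code from this thread or from any OpenPGP implementation): the keys are constructed, an HMAC stands in for the signature and a keyed XOR stream for the encryption, and the `intended_recipient` field plays the role of the proposed new packet. The verifier accepts a signature as evidence about the encrypter only when that field names the key that just decrypted the message.

```python
import hashlib
import hmac
import json

class Key:
    """Constructed stand-in for an OpenPGP key: an id plus a shared secret."""
    def __init__(self, key_id, secret):
        self.key_id, self.secret = key_id, secret

def sign(signer, message, intended_recipient):
    # intended_recipient models the proposed new signature packet naming
    # the key the signer intends to encrypt this message to (None = absent).
    body = {"msg": message, "intended_recipient": intended_recipient}
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signer": signer.key_id,
            "sig": hmac.new(signer.secret, data, "sha256").hexdigest()}

def keystream(key, n):
    # Keyed SHA-256 counter stream: a toy stand-in for public-key encryption.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key.secret + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(recipient, signed):
    plain = json.dumps(signed, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plain, keystream(recipient, len(plain))))
    return {"to": recipient.key_id, "ct": ct}

def decrypt(recipient, packet):
    ct = packet["ct"]
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(recipient, len(ct)))))

def verify_after_decrypt(signers, decrypting_key, signed):
    # The check the mail proposes: after decrypting with decrypting_key, a valid
    # signature is only accepted as "from the encrypter" if the recipient it
    # names is the key that just decrypted it.
    data = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(signers[signed["signer"]].secret, data, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return "bad signature"
    intended = signed["body"]["intended_recipient"]
    if intended is None:
        return "valid signature, no recipient binding"
    if intended != decrypting_key.key_id:
        return "valid signature, but bound to " + intended
    return "valid signature, bound to this recipient"
```

A signed block that is valid but names a different key than the one that decrypted it is exactly the case the user would otherwise misread as "signer and encrypter are the same".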


-----Original Message-----
From: Hal Finney [mailto:hal(_at_)finney(_dot_)org]
Sent: 21. mai 2002 00:12
To: ietf-openpgp(_at_)imc(_dot_)org; Terje(_dot_)Braaten(_at_)concept(_dot_)fr
Subject: Re: secure sign & encrypt


There was quite a bit of discussion about this last year on the
cryptography mailing list.  I thought Jon Callas' message was good,
pointing out the wider ramifications of this kind of "failure":
http://www.mit.edu:8008/bloom-picayune/crypto/8891.

It is really not clear that solving it is as simple as adding a new
packet.  There are still other ways that things can go wrong, such
as simply redirecting a clear-signed message.  The fundamental problem
is that people don't understand what is protected and what isn't in
a signed mail message.

Hal
