ietf-openpgp

RE: secure sign & encrypt

2002-05-21 07:30:48

vedaal <vedaal(_at_)hotmail(_dot_)com> wrote:

----- Original Message -----
From: "Terje Braaten" <Terje(_dot_)Braaten(_at_)concept(_dot_)fr>
To: <ietf-openpgp(_at_)imc(_dot_)org>
Sent: Monday, May 20, 2002 7:31 PM
Subject: RE: secure sign & encrypt

[...]

> The problem is that most users when they decrypt a message
> that is signed, they will think they can be sure the signer
> and the encrypter is the same person/entity.
> It would be a major improvement in the OpenPGP specification
> to allow applications to ensure that that really is the case.

[...]

Functionally, that is the case now in Open PGP.

How can that be? Which functionality in Open PGP are you referring to?
Is it specified anywhere in the RFC?


Even though a signed and encrypted message can be separated into a
verifiable free standing signed message, and then
re-encrypted and sent on to someone else,
it 'cannot' {afaik} be re-combined into a signed and encrypted message that
appears the same as a de-novo signed and encrypted message.

The most that can be done with the separation and re-encryption, is to have
a message, that upon decryption, is clearsigned,
or armored signed, and even the armored signed message is clearly of a
different form than a de novo armored signed message;
{a de novo armored signed message always has the message block begin with
the letters 'ow', the separated armored signed
message never does}.

Someone receiving a re-encrypted separated signed message, can instantly
tell upon decryption, that it was an 'intentionally'
re-encrypted message, and not an original.

If the attacker is only an ordinary user, that might be the case.
But if who the message is supposed to be encrypted to is not signed
when the signature is added, it is only a matter of being a good programmer
to fake a "signed & encrypted" message, given the Open PGP standard
as it is today.

We should not rely on security through obscurity.


-- 
Terje Bråten
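
The point argued above, that the signature does not cover who the message is encrypted to, shown from the receiver's side. This is an added example, not part of the original post and not OpenPGP's packet format. Assumptions: a Lamport hash-based one-time signature stands in for an OpenPGP signature, the encryption layer is left out because re-encryption leaves the inner signed data unchanged, and the names and fingerprint values are constructed.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def fingerprint(name):
    # Constructed stand-in for a recipient key fingerprint (fixed 20 bytes).
    return H(b"recipient-key:" + name)[:20]

def sign_for(sk, body, recipient_fpr):
    # Hypothetical binding: signed data covers the intended recipient and the body.
    return sign(sk, recipient_fpr + body)

def accept(pk, body, sig, my_fpr, bound):
    # Receiver's check after decryption. With bound=False only the body is
    # covered, so the check cannot tell who the signer encrypted to.
    data = (my_fpr + body) if bound else body
    return verify(pk, data, sig)

def demo():
    body = b"I agree to the terms."   # constructed sample message
    bob, carol = fingerprint(b"bob"), fingerprint(b"carol")
    sk1, pk1 = keygen()               # one-time keys: one key per signature
    plain_sig = sign(sk1, body)
    sk2, pk2 = keygen()
    bound_sig = sign_for(sk2, body, bob)
    return {
        "plain_forwarded_to_carol": accept(pk1, body, plain_sig, carol, False),
        "bound_received_by_bob": accept(pk2, body, bound_sig, bob, True),
        "bound_forwarded_to_carol": accept(pk2, body, bound_sig, carol, True),
    }

if __name__ == "__main__":
    print(demo())
```
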