From: Hal Finney [mailto:hal(_at_)finney(_dot_)org]
Sent: 22. May 2002 19:09
To: ietf-openpgp(_at_)imc(_dot_)org; Terje(_dot_)Braaten(_at_)concept(_dot_)fr
Subject: RE: secure sign & encrypt
The problem is that this sign-and-encrypt issue is just the tip of
the iceberg. It is not worth redoing the protocol when there
other issues that will remain unresolved.
I disagree with this. The encryption of a message is much more
fundamentally linked to the signing of the same message, both in
practice and in peoples mind. Since we do have a function called
sign & encrypt in PGP, users will assume that it really is a secure
sign & encrypt, and that they can trust it to be one operation where
the signature and the encryption is linked.
Even more sophisticated users like f.ex. Vedaal on this list, seem to
think that already in PGP you can be sure that the signer is the same as
the encrypter if it appears that the message has been made by a PGP
sign & encrypt operation.
I read the paper and closely followed the extensive discussion on the
cryptography list when this came out last year. In my opinion the
consensus among the professionals on that list was that, properly
understood, there is more to this than a protocol flaw that can be
easily patched. It represents a fundamental property of
Some data is protected and some is not.
And I think we should make who the message is encrypted to a part
of what is protected, as long as PGP offers a function called sign &
The real solution is to put the entire email, headers and all, into
the signed envelope, and then for the receiving software to compare
the protected headers with those on the actual message. This will
detect substition of from/to lines as well as other changes, and will
work for both signed and signed+encrypted messages.
We do have data structures to support this via PGP/MIME and the
Message/rfc822 MIME type. However actually implementing this
functionality is difficult as it requires close integration with the
email software. In practice, probably only email software providers
would be in a position to provide this level of functionality.
Yes, this is really an issue that should go into the PGP/MIME standard
as well, and there also protect important headers in the mail like
To, From, Cc, Date, etc.
But here we discuss the core OpenPGP standard, and since it includes
detailed specifications on how sign & encrypt is to be done,
this also should be fixed in this standard.
Also note that this problem is not specific to messages sent by e-mail,
but applies to all messages that is signed & encrypted and may not
naturally contain a To or From field.