ietf-openpgp
[Top] [All Lists]

Re: secure sign & encrypt

2002-05-23 05:50:12

Terje Braaten <Terje(_dot_)Braaten(_at_)concept(_dot_)fr> writes:

The problem is that even though sign & encrypt is not atomic
now, that is what most users expect. I do not find it
satisfying as a programmer to have to say to the users
"Sorry, but the OpenPGP protocol do not allow any atomic
sign & encrypt that would have solved your problem, so
you will have to do without."

I disagree that all users are calmoring for this feature, but I
suppose we will have to agree to disagree on that.

Adding a new signature packet called 'encrypted to' (or something
like that) would allow OpenPGP applications to implement
such an atomic sign & encrypt. It could say in the protocol
that an application MAY implement atomic sign & encrypt,
and if it does, it MUST do such and such.

Just so long as the user has to specifically specify this
functionality.  Note that this is a tradeoff and you LOSE a nice
feature of PGP in the process.  The feature that you lose is
repudiation of the recipient of a message.  You can honestly say to a
judge "I have no idea how he got that message -- I didn't encrypt it
to him".  Maybe you don't consider that a feature; some people do.

My suggestion for a protocol for atomic sign & encrypt is
that the application MUST make an 'encrypted to' packet in
the signature for each key the message and signature packet
is encrypted to in the encryption packet.
These 'encrypted to' packets MUST be in the signed part of the signature.

As has already been suggested, the Notation packet can already do
this.  Just create an "encrypted-to" notation convention and publish
it as and RFC (and then convince people to implement it).  You do not
need any new packets to do what you want.

An application that implement decrypt & verify MUST/SHOULD warn the user if
the key used to decrypt the message is not found in an 'encrypted to'
packet in the signature if the signature contains 'encrypted to'
packets and thus indicates that the message is created by an atomic
sign & encrypt.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord(_at_)MIT(_dot_)EDU                        PGP key available

<Prev in Thread] Current Thread [Next in Thread>