ietf-openpgp

RE: secure sign & encrypt

2002-05-23 09:23:23

Dominikus Scherkl <Dominikus(_dot_)Scherkl(_at_)glueckkanja(_dot_)com> wrote:
Your proposal for an extra packet does not address this alleged
flaw.
Note that Alice could sign a message saying "encrypted to Bob", and then
encrypt and send the message to Charlie, thus framing Bob for breach
of confidence.

No, because then Charlie would know there was something fishy going on.
He would not know if Alice or Bob (or someone else) was to blame,
but he would get a warning message saying that this is an invalid
signed & encrypted message.

Hey, this is an attack on _Bob_ - Charlie doesn't need to be nice!
The simple possibility of such attacks discredits the trust in being
the original receiver of a message, so we gain nothing!

The only one that could mount such an attack is Alice, the
person that has signed the message. So such an attack would be easily
traceable. The trust in who is the original receiver of a message
will depend on you trusting the signer if the test to see if
the signer and encrypter are the same person is false.
Yes, that makes this method a bit weaker than ESE. When the test
fails you cannot infer anything about who was the real recipient.
But if the test to see if the signer and encrypter are the same person
returns true, then you can indeed be sure that the signer and
encrypter are the same person.

-- 
Terje Bråten

