
RE: secure sign & encrypt

2002-05-23 14:27:52

What is the problem I am trying to solve? I thought that had been clear
through the many mails I sent, but let me try to explain again.

1) Don Davis has a pretty good description of the problem in
        http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
        He lists many good reasons why this is a problem in section 4.

2) Many users seem to think that PGP's sign & encrypt function is atomic.
        We can try to teach them that it never was so, and never will be
        (a bad solution in my opinion) or we can give the users what they
        want/expect and make it possible to have an atomic sign & encrypt
        in PGP.

To word the problem in another way, when Alice sends a message to Bob
that is signed and encrypted, Bob should be able to be sure that it
was Alice that encrypted the message.

Description of attack:

Alice sends a signed & encrypted message to Charlie. Charlie decrypts
it, encrypts it again and sends it to Bob, trying to convince Bob the message
comes directly from Alice. Since Bob sees the message is apparently
made by sign & encrypt, he thinks it must be Alice that has encrypted it.


Some solutions:

        - Teach Bob not to trust PGP's sign & encrypt to know who the sender
          of the message is when it is not in the plain text of the signed
          message.

        - Make PGP use Encrypt, Sign and Encrypt. (Slower encryption/decryption
          and bigger messages.)

        - Add fingerprints of recipient keys in signature packets. (Requires
          a change in the protocol.)
-- 
Terje Bråten
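As an added illustration (not from the post, and not code from any PGP implementation), the following Python model walks through the forwarding scenario above twice: once with plain sign & encrypt, and once with the recipient key fingerprint placed inside the signed data, the third solution listed. The keys, the HMAC "signature" and the tagged "ciphertext" are assumed stand-ins for the real primitives, since the problem lies in what the signature covers, not in the algorithms.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Toy stand-ins, not OpenPGP: a "signature" is an HMAC under the signer's
# secret and a "ciphertext" is the payload tagged with the recipient key
# fingerprint (the role the unsigned PKESK key ID plays in a real message).

@dataclass(frozen=True)
class Key:
    name: str
    secret: bytes
    def fingerprint(self) -> bytes:
        return hashlib.sha256(b"pub:" + self.secret).hexdigest()[:16].encode()

def sign(signer: Key, data: bytes) -> bytes:
    return hmac.new(signer.secret, data, "sha256").digest()

def verify(signer: Key, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(signer, data), sig)

def sign_and_encrypt(sender: Key, recipient: Key, msg: bytes, bind: bool) -> dict:
    # With bind=True the recipient fingerprint goes inside the signed data;
    # with bind=False it exists only in the (unsigned) encryption layer,
    # as in plain sign & encrypt.
    signed = msg + (b"\nrecipient=" + recipient.fingerprint() if bind else b"")
    return {"to": recipient.fingerprint(), "body": (signed, sign(sender, signed))}

def decrypt_and_verify(recipient: Key, sender: Key, packet: dict, bind: bool) -> str:
    if packet["to"] != recipient.fingerprint():
        return "not encrypted to me"
    signed, sig = packet["body"]
    if not verify(sender, signed, sig):
        return "bad signature"
    if bind and not signed.endswith(b"\nrecipient=" + recipient.fingerprint()):
        return "signed for a different recipient"
    return "ok"

def reencrypt(holder: Key, new_recipient: Key, packet: dict) -> dict:
    # What Charlie can do with a message encrypted to him: replace his own
    # encryption layer with Bob's, leaving Alice's signature untouched.
    assert packet["to"] == holder.fingerprint()
    return {"to": new_recipient.fingerprint(), "body": packet["body"]}

def run(bind: bool) -> str:
    # Constructed sample keys and message; Bob's verdict on the forwarded copy.
    alice, bob, charlie = Key("alice", b"a"), Key("bob", b"b"), Key("charlie", b"c")
    to_charlie = sign_and_encrypt(alice, charlie, b"Let's meet at 10.", bind)
    return decrypt_and_verify(bob, alice, reencrypt(charlie, bob, to_charlie), bind)
```

`run(False)` reports "ok", so Bob has no way to notice the detour; `run(True)` reports "signed for a different recipient", because the fingerprint Alice signed is Charlie's, not Bob's.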

