Re: Davis paper revisited // separation of signed and encrypted messages into clearsigned messages

2003-08-22 07:42:56

On Fri, 22 Aug 2003 01:49:23 -0700 Adrian von Bidder 


that did not reflect the intent of the sender, who would never
of posting it unencrypted.

If you send sensible content to somebody you can't trust to keep it secret, there's no technical solution to solve that problem. Don't send that person any sensible content - encrypted or not.

consider the case of a high-ranking corporate employee who left a company
on unfriendly terms,

or a pt./dr/ communication where, at a later date, the pt. is suing the

the content of the communication was perfectly appropriate in encrypted
form, at the time it was communicated


if it is (maliciously, anonymously) posted by the receiver,
the receiver can claim that the dr. violated medical privacy issues,
and someone in the corporation can claim that the sender 'leaked' sensitive
material to a public forum

of course, the sender can counter:

"i didn't do it !
it was a malicious reconstruction of the message by the receiver into clearsigned

but this still leaves some doubt ...


The recipient can publish the E/S/E message without the outer encryption layer. Then he publishes the decrypted message and his public key.
can the generate the encrypted message and, with the signature, verify that it is the same message. So this "solution" falls apart, too.

no it doesn't,

if the sender doesn't routinely encrypt to self,
then even if the receiver publishes the session key, then the 'leak'
can unequivocally be shown to be the receiver

the point is, 

can there be an additional packet feature that somehow distinguishes
a signed and encrypted message, from a clearsigned one
(which could be done in backward compatible form, where older versions
might not 'recognize/be able to interpret' the new packet, but could
decrypt anyway,
while newer versions could be used to distinguish the signature/message

with Respect,
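
The packet feature asked about above can be sketched as a flag that is covered by the signature, so that a signature made for encrypted delivery is recognisable when the plaintext later turns up as clearsigned text. This is an added example, not part of the original message and not OpenPGP's actual packet format; the toy RSA key, the flag value and all function names are assumptions made for illustration.

```python
import hashlib

# Toy textbook-RSA key (constructed, insecure, demo only): two Mersenne primes.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Hypothetical hashed-subpacket values; these are not real OpenPGP subpacket types.
FLAG_NONE = b""
FLAG_ENCRYPTED = b"intended-delivery:encrypted"

def _digest(body: bytes, hashed_flag: bytes) -> int:
    # Length-prefix the flag so flag bytes and body bytes cannot be confused.
    data = len(hashed_flag).to_bytes(2, "big") + hashed_flag + body
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(body: bytes, hashed_flag: bytes = FLAG_NONE) -> dict:
    """Sender: sign the plaintext; the flag is covered by the signature."""
    return {"flag": hashed_flag, "sig": pow(_digest(body, hashed_flag), D, N)}

def verify_old(body: bytes, packet: dict) -> bool:
    """Older verifier: hashes the flag bytes but does not interpret them."""
    return pow(packet["sig"], E, N) == _digest(body, packet["flag"])

def verify_new(body: bytes, packet: dict, seen_in_clear: bool) -> str:
    """Newer verifier: also compares the flag with how the message was found."""
    if not verify_old(body, packet):
        return "bad signature"
    if packet["flag"] == FLAG_ENCRYPTED and seen_in_clear:
        return "valid, but sender signed it for encrypted delivery"
    return "valid"

def repost_as_clearsigned(body: bytes, packet: dict, strip_flag: bool) -> dict:
    """Receiver after decryption: reuse the inner signature on the plaintext."""
    flag = FLAG_NONE if strip_flag else packet["flag"]
    return {"flag": flag, "sig": packet["sig"]}
```

Without the flag, the reposted signature is indistinguishable from one the sender clearsigned; with it, stripping the flag breaks the signature and keeping it reveals the intended delivery form.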


