On Fri, 22 Aug 2003 01:49:23 -0700 Adrian von Bidder
[...]
vedaal:
that did not reflect the intent of the sender, who would never think
of posting it unencrypted.
If you send sensible content to somebody you can't trust to keep it secret,
there's no technical solution to solve that problem. Don't send that person
any sensible content - encrypted or not.
consider the case of a high-ranking corporate employee who left a company
on unfriendly terms,
or a pt./dr. communication where, at a later date, the pt. is suing the dr.
the content of the communication was perfectly appropriate in encrypted
form, at the time it was communicated
but,
if it is (maliciously, anonymously) posted by the receiver,
the receiver can claim that the dr. violated medical privacy issues,
and someone in the corporation can claim that the sender 'leaked' sensitive
material to a public forum
of course, the sender can counter:
"i didn't do it !
it was a malicious reconstruction of the message by the receiver into clearsigned
form!"
but this still leaves some doubt ...
[...]
The recipient can publish the E/S/E message without the outer encryption
layer. Then he publishes the decrypted message and his public key. Everybody
can then generate the encrypted message and, with the signature, verify that
it is the same message. So this "solution" falls apart, too.
no it doesn't,
if the sender doesn't routinely encrypt to self,
then even if the receiver publishes the session key, then the 'leak'
can unequivocally be shown to be the receiver
the point is,
can there be an additional packet feature that somehow distinguishes
a signed and encrypted message, from a clearsigned one
(which could be done in backward compatible form, where older versions
might not 'recognize/be able to interpret' the new packet, but could
decrypt anyway,
while newer versions could be used to distinguish the signature/message
type.)
with Respect,
vedaal