On Sun August 14 2005 12:36, Hal Finney wrote:
I have changed the subject line as this is in regard to Ben's citation
of Hugo Krawczyk's paper on the order of signing and encryption,
http://eprint.iacr.org/2001/045, also published in Crypto 01.
This paper doesn't apply to systems like OpenPGP which compose public
key signatures with public key encryption. Rather, it investigates the
composition of symmetric encryption (e.g. AES) with MAC.
The same cannot be said of Davis' analysis of issues in
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
Davis is merely making a mountain out of a molehill. Cryptography
cannot protect you from sending a message to a bad actor. Not even
things like OTR can [1]. A word to the wise is that you shouldn't sign
any message that you would be embarrassed to be made public.
Nonetheless, there's definitely a need to have secure messages that
aren't signed. That's why we have the MDC construction in OpenPGP, so
that you can have a reasonable assurance that a message arrived to you
intact.
Jon
[1] This is not a slam on OTR, which I think is brilliant. It is merely
an observation that if you use a full privacy-enabled system like OTR
and someone pastes a copy of your conversation into their livejournal,
the people who read that transcript will presume it to be accurate.
Furthermore, the fact that you used a juicy technology like OTR will
make people *more* not less likely to believe it was accurate. This is
an observation on human nature.