Daniel Nagy writes:
Imagine, that a conspiracy expects to be infiltrated. They send encrypted
messages back and forth but they have a dilemma: to sign or not to sign? If
they do sign, the infiltrator will have damning evidence on his hands and
the bad guys will be able to crack down on the conspirators. If they don't
sign, the infiltrator will be able to forge messages and thus seriously
interfere with the activities of the group (e.g. call off action in the name
of the ringleader, etc.).
These kinds of stories are often used to motivate cryptographic
constructions, but the real world generally doesn't work that way.
An infiltrator does not need cryptographic proof of his information
about who is in the conspiracy! After all, he doesn't have any such
proof in the physical world, yet infiltrators, informants and spies have
long been used as valuable sources of information.
I admit to a fondness for fancy crypto and it would be fun to see some
form of deniable authentication in OpenPGP, but realistically it is not
going to meet our customers' needs. If we do want to pursue it, there
are a number of technologies, like the DH shared keys you describe,
the signed ESK packets Vedaal mentioned, or ring signatures and other
variants of Chaum's designated-confirmer signatures.
Hal Finney