ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

2013-07-17 14:42:40
from [Ximin Luo] [Permanent Link] 
On 17/07/13 20:06, Daniel Kahn Gillmor wrote:

On 07/17/2013 02:27 PM, Ximin Luo wrote:

As per [2], if I ever sign a message consisting of "yes" or "no" or some 
other short message with very little context, the attacker (whom I encrypted 
the signed message to) could use this signed message in some other context, 
fooling people that I said something I didn't. One might argue "how 
unlikely", but it's still an unnecessary caveat (i.e. complexity) in using 
encrypted email, which will confuse people not familiar with the details.

My original point was that this attack is a specific example of a general 
design flaw in encrypted email - i.e. unsigned/unencrypted headers.


the attack you're describing above has nothing to do with encryption; it
has to do with signatures.

This is a fundamental vulnerability of any system that involves signed
data that is dependent for interpretation on unsigned context.  This is
also the case for (e.g.) clearsigned plain text files.



It is *mostly* to do with signatures yes, but encryption does play a part - it 
adds the implicit *non-signed* information that the data is a message TO 
someone. (Although I take your point, a signed non-encrypted email also has 
this implicit metadata, and is vulnerable too.) If you signed a self-contained 
plain text file, this is not necessarily the case.


It sounds to me like you're proposing a way that some additional context
could be automatically signed by compatible mail user agents.  I think
this is a fine idea, though i think it needs more detail than what has
been sketched out here thus far.  For example, what should a compatible
MUA do if the signed message contains a signed copy of a header which
doesn't match the unsigned header of the message in question?  what if a
signed message contains two sets of signed headers that conflict with
each other?  how should an MUA represent the idea that headers are
signed?  and so forth...

it also sounds like it would be relevant for other e-mail signature
standards too, since S/MIME (for example) might want the same sort of
protection.  This makes it out of scope for the current mailing list,
since it isn't OpenPGP specific.

Werner already suggested that gnupg-users(_at_)gnupg(_dot_)org might be a
reasonable place to have this more general discussion.  Maybe followup
should happen over there?



Good points and yes, I will take this discussion there.

Thanks for all the info and comments everyone!

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers, Daniel Kahn Gillmor
Next by Date:  Re: [openpgp] Fwd: New Version Notification for draft-wouters-dane-openpgp-00.txt (fwd), Andrey Jivsov
Previous by Thread:  Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers, Daniel Kahn Gillmor
Next by Thread:  [openpgp] Fwd: New Version Notification for draft-wouters-dane-openpgp-00.txt (fwd), Paul Wouters
Indexes:  [Date] [Thread] [Top] [All Lists]