dkg and I have been discussing an "Intended Recipient Fingerprint"
subpacket, that pins a signature to be valid only in an encrypted
context to the indicated recipient.
Use of this subpacket removes some wiggle room for signed+encrypted
messages. This can be used to prevent replay attacks, where a signature
is taken out of its context and forwarded to a different recipient.
Please see https://0xacab.org/schleuder/schleuder/issues/158 for a
complete description of an attack scenario in the context of the
Schleuder remailer. The given scenario is solved with this subpacket on
the OpenPGP layer.
Diff attached for rfc4880bis, please comment.
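The receiver-side check this message describes, as an added example that is not part of the original message or of the attached rfc4880bis diff: a signature whose hashed area names the intended recipient is rejected when it arrives encrypted to a different key. Assumptions: HMAC stands in for the public-key signature, fingerprints are modelled as SHA-256 digests, and the hashed-area encoding and all names (`sign`, `verify`, `FPR_A`, ...) are hypothetical.

```python
import hashlib
import hmac

FPR_LEN = 32  # assumption: fingerprints modelled as SHA-256 digests


def fingerprint(public_key: bytes) -> bytes:
    """Stand-in for an OpenPGP key fingerprint."""
    return hashlib.sha256(public_key).digest()


def _digest(signing_key: bytes, hashed_area: bytes, message: bytes) -> bytes:
    # Length-prefix the hashed area so it cannot be confused with message bytes.
    data = len(hashed_area).to_bytes(2, "big") + hashed_area + message
    # HMAC stands in for the public-key signature (assumption, stdlib only).
    return hmac.new(signing_key, data, hashlib.sha256).digest()


def sign(signing_key: bytes, message: bytes, recipient_fprs: list) -> dict:
    # The intended recipient fingerprints are covered by the signature.
    hashed_area = b"".join(recipient_fprs)
    return {"hashed": hashed_area, "sig": _digest(signing_key, hashed_area, message)}


def verify(signing_key: bytes, message: bytes, signature: dict,
           decrypting_key_fpr: bytes) -> str:
    expected = _digest(signing_key, signature["hashed"], message)
    if not hmac.compare_digest(expected, signature["sig"]):
        return "bad-signature"  # e.g. the pin was stripped or altered
    area = signature["hashed"]
    pinned = [area[i:i + FPR_LEN] for i in range(0, len(area), FPR_LEN)]
    # Assumption: a signature carrying no pin is treated as unpinned and accepted.
    if pinned and decrypting_key_fpr not in pinned:
        return "wrong-recipient"  # signature replayed to someone else
    return "ok"


# Constructed sample data
SIGNER_KEY = b"constructed-signer-key"
FPR_A = fingerprint(b"constructed public key of recipient A")
FPR_B = fingerprint(b"constructed public key of recipient B")
MESSAGE = b"constructed message body"
SIGNATURE = sign(SIGNER_KEY, MESSAGE, [FPR_A])


def demo() -> tuple:
    stripped = {"hashed": b"", "sig": SIGNATURE["sig"]}
    return (verify(SIGNER_KEY, MESSAGE, SIGNATURE, FPR_A),
            verify(SIGNER_KEY, MESSAGE, SIGNATURE, FPR_B),
            verify(SIGNER_KEY, MESSAGE, stripped, FPR_B))
```

Because the pin sits inside the signed data, removing it to get past the recipient check breaks the signature itself.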