
Re: [openpgp] Intended Recipient Fingerprint signature subpacket

2018-03-05 22:09:41
On 3/5/2018 at 6:20 PM, "Vincent Breitmoser" <look@my.amazin.horse> wrote:

Hey folks,

dkg and I have been discussing an "Intended Recipient Fingerprint"
subpacket, that pins a signature to be valid only in an encrypted
context to the indicated recipient.

Use of this subpacket removes some wiggling room for signed+encrypted
messages.  This can be used to prevent replay attacks, where a signature
is taken out of its context and forwarded to a different recipient.

======

In principle, it's a good idea.

But, the attacker could still send it along as a clearsigned message, and if 
the recipient accepts the message at face value, the attack succeeds.

There is really no substitute for fixing this in the context of the message 
itself.  Anything signed, should mention the person addressed in the text of 
the message.


Example:

message [1]

=====[begin text of message to be signed and encrypted to Bob]=====

Hi Bob,

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


as opposed to this,

message [2]:

=====[begin text of message to be signed and encrypted to Bob]=====

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


If at some later time, Bob and Alice had a falling out, Bob could send the
second message to John (a not so good friend of Alice), who now thinks Alice
'loves' him.

Bob could obviously never do this with the first message in the above example.

Again, more of an issue to be put in an advisory caution in the new rfc, rather
than designing a new packet, but if the new packet is easy to implement, then
great.


vedaal
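As an added example (not from vedaal's post nor from any OpenPGP implementation), here is the verifier-side check that gives the subpacket its teeth, in Python: it parses a signature's hashed subpacket area, collects Intended Recipient fingerprints (subpacket type 35, one key-version octet followed by the fingerprint), and rejects the signature when the message was not decrypted with a pinned key, which covers the clearsigned-forward case described above. The subpacket length encoding follows RFC 4880 section 5.2.3.1; the fingerprints, the reject-when-unencrypted policy and the helper names are this example's own assumptions.

```python
from __future__ import annotations

def encode_subpacket(sub_type: int, body: bytes) -> bytes:
    """Build one subpacket with the RFC 4880 5.2.3.1 length encoding (for sample data)."""
    n = len(body) + 1  # the length counts the type octet plus the body
    if n < 192:
        head = bytes([n])
    else:  # 2-octet form; the 5-octet form (n >= 8384) is not needed for samples
        head = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return head + bytes([sub_type]) + body

def parse_subpackets(area: bytes) -> list[tuple[int, bytes]]:
    """Split a hashed subpacket area into (type, body) pairs; the critical bit is stripped."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        out.append((area[i] & 0x7F, area[i + 1:i + length]))
        i += length
    return out

def intended_recipients(area: bytes) -> list[bytes]:
    """Fingerprints pinned by Intended Recipient subpackets (type 35): version octet, then fingerprint."""
    fps = []
    for sub_type, body in parse_subpackets(area):
        if sub_type == 35:
            if not body or len(body) - 1 != {4: 20, 5: 32, 6: 32}.get(body[0]):
                raise ValueError("fingerprint length does not match key version")
            fps.append(body[1:])
    return fps

def signature_valid_in_context(area: bytes, decrypted_with: bytes | None) -> bool:
    """decrypted_with: fingerprint of the key that decrypted the message, or None if it arrived
    unencrypted (e.g. clearsigned). Assumed policy: a pinned signature is only good in that context."""
    pinned = intended_recipients(area)
    if not pinned:
        return True  # older signature with nothing pinned: defer to the other checks
    return decrypted_with is not None and decrypted_with in pinned

# Constructed sample data, not real keys: v4 fingerprints for Bob and John.
BOB_FP, JOHN_FP = bytes(range(20)), bytes(range(20, 40))
SAMPLE_AREA = encode_subpacket(2, b"\x5a\x9d\x8e\x00") + encode_subpacket(35, b"\x04" + BOB_FP)
LEGACY_AREA = encode_subpacket(2, b"\x5a\x9d\x8e\x00")  # creation time only, nothing pinned
```

With SAMPLE_AREA, the signature verifies only when Bob's key decrypted the message; forwarded to John, or stripped down to a clearsigned message, it is rejected.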

