
Re: [openpgp] Intended Recipient Fingerprint signature subpacket

2018-05-21 15:04:43
No feedback on this at all?  Should I maybe create a website and logo for
a surreptitious forwarding attack?

I'll add some more motivation: There is currently no way to distinguish
signatures made for plaintext messages from signatures made for encrypted
messages.

This opens up a scenario where a message is sent as signed cleartext (which many
people do by default), and only encrypted at a later point, for example by an
inbound message encryption feature. At that point, there is no way for a mail
client to tell whether this was actually an e2e encrypted message, or sent in
the clear.

As a straightforward fix, I propose an additional "sent in the clear" subpacket
that indicates when a signature was made over a message that is sent in the
clear, and wasn't intended to authenticate an encrypted message.

 - V

Vincent Breitmoser(look@my.amazin.horse)@Tue, Mar 06, 2018 at 12:19:51AM +0100:
Hey folks,

dkg and I have been discussing an "Intended Recipient Fingerprint"
subpacket, that pins a signature to be valid only in an encrypted
context to the indicated recipient.

Use of this subpacket removes some wiggling room for signed+encrypted
messages.  This can be used to prevent replay attacks, where a signature
is taken out of its context and forwarded to a different recipient.

Please see https://0xacab.org/schleuder/schleuder/issues/158 for a
complete description of an attack scenario in the context of the
Schleuder remailer.  The given scenario is solved with this subpacket on
the openpgp layer.

Diff attached for rfc4880bis, please comment.

 - V

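As an added illustration of the policy the thread proposes (this is example code written for this page, not from Vincent's diff or any OpenPGP implementation), the following toy verifier parses a signature subpacket area, pulls out any Intended Recipient Fingerprint subpackets, and refuses a signature that was pinned to a recipient but did not arrive encrypted to that recipient's key. The subpacket type number 35 and the body layout (one key-version octet followed by the fingerprint) are taken from the later-standardised RFC 9580 encoding and are assumptions here; the thread itself does not state them.

```python
# Added example (not from the mailing-list thread): verifier-side check that an
# "Intended Recipient Fingerprint" subpacket binds a signature to its encrypted
# context, so a signature lifted out and forwarded to someone else is rejected.
import struct
from typing import List, Optional, Tuple

# Assumed type number and body layout (RFC 9580, section 5.2.3.36); the draft
# diff discussed on the page is not reproduced there.
INTENDED_RECIPIENT = 35
SIG_CREATION_TIME = 2

def encode_subpacket(sp_type: int, body: bytes) -> bytes:
    """Serialise one subpacket: length covering type+body, then type, then body."""
    n = len(body) + 1
    if n < 192:
        length = bytes([n])
    elif n < 16320:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return length + bytes([sp_type]) + body

def parse_subpackets(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a hashed-subpacket area and return (type, body) pairs."""
    out, i = [], 0
    while i < len(data):
        b0 = data[i]
        if b0 < 192:
            n, i = b0, i + 1
        elif b0 < 255:
            n, i = ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        out.append((data[i], data[i + 1:i + n]))
        i += n
    return out

def intended_recipients(subpackets) -> List[bytes]:
    """Fingerprints named by Intended Recipient subpackets (version octet dropped)."""
    return [body[1:] for t, body in subpackets if t == INTENDED_RECIPIENT]

def signature_context_ok(subpackets, decrypted_with: Optional[bytes]) -> bool:
    """decrypted_with: fingerprint of the key that decrypted the message, or
    None if it arrived in the clear (e.g. encrypted only later by an inbound
    hop). A pinned signature is valid only when decrypted with a pinned key."""
    pinned = intended_recipients(subpackets)
    if not pinned:
        return True  # no pin: the "wiggle room" the thread describes remains
    return decrypted_with is not None and decrypted_with in pinned

# Constructed sample: signature pinned to Alice's (made-up) v4 fingerprint.
ALICE_FP = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
BOB_FP = bytes.fromhex("fedcba9876543210fedcba9876543210fedcba98")
SIG_SUBPACKETS = (encode_subpacket(SIG_CREATION_TIME, b"\x5b\x02\x00\x00")
                  + encode_subpacket(INTENDED_RECIPIENT, b"\x04" + ALICE_FP))
```

With these inputs, Alice decrypting the message accepts the signature, while Bob receiving a forwarded copy, or anyone receiving it unencrypted, rejects it.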

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
