Re: bis05: Armor Headers
David Shaw <dshaw@jabberwocky.com> Tue, 30 April 2002 18:07 UTC
Received: from above.proper.com (mail.imc.org [208.184.76.43]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA01863 for <openpgp-archive@odin.ietf.org>; Tue, 30 Apr 2002 14:07:06 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3UHstn14701 for ietf-openpgp-bks; Tue, 30 Apr 2002 10:54:55 -0700 (PDT)
Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3UHssa14697 for <ietf-openpgp@imc.org>; Tue, 30 Apr 2002 10:54:54 -0700 (PDT)
Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3UHspo02015 for ietf-openpgp@imc.org; Tue, 30 Apr 2002 13:54:51 -0400
Date: Tue, 30 Apr 2002 13:54:51 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: bis05: Armor Headers
Message-ID: <20020430175451.GA1512@akamai.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200204301709.34240@sendmail.mutz.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <200204301709.34240@sendmail.mutz.com>
User-Agent: Mutt/1.3.26i
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waning Gibbous (84% of Full)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Tue, Apr 30, 2002 at 05:09:32PM +0200, Marc Mutz wrote: > I've looked through bis05 and I think the wording on non-US-ASCII characters > in armor headers is still too vague. > > 1. It's not only the Comment field that is affected here. IIRC, GnuPG uses > non-us-ascii characters for the version header if localized, too. > 2. An implementation allowing full UTF-8 in the Armor Headers indirectly > violates rfc3156. > > I'd really like to see that Armor Headers MUST (at least SHOULD) be > constrained to US-ASCII, except in clearsigning, where the full UTF-8 may be > used since the enclosed text is already UTF-8. > > The other way round: If exporting keys with armor or creating an armored > detached signature, all armor headers MUST be constrained to US-ASCII. I agree with Marc. I'd even go further and say for the sake of simplicity that all armor headers MUST be US-ASCII with no special case for clearsigning. This certainly does violate the nice UTF8-for-all-text policy of OpenPGP, but we're talking about *armor* here - the point is to be 7 bit clean. If we have an 8-bit transport, why use armor at all? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3UHstn14701 for ietf-openpgp-bks; Tue, 30 Apr 2002 10:54:55 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3UHssa14697 for <ietf-openpgp@imc.org>; Tue, 30 Apr 2002 10:54:54 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3UHspo02015 for ietf-openpgp@imc.org; Tue, 30 Apr 2002 13:54:51 -0400 Date: Tue, 30 Apr 2002 13:54:51 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: bis05: Armor Headers Message-ID: <20020430175451.GA1512@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org References: <200204301709.34240@sendmail.mutz.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200204301709.34240@sendmail.mutz.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waning Gibbous (84% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Apr 30, 2002 at 05:09:32PM +0200, Marc Mutz wrote: > I've looked through bis05 and I think the wording on non-US-ASCII characters > in armor headers is still too vague. > > 1. It's not only the Comment field that is affected here. IIRC, GnuPG uses > non-us-ascii characters for the version header if localized, too. > 2. An implementation allowing full UTF-8 in the Armor Headers indirectly > violates rfc3156. > > I'd really like to see that Armor Headers MUST (at least SHOULD) be > constrained to US-ASCII, except in clearsigning, where the full UTF-8 may be > used since the enclosed text is already UTF-8. > > The other way round: If exporting keys with armor or creating an armored > detached signature, all armor headers MUST be constrained to US-ASCII. I agree with Marc. I'd even go further and say for the sake of simplicity that all armor headers MUST be US-ASCII with no special case for clearsigning. This certainly does violate the nice UTF8-for-all-text policy of OpenPGP, but we're talking about *armor* here - the point is to be 7 bit clean. If we have an 8-bit transport, why use armor at all? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3UHTrg14140 for ietf-openpgp-bks; Tue, 30 Apr 2002 10:29:53 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3UHToa14135 for <ietf-openpgp@imc.org>; Tue, 30 Apr 2002 10:29:50 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 172cES-0005XM-00; Tue, 30 Apr 2002 20:20:08 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 172bT2-00008p-00; Tue, 30 Apr 2002 19:31:08 +0200 To: ietf-openpgp@imc.org Subject: Re: bis05: Armor Headers References: <200204301709.34240@sendmail.mutz.com> From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Tue, 30 Apr 2002 19:31:07 +0200 In-Reply-To: <200204301709.34240@sendmail.mutz.com> (Marc Mutz's message of "Tue, 30 Apr 2002 17:09:32 +0200") Message-ID: <874rhtnles.fsf@alberti.gnupg.de> Lines: 19 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 30 Apr 2002 17:09:32 +0200, Marc Mutz said: > 1. It's not only the Comment field that is affected here. IIRC, GnuPG uses > non-us-ascii characters for the version header if localized, too. This field is not anymore subject to localization. > 2. An implementation allowing full UTF-8 in the Armor Headers indirectly > violates rfc3156. An rfc3156 implementation can simply strip the armor headers - they are of no use. I don't think that this is an OpenPGP issue. If we would start to straighten the language, there are a lot more places where this would be due. Better keep it as it is and get the implementations right. Werner Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3UGBIG12175 for ietf-openpgp-bks; Tue, 30 Apr 2002 09:11:18 -0700 (PDT) Received: from mail.uni-bielefeld.de (IDENT:72@mail2.uni-bielefeld.de [129.70.4.90]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3UGBGa12170 for <ietf-openpgp@imc.org>; Tue, 30 Apr 2002 09:11:16 -0700 (PDT) Received: from dirichlet.mathematik.uni-bielefeld.de (ppp36-205.hrz.uni-bielefeld.de [129.70.36.205]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8) with ESMTP id <0GVE0098Z2ANGA@mail.uni-bielefeld.de> for ietf-openpgp@imc.org; Tue, 30 Apr 2002 18:11:16 +0200 (MET DST) Date: Tue, 30 Apr 2002 17:09:32 +0200 From: Marc Mutz <mutz@kde.org> Subject: bis05: Armor Headers To: ietf-openpgp@imc.org Message-id: <200204301709.34240@sendmail.mutz.com> Organization: KDE MIME-version: 1.0 Content-type: Text/Plain; charset=us-ascii Content-description: clearsigned data Content-disposition: inline Content-transfer-encoding: 7BIT User-Agent: KMail/1.4.5 X-PGP-Key: 0xBDBFE838 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I've looked through bis05 and I think the wording on non-US-ASCII characters in armor headers is still too vague. 1. It's not only the Comment field that is affected here. IIRC, GnuPG uses non-us-ascii characters for the version header if localized, too. 2. An implementation allowing full UTF-8 in the Armor Headers indirectly violates rfc3156. I'd really like to see that Armor Headers MUST (at least SHOULD) be constrained to US-ASCII, except in clearsigning, where the full UTF-8 may be used since the enclosed text is already UTF-8. The other way round: If exporting keys with armor or creating an armored detached signature, all armor headers MUST be constrained to US-ASCII. AFAISI, this should suffice for the rfc3156 cases. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE8zrOs3oWD+L2/6DgRAiMJAKC+QI2vB6OKGDrUfYNaCQiHidgAegCg0/+f xm4OYZyplIJvDf14SdtVL5Y= =2vJf -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3TBqDf24358 for ietf-openpgp-bks; Mon, 29 Apr 2002 04:52:13 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3TBqCa24354 for <ietf-openpgp@imc.org>; Mon, 29 Apr 2002 04:52:12 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA24701; Mon, 29 Apr 2002 07:52:10 -0400 (EDT) Message-Id: <200204291152.HAA24701@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-openpgp@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-openpgp-rfc2440bis-05.txt Date: Mon, 29 Apr 2002 07:52:10 -0400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the An Open Specification for Pretty Good Privacy Working Group of the IETF. Title : OpenPGP Message Format Author(s) : J. Callas, L. Donnerhacke, H. Finney, R. Thayer Filename : draft-ietf-openpgp-rfc2440bis-05.txt Pages : 71 Date : 26-Apr-02 This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures. This document specifies the message formats used in OpenPGP. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-05.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-openpgp-rfc2440bis-05.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-05.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20020426140756.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-05.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-openpgp-rfc2440bis-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20020426140756.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3SNvX707932 for ietf-openpgp-bks; Sun, 28 Apr 2002 16:57:33 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3SNvWa07928 for <ietf-openpgp@imc.org>; Sun, 28 Apr 2002 16:57:32 -0700 (PDT) Received: from [63.73.97.181] (63.73.97.181) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2) for <ietf-openpgp@imc.org>; Sun, 28 Apr 2002 16:57:27 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Sun, 28 Apr 2002 16:52:22 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8F1D946.26EA%jon@callas.org> In-Reply-To: <v03110718b8eefb72daca@[67.242.199.92]> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> >> Note that you still cannot change the document, because to change the >> document you would need to change the signature (unless you break the >> Hash function). If you change the signature, then the notary >> signature fails. Therefore, transitively, the notary is verifying >> the document. I actually disagree with this. The notary is putting a signature on a chunk of data. The signature means, "I saw this at time T." If that data, a signature, verifies against a document, *we* may deduce certain things about that document using the two signatures. But the notary says nothing about the integrity of the document. This is a subtle point, but one about the semantics of transitivity. If Alice says, "A -> B" and Bob says "B -> C", then I might (modulo many details) deduce that A -> C using both data from Alice and Bob. However, this is something that *I* am doing, not something Alice nor Bob is doing. Alice says nothing about C. Bob says nothing about A. I put them both together. Not Alice, not Bob. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3SEdIA25941 for ietf-openpgp-bks; Sun, 28 Apr 2002 07:39:18 -0700 (PDT) Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3SEdFa25937 for <ietf-openpgp@imc.org>; Sun, 28 Apr 2002 07:39:17 -0700 (PDT) Received: from 1cust5.tnt18.bos2.da.uu.net ([67.242.199.5]) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #2) id 171pp0-0000Y3-00; Sun, 28 Apr 2002 07:38:38 -0700 X-Sender: frantz%pwpconsult.com@pop.business.earthlink.net Message-Id: <v03110718b8eefb72daca@[67.242.199.92]> In-Reply-To: <sjmbsc7p2k8.fsf@kikki.mit.edu> References: <B8EDF522.259B%jon@callas.org> <B8EDF522.259B%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Fri, 26 Apr 2002 08:46:08 -0400 To: Derek Atkins <derek@ihtfp.com>, Jon Callas <jon@callas.org> From: Bill Frantz <frantz@pwpconsult.com> Subject: Re: Notary signatures Cc: OpenPGP <ietf-openpgp@imc.org> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 11:21 PM -0400 4/25/02, Derek Atkins wrote: >Jon Callas <jon@callas.org> writes: > >> On 4/25/2002 5:54 PM, "Len Sassaman" <rabbi@quickie.net> wrote: >> >> > I'd like to be able to run a service wherein a user submits a signed >> > document, and the service signs the signature. This is done to allow for >> > verification that the signature was made prior to the timestamp provided >> > by my service (the trusted notary). >> >> Not the document, only the signature packet? I'm trying to envision what one >> would do with this mechanically, as well as syntactically and semantically. > >Yes. The notary verifies the signature, and then signs the >_signature_, not the document. This is why it's a signature on a >signature. The notary is trusted to have verified the contents before >it actually creates the new signature. The notary doesn't need to verify the original signature. Operationally, the notary doesn't need to ever see the document, only the signature on the document. This lack of "need to know" seems to me to be an advantage for confidential documents. > >Note that you still cannot change the document, because to change the >document you would need to change the signature (unless you break the >Hash function). If you change the signature, then the notary >signature fails. Therefore, transitively, the notary is verifying >the document. Which is what happens if the original signature doesn't match the document. Cheers - Bill ------------------------------------------------------------------------- Bill Frantz | The principal effect of| Periwinkle -- Consulting (408)356-8506 | DMCA/CBDTPA is to | 16345 Englewood Ave. frantz@pwpconsult.com | prevent fair use. | Los Gatos, CA 95032, USA Received: by above.proper.com (8.11.6/8.11.3) id g3QKlHn17323 for ietf-openpgp-bks; Fri, 26 Apr 2002 13:47:17 -0700 (PDT) Received: from hotmail.com (oe43.law3.hotmail.com [209.185.240.211]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QKlFa17319 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 13:47:15 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 26 Apr 2002 13:47:13 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> References: <B8EEFD1A.2644%jon@callas.org> Subject: Re: Musings on Notary signatures Date: Fri, 26 Apr 2002 16:34:51 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE43n00zepDI8NFr9oD00000590@hotmail.com> X-OriginalArrivalTime: 26 Apr 2002 20:47:13.0701 (UTC) FILETIME=[8B425550:01C1ED63] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> ----- Original Message ----- From: "Jon Callas" <jon@callas.org> To: "vedaal" <vedaal@hotmail.com>; "OpenPGP" <ietf-openpgp@imc.org> Sent: Friday, April 26, 2002 3:48 PM Subject: Re: Musings on Notary signatures ... > I don't see why this is a problem. Let's suppose I'm the notary and Alice > hands me a signature that she produced in 1972. I notarize it. Big deal. > It's 12:40pm on Friday, 26 April 2002. If you want to believe Alice's date, > why do you need mine? > > A savvy receiver of both signatures will decide that the correct timestamp > for the document is within epsilon of my time, not Alice's. ... It's not really a problem, but consider: Alice is a stockbroker, Bob is a day-trader, Bob needs a stock bought or sold at a certain time, which changes quickly in value throughout the day. With the notary as a simultaneous cc recipient and sender, it can add a time verification to the transaction. just a suggestion for a practical application at the user end. -vedaal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3QJmTQ16197 for ietf-openpgp-bks; Fri, 26 Apr 2002 12:48:29 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QJmSa16193 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 12:48:28 -0700 (PDT) Received: from [192.168.1.20] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Fri, 26 Apr 2002 12:48:25 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Fri, 26 Apr 2002 12:48:26 -0700 Subject: Re: Musings on Notary signatures From: Jon Callas <jon@callas.org> To: vedaal <vedaal@hotmail.com>, OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EEFD1A.2644%jon@callas.org> In-Reply-To: <OE67RPTNZStgLzhVOJw00000381@hotmail.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/26/2002 9:00 AM, "vedaal" <vedaal@hotmail.com> wrote: > There is still a problem with all this, in that it can verify only that the > signature was notarized at a certain time. > Nothing prevents the original signers from altering their computer clocks to > later or earlier as would suit them, > and then delay sending the signed message for notarization. I don't see why this is a problem. Let's suppose I'm the notary and Alice hands me a signature that she produced in 1972. I notarize it. Big deal. It's 12:40pm on Friday, 26 April 2002. If you want to believe Alice's date, why do you need mine? A savvy receiver of both signatures will decide that the correct timestamp for the document is within epsilon of my time, not Alice's. (And if you think my clock is wrong, then just get another notarized signature, or notarize the darn thing yourself, and use *that* timestamp.) All you have to do is assign reasonable semantics and procedures to something. The semantic meaning of a notary signature is merely, "I saw it at time T." It is a certification of sorts. It certifies not a name, but a timestamp. Apply whatever trust model you like best to that signature. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3QJKVp15611 for ietf-openpgp-bks; Fri, 26 Apr 2002 12:20:31 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QJKTa15606 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 12:20:29 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3QJIvd00788; Fri, 26 Apr 2002 15:18:57 -0400 Date: Fri, 26 Apr 2002 15:18:57 -0400 From: David Shaw <dshaw@jabberwocky.com> To: john.dlugosz@kodak.com Cc: ietf-openpgp@imc.org Subject: Re: Musings on Notary signatures Message-ID: <20020426191857.GA682@akamai.com> Mail-Followup-To: john.dlugosz@kodak.com, ietf-openpgp@imc.org References: <OFA12117D8.6B2308AD-ON86256BA7.00698626@kodak.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <OFA12117D8.6B2308AD-ON86256BA7.00698626@kodak.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Full Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Apr 26, 2002 at 02:17:03PM -0500, john.dlugosz@kodak.com wrote: > And, he would need a standard way to put the serial number into the > proposed 0x50 packet. Signature notation subpacket. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3QJHFD15553 for ietf-openpgp-bks; Fri, 26 Apr 2002 12:17:15 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QJH7a15548 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 12:17:07 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3QJHNK09328; Fri, 26 Apr 2002 15:17:23 -0400 (EDT) Subject: Re: Musings on Notary signatures To: dshaw@jabberwocky.com Cc: john.dlugosz@kodak.com, ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Fri, 26 Apr 2002 14:17:03 -0500 Message-ID: <OFA12117D8.6B2308AD-ON86256BA7.00698626@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/26/2002 03:17:05 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz So if I understand http://www.itconsult.co.uk/stamper/stampinf.htm, it adds another signature in parelell to existing signatures when in "pgp mode". With this new proposal, he would simply use the new sig type, with the referring field being the main message. A new service not listed there would be to verify that the existing signatures were made at the specified time, and to do that the referring field would refer to the other signature block. To do that the existing way, you would stamp your detached signature in "clear" mode, so he signs your signature record. And, he would need a standard way to put the serial number into the proposed 0x50 packet. David Shaw <dshaw@jabberwocky.com> on 04-26-2002 11:18:30 AM To: john.dlugosz@kodak.com cc: ietf-openpgp@imc.org Subject: Re: Musings on Notary signatures On Fri, Apr 26, 2002 at 10:12:57AM -0500, john.dlugosz@kodak.com wrote: > However, the above allows for another feature. The document produced by > the notary can contain other information too, to implement things from > section 4.1 of Applied Cryptography. For example, it can contain a serial > number, so someone who doesn't trust Trent's clock can find other documents > and know what order they were signed in (hmm, why would you trust Trent's > counter but not his clock?), lists of other "before" and "after" customers, > or other verification information that can be used to validate the > timestamp in other ways, without the need for a trusted notary to have > produced the timestamp signature. This is essentially what the notary service at http://www.itconsult.co.uk/stamper.htm does with serial numbers. One can use a signature notation to do the same thing with the proposed notary signature as well. As a receipient of such a message, I think I would prefer the proposed notary signature. It is in a well specified and understood machine readable format, so anyone can verify any notary signature with a minimum of fuss and/or new code. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3QGkbR11726 for ietf-openpgp-bks; Fri, 26 Apr 2002 09:46:37 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QGkaa11722 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 09:46:36 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3QGkdQ09962 for ietf-openpgp@imc.org; Fri, 26 Apr 2002 09:46:39 -0700 Date: Fri, 26 Apr 2002 09:46:39 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204261646.g3QGkdQ09962@finney.org> To: ietf-openpgp@imc.org Subject: Re: Notary signatures Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I don't think we have had to hash a signature packet before. That means that we have to canonicalize the header. Following our wonderful OpenPGP tradition, we of course have completely different canonicalization rules for key and userid packets. Here is what we do for userids: A certification signature (type 0x10 through 0x13) hashes the user id being bound to the key into the hash context after the above data. A V3 certification hashes the contents of the name packet, without any header. A V4 certification hashes the constant 0xb4 (which is an old-style packet header with the length-of-length set to zero), a four-octet number giving the length of the username, and then the username data. I suppose we want to follow the same rules as the V4 case, for signature packets. We would hash the constant 0x84 (an old-style packet header with length-of-length set to zero), a four-octet length, and then the packet contents. Since sigs-on-sigs need a target subpacket, it would not be legal to do a V3 sig on a sig. So we only need to consider the V4 case. BTW I notice we don't say here how to hash attribute packets. In the NAI PGP code we do as above except instead of the constant 0xb4 we use 0xd1, a new-style packet header for attribute packets. If the signature is a V3 certification on the attribute packet we do as with userid packets, and just hash the contents, without hashing the packet header. That was probably a mistake; since we had no need for backwards compatibility with V3 sigs on attribute packets, we should have used the V4 rules for both V3 and V4 signatures. Hal Received: by above.proper.com (8.11.6/8.11.3) id g3QGLo511104 for ietf-openpgp-bks; Fri, 26 Apr 2002 09:21:50 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QGLna11100 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 09:21:49 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3QGIUj08513; Fri, 26 Apr 2002 12:18:30 -0400 Date: Fri, 26 Apr 2002 12:18:30 -0400 From: David Shaw <dshaw@jabberwocky.com> To: john.dlugosz@kodak.com Cc: ietf-openpgp@imc.org Subject: Re: Musings on Notary signatures Message-ID: <20020426161830.GJ2602@akamai.com> Mail-Followup-To: john.dlugosz@kodak.com, ietf-openpgp@imc.org References: <OFF472CCAA.E13D54BC-ON86256BA7.00529A9F@kodak.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <OFF472CCAA.E13D54BC-ON86256BA7.00529A9F@kodak.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (99% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Apr 26, 2002 at 10:12:57AM -0500, john.dlugosz@kodak.com wrote: > However, the above allows for another feature. The document produced by > the notary can contain other information too, to implement things from > section 4.1 of Applied Cryptography. For example, it can contain a serial > number, so someone who doesn't trust Trent's clock can find other documents > and know what order they were signed in (hmm, why would you trust Trent's > counter but not his clock?), lists of other "before" and "after" customers, > or other verification information that can be used to validate the > timestamp in other ways, without the need for a trusted notary to have > produced the timestamp signature. This is essentially what the notary service at http://www.itconsult.co.uk/stamper.htm does with serial numbers. One can use a signature notation to do the same thing with the proposed notary signature as well. As a receipient of such a message, I think I would prefer the proposed notary signature. It is in a well specified and understood machine readable format, so anyone can verify any notary signature with a minimum of fuss and/or new code. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3QG5qw09687 for ietf-openpgp-bks; Fri, 26 Apr 2002 09:05:52 -0700 (PDT) Received: from hotmail.com (oe67.law3.hotmail.com [209.185.240.83]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QG5pa09681 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 09:05:51 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 26 Apr 2002 09:04:48 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> References: <OFF472CCAA.E13D54BC-ON86256BA7.00529A9F@kodak.com> Subject: Re: Musings on Notary signatures Date: Fri, 26 Apr 2002 12:00:57 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE67RPTNZStgLzhVOJw00000381@hotmail.com> X-OriginalArrivalTime: 26 Apr 2002 16:04:48.0284 (UTC) FILETIME=[1700E5C0:01C1ED3C] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> ----- Original Message ----- From: <john.dlugosz@kodak.com> To: <dshaw@jabberwocky.com> Cc: <jon@callas.org>; <ietf-openpgp@imc.org> Sent: Friday, April 26, 2002 11:12 AM Subject: Musings on Notary signatures > > > From: John Dlugosz > > The normal interpretation of signing something is to agree with or assert > its content. If that's the only kind we have, we can do this: > > I sign my document. Then to prove I did so at a specific time, send the > signature (which may include the data or be detached, it matters not) to > the notary. > > The notary produces a =new= document, which states "I afferm that the blob > sent to me (length nn, SHA1=xxxxxxx) was done so at whatever time." and > signs (afferms to) that. > > A notary sig packet would do the same thing, but could be added to the file > containing the signature being signed. I beleive that is what the current > discussion has agreed on. > > However, the above allows for another feature. The document produced by > the notary can contain other information too, to implement things from > section 4.1 of Applied Cryptography. For example, it can contain a serial > number, so someone who doesn't trust Trent's clock can find other documents > and know what order they were signed in (hmm, why would you trust Trent's > counter but not his clock?), lists of other "before" and "after" customers, > or other verification information that can be used to validate the > timestamp in other ways, without the need for a trusted notary to have > produced the timestamp signature. There is still a problem with all this, in that it can verify only that the signature was notarized at a certain time. Nothing prevents the original signers from altering their computer clocks to later or earlier as would suit them, and then delay sending the signed message for notarization. A possible practical solution at the user end, might be something as follows: Alice sends Bob a document for review, with instructions that when Bob is re ady to sign it, Bob should send it signed to Alice, and cc at the same time to an agreed-upon notary, for time stamping, who would then cc it back, already notarized/timestamped to Alice and Bob. vedaal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3QFDHt06842 for ietf-openpgp-bks; Fri, 26 Apr 2002 08:13:17 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QFDCa06838 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 08:13:13 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3QFDGK27353; Fri, 26 Apr 2002 11:13:16 -0400 (EDT) Subject: Musings on Notary signatures To: dshaw@jabberwocky.com Cc: jon@callas.org, ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Fri, 26 Apr 2002 10:12:57 -0500 Message-ID: <OFF472CCAA.E13D54BC-ON86256BA7.00529A9F@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/26/2002 11:12:57 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz The normal interpretation of signing something is to agree with or assert its content. If that's the only kind we have, we can do this: I sign my document. Then to prove I did so at a specific time, send the signature (which may include the data or be detached, it matters not) to the notary. The notary produces a =new= document, which states "I afferm that the blob sent to me (length nn, SHA1=xxxxxxx) was done so at whatever time." and signs (afferms to) that. A notary sig packet would do the same thing, but could be added to the file containing the signature being signed. I beleive that is what the current discussion has agreed on. However, the above allows for another feature. The document produced by the notary can contain other information too, to implement things from section 4.1 of Applied Cryptography. For example, it can contain a serial number, so someone who doesn't trust Trent's clock can find other documents and know what order they were signed in (hmm, why would you trust Trent's counter but not his clock?), lists of other "before" and "after" customers, or other verification information that can be used to validate the timestamp in other ways, without the need for a trusted notary to have produced the timestamp signature. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3QDXfI02766 for ietf-openpgp-bks; Fri, 26 Apr 2002 06:33:41 -0700 (PDT) Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QDXea02758 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 06:33:40 -0700 (PDT) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA01131; Fri, 26 Apr 2002 09:33:40 -0400 (EDT) Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA10903; Fri, 26 Apr 2002 09:33:40 -0400 (EDT) Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id JAA22562; Fri, 26 Apr 2002 09:33:39 -0400 (EDT) Received: (from warlord@localhost) by kikki.mit.edu (8.9.3) id JAA19191; Fri, 26 Apr 2002 09:33:39 -0400 (EDT) To: David Shaw <dshaw@jabberwocky.com>, Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> From: Derek Atkins <derek@ihtfp.com> Subject: Re: Notary signatures References: <B8EDF522.259B%jon@callas.org> <sjmbsc7p2k8.fsf@kikki.mit.edu> <20020426041647.GA2602@akamai.com> <B8EE3424.25D4%jon@callas.org> Date: 26 Apr 2002 09:33:39 -0400 In-Reply-To: <20020426041647.GA2602@akamai.com> Message-ID: <sjmelh2h9e4.fsf@kikki.mit.edu> Lines: 36 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> David Shaw <dshaw@jabberwocky.com> writes: > This is interesting, as I had been thinking of a service that did not > verify the contents of the original document before notarizing the > signature. This service would purely be to validate the timestamp > (and other data) in the original signature, so no need to send the > original document which may be sensitive. Well, there are certainly multiple services available. You are correct that validating the signature is not a requirement. Jon Callas <jon@callas.org> writes: > I like the idea of a notary signature that only signs a signature packet. > This would mean your signer doesn't even need to see the document that's > being notarized, which has a certain panache to it. *smiles* > How about if I do this: > > * Write up a description of a notary signature. > > * Change the "revocation target" subpacket to be a "signature target" > subpacket so it can work double duty > > How's that sound? Sounds good to me. -derek -- Derek Atkins Computer and Internet Security Consultant derek@ihtfp.com www.ihtfp.com Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3QBJx628399 for ietf-openpgp-bks; Fri, 26 Apr 2002 04:19:59 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3QBJwa28393 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 04:19:58 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3QBIqh05415; Fri, 26 Apr 2002 07:18:52 -0400 Date: Fri, 26 Apr 2002 07:18:52 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures Message-ID: <20020426111852.GB2602@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org> References: <20020426041647.GA2602@akamai.com> <B8EE3424.25D4%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <B8EE3424.25D4%jon@callas.org> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (99% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 10:31:00PM -0700, Jon Callas wrote: > > I like the idea of a notary signature that only signs a signature packet. > This would mean your signer doesn't even need to see the document that's > being notarized, which has a certain panache to it. > > How about if I do this: > > * Write up a description of a notary signature. > > * Change the "revocation target" subpacket to be a "signature target" > subpacket so it can work double duty > > How's that sound? Excellent. That would work quite well for me. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3Q8fwI14538 for ietf-openpgp-bks; Fri, 26 Apr 2002 01:41:58 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q8fta14534 for <ietf-openpgp@imc.org>; Fri, 26 Apr 2002 01:41:56 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 17124P-0008Nr-00; Fri, 26 Apr 2002 11:31:13 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 1711JD-0005PE-00; Fri, 26 Apr 2002 10:42:27 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures References: <B8EE3424.25D4%jon@callas.org> From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Fri, 26 Apr 2002 10:42:27 +0200 In-Reply-To: <B8EE3424.25D4%jon@callas.org> (Jon Callas's message of "Thu, 25 Apr 2002 22:31:00 -0700") Message-ID: <87it6e4zrg.fsf@alberti.gnupg.de> Lines: 17 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 25 Apr 2002 22:31:00 -0700, Jon Callas said: > I like the idea of a notary signature that only signs a signature packet. > This would mean your signer doesn't even need to see the document that's > being notarized, which has a certain panache to it. I like this. > * Change the "revocation target" subpacket to be a "signature target" > subpacket so it can work double duty Make it mandatory (SHOULD) for timestamp signatures so that already existing 0x40 signature packets can be distinguished (or ignored) from the new well defined timestamp/notary signatures. I don't think there is a reason to add a special 0x50 notary signature then. Werner Received: by above.proper.com (8.11.6/8.11.3) id g3Q6r7E28986 for ietf-openpgp-bks; Thu, 25 Apr 2002 23:53:07 -0700 (PDT) Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q6r5a28978 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 23:53:06 -0700 (PDT) Received: from localhost (rabbi@localhost) by thetis.deor.org (8.9.3/8.9.3) with ESMTP id XAA23113; Thu, 25 Apr 2002 23:53:02 -0700 Date: Thu, 25 Apr 2002 23:53:02 -0700 (PDT) From: Len Sassaman <rabbi@quickie.net> X-Sender: <rabbi@thetis.deor.org> To: Jon Callas <jon@callas.org> cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures In-Reply-To: <B8EE3424.25D4%jon@callas.org> Message-ID: <Pine.LNX.4.30.QNWS.0204252352310.22407-100000@thetis.deor.org> X-AIM: Elom777 X-icq: 10735603 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 25 Apr 2002, Jon Callas wrote: > > I like the idea of a notary signature that only signs a signature packet. > This would mean your signer doesn't even need to see the document that's > being notarized, which has a certain panache to it. > > How about if I do this: > > * Write up a description of a notary signature. > > * Change the "revocation target" subpacket to be a "signature target" > subpacket so it can work double duty > > How's that sound? Sounds great to me. Would work perfectly for what I want to do. --Len. Received: by above.proper.com (8.11.6/8.11.3) id g3Q5XBx18359 for ietf-openpgp-bks; Thu, 25 Apr 2002 22:33:11 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q5XAa18355 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 22:33:10 -0700 (PDT) Received: from [63.73.97.185] (63.73.97.185) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2) for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 22:33:14 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 22:31:00 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EE3424.25D4%jon@callas.org> In-Reply-To: <20020426041647.GA2602@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I like the idea of a notary signature that only signs a signature packet. This would mean your signer doesn't even need to see the document that's being notarized, which has a certain panache to it. How about if I do this: * Write up a description of a notary signature. * Change the "revocation target" subpacket to be a "signature target" subpacket so it can work double duty How's that sound? Jon Received: by above.proper.com (8.11.6/8.11.3) id g3Q4HIi17176 for ietf-openpgp-bks; Thu, 25 Apr 2002 21:17:18 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q4HHa17172 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 21:17:17 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3Q4GlH02759 for ietf-openpgp@imc.org; Fri, 26 Apr 2002 00:16:47 -0400 Date: Fri, 26 Apr 2002 00:16:47 -0400 From: David Shaw <dshaw@jabberwocky.com> To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures Message-ID: <20020426041647.GA2602@akamai.com> Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org> References: <B8EDF522.259B%jon@callas.org> <sjmbsc7p2k8.fsf@kikki.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <sjmbsc7p2k8.fsf@kikki.mit.edu> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (99% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 11:21:43PM -0400, Derek Atkins wrote: > > Jon Callas <jon@callas.org> writes: > > > On 4/25/2002 5:54 PM, "Len Sassaman" <rabbi@quickie.net> wrote: > > > > > I'd like to be able to run a service wherein a user submits a signed > > > document, and the service signs the signature. This is done to allow for > > > verification that the signature was made prior to the timestamp provided > > > by my service (the trusted notary). > > > > Not the document, only the signature packet? I'm trying to > > envision what one would do with this mechanically, as well as > > syntactically and semantically. > > Yes. The notary verifies the signature, and then signs the > _signature_, not the document. This is why it's a signature on a > signature. The notary is trusted to have verified the contents before > it actually creates the new signature. This is interesting, as I had been thinking of a service that did not verify the contents of the original document before notarizing the signature. This service would purely be to validate the timestamp (and other data) in the original signature, so no need to send the original document which may be sensitive. In notary talk (at least US notary talk), this is somewhat similar to what is called an "acknowledgement"[1] - the notary taking note that a document was signed, and affixing a seal to indicate that. Nothing in the actual document is relevant in an acknowledgement - just that it was signed and the signer requested a notary to note that fact. > Note that you still cannot change the document, because to change the > document you would need to change the signature (unless you break the > Hash function). If you change the signature, then the notary > signature fails. Therefore, transitively, the notary is verifying > the document. Yes. David [1] Not an exact match - an acknowledgement generally also has the statement that the signature was a voluntary act by the signer. I don't think there is an algorithm for that. :) -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3Q3LlL16184 for ietf-openpgp-bks; Thu, 25 Apr 2002 20:21:47 -0700 (PDT) Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q3Lja16180 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 20:21:45 -0700 (PDT) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA03862; Thu, 25 Apr 2002 23:21:47 -0400 (EDT) Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA13473; Thu, 25 Apr 2002 23:21:46 -0400 (EDT) Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id XAA25531; Thu, 25 Apr 2002 23:21:44 -0400 (EDT) Received: (from warlord@localhost) by kikki.mit.edu (8.9.3) id XAA17951; Thu, 25 Apr 2002 23:21:44 -0400 (EDT) To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> From: Derek Atkins <derek@ihtfp.com> Subject: Re: Notary signatures References: <B8EDF522.259B%jon@callas.org> Date: 25 Apr 2002 23:21:43 -0400 In-Reply-To: <B8EDF522.259B%jon@callas.org> Message-ID: <sjmbsc7p2k8.fsf@kikki.mit.edu> Lines: 33 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org> writes: > On 4/25/2002 5:54 PM, "Len Sassaman" <rabbi@quickie.net> wrote: > > > I'd like to be able to run a service wherein a user submits a signed > > document, and the service signs the signature. This is done to allow for > > verification that the signature was made prior to the timestamp provided > > by my service (the trusted notary). > > Not the document, only the signature packet? I'm trying to envision what one > would do with this mechanically, as well as syntactically and semantically. Yes. The notary verifies the signature, and then signs the _signature_, not the document. This is why it's a signature on a signature. The notary is trusted to have verified the contents before it actually creates the new signature. Note that you still cannot change the document, because to change the document you would need to change the signature (unless you break the Hash function). If you change the signature, then the notary signature fails. Therefore, transitively, the notary is verifying the document. At least, this was the theory we had when wrtiing 1991. > Jon -derek -- Derek Atkins Computer and Internet Security Consultant derek@ihtfp.com www.ihtfp.com Received: by above.proper.com (8.11.6/8.11.3) id g3Q28ab14631 for ietf-openpgp-bks; Thu, 25 Apr 2002 19:08:36 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q28Za14625 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 19:08:35 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3Q23Ex01767; Thu, 25 Apr 2002 22:03:14 -0400 Date: Thu, 25 Apr 2002 22:03:14 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Hal Finney <hal@finney.org> Cc: jon@callas.org, ietf-openpgp@imc.org Subject: Re: Notary signatures Message-ID: <20020426020314.GC1004@akamai.com> Mail-Followup-To: Hal Finney <hal@finney.org>, jon@callas.org, ietf-openpgp@imc.org References: <200204260127.g3Q1RdG04901@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200204260127.g3Q1RdG04901@finney.org> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (98% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 06:27:39PM -0700, Hal Finney wrote: > If you're going to do a notary signature, you'd probably need something > like that "target signature" subpacket we talked about for revocation > signatures, right? Yes, I was thinking that as well. The subpacket would be useful for those cases when the intended target was not obvious from the context. It would need a different name than "revocation target", though :) David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3Q1tHa14470 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:55:17 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q1tFa14466 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:55:15 -0700 (PDT) Received: from [63.73.97.185] (63.73.97.185) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Thu, 25 Apr 2002 18:55:19 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 18:55:19 -0700 Subject: Re: Timestamp Signatures (was Re: Notary signatures) From: Jon Callas <jon@callas.org> To: David Shaw <dshaw@jabberwocky.com> CC: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EE0197.25B2%jon@callas.org> In-Reply-To: <20020426011853.GB1004@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/25/2002 6:18 PM, "David Shaw" <dshaw@jabberwocky.com> wrote: > A regular 0x00 or 0x01 signature has no defined meaning, so it can > therefore mean anything the signer and recepient agree on it to mean. Or what a litigant can convince a judge or jury that any reasonable person would have thought it to mean. That's the downside of no defined meaning in a world where there are laws about what signatures mean. > The 0x40 is just like these signatures except that it is has the > defined meaning of "timestamp". ? Ok, I get it. I imagine this is > something that if done today would be done with a signature notation. > > Is it possible to get some language in the draft saying what an 0x40 > signature is issued on (binary or canonical text data)? All signatures are on binary content. A text-mode signature is on binary content that conforms to some rules. Or so I think. :-) Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3Q1mME14342 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:48:22 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q1mLa14338 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:48:21 -0700 (PDT) Received: from [63.73.97.185] (63.73.97.185) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Thu, 25 Apr 2002 18:48:24 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 18:48:24 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: Hal Finney <hal@finney.org>, <dshaw@jabberwocky.com> CC: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDFFF8.25AF%jon@callas.org> In-Reply-To: <200204260127.g3Q1RdG04901@finney.org> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/25/2002 6:27 PM, "Hal Finney" <hal@finney.org> wrote: > > If you're going to do a notary signature, you'd probably need something > like that "target signature" subpacket we talked about for revocation > signatures, right? The target subpacket is in the draft that is presently on the editor's desk. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3Q1RmE14082 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:27:48 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q1Rka14075 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:27:46 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3Q1RdG04901; Thu, 25 Apr 2002 18:27:39 -0700 Date: Thu, 25 Apr 2002 18:27:39 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204260127.g3Q1RdG04901@finney.org> To: dshaw@jabberwocky.com, jon@callas.org Subject: Re: Notary signatures Cc: ietf-openpgp@imc.org Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> If you're going to do a notary signature, you'd probably need something like that "target signature" subpacket we talked about for revocation signatures, right? Hal Received: by above.proper.com (8.11.6/8.11.3) id g3Q1J5g13811 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:19:05 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q1J4a13807 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:19:04 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3Q1IrT01410; Thu, 25 Apr 2002 21:18:53 -0400 Date: Thu, 25 Apr 2002 21:18:53 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Timestamp Signatures (was Re: Notary signatures) Message-ID: <20020426011853.GB1004@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org> References: <20020426000527.GA662@akamai.com> <B8EDF44B.2597%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <B8EDF44B.2597%jon@callas.org> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (98% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 05:58:35PM -0700, Jon Callas wrote: > Here's what I believe timestamp signatures are for -- > > The hard problem in digital signatures is knowing what they mean. The > semantic content of the signature. Lots of ink has been spilled on this. > > The 0x40 timestamp signature is a semantic notation. What it says is "I saw > this blob of data at time T. I know nothing more nor assert nothing other > than I saw it at that time." > > It is thus a way for an entity to do nothing but -- well, timestamp it. A regular 0x00 or 0x01 signature has no defined meaning, so it can therefore mean anything the signer and recepient agree on it to mean. The 0x40 is just like these signatures except that it is has the defined meaning of "timestamp". ? Ok, I get it. I imagine this is something that if done today would be done with a signature notation. Is it possible to get some language in the draft saying what an 0x40 signature is issued on (binary or canonical text data)? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3Q193913560 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:09:03 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q192a13556 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:09:02 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3Q18o301348; Thu, 25 Apr 2002 21:08:50 -0400 Date: Thu, 25 Apr 2002 21:08:50 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures Message-ID: <20020426010850.GA1004@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org> References: <20020426000527.GA662@akamai.com> <B8EDED09.258F%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <B8EDED09.258F%jon@callas.org> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (98% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 05:27:37PM -0700, Jon Callas wrote: > So -- what are you going to do with them? Why do you need it? I'd like to > move towards getting a new RFC soon, so explain what you want, and lets get > a rough consensus of the group that it's a good idea. If we get that, I'll > put it in. Well, I'll let Len speak for what he is planning, but for me, it's come up a number of times in the context of timestamping services. There is no way to really trust the timestamp in a signature since the maker of the signature can use whatever timestamp that suits them. A notary service can "guarantee" that signature by signing the signature, and multiple independent notary services can be used to add even more assurance that there is no collusion. I have heard that this was the intended use of the old notary signature. Using a different type (0x50 is fine) for this is not strictly required, but would be very useful on the validation side to know that when you come across such a packet you are going to be looking for another signature to check against it. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3Q12Aq13498 for ietf-openpgp-bks; Thu, 25 Apr 2002 18:02:10 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q129a13494 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:02:09 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2) for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 18:02:12 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 18:02:10 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDF522.259B%jon@callas.org> In-Reply-To: <Pine.LNX.4.30.QNWS.0204251752220.8815-100000@thetis.deor.org> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/25/2002 5:54 PM, "Len Sassaman" <rabbi@quickie.net> wrote: > I'd like to be able to run a service wherein a user submits a signed > document, and the service signs the signature. This is done to allow for > verification that the signature was made prior to the timestamp provided > by my service (the trusted notary). Not the document, only the signature packet? I'm trying to envision what one would do with this mechanically, as well as syntactically and semantically. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3Q0wb613431 for ietf-openpgp-bks; Thu, 25 Apr 2002 17:58:37 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q0waa13427 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 17:58:36 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Thu, 25 Apr 2002 17:58:38 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 17:58:35 -0700 Subject: Timestamp Signatures (was Re: Notary signatures) From: Jon Callas <jon@callas.org> To: David Shaw <dshaw@jabberwocky.com> CC: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDF44B.2597%jon@callas.org> In-Reply-To: <20020426000527.GA662@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Here's what I believe timestamp signatures are for -- The hard problem in digital signatures is knowing what they mean. The semantic content of the signature. Lots of ink has been spilled on this. The 0x40 timestamp signature is a semantic notation. What it says is "I saw this blob of data at time T. I know nothing more nor assert nothing other than I saw it at that time." It is thus a way for an entity to do nothing but -- well, timestamp it. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3Q0sOL13359 for ietf-openpgp-bks; Thu, 25 Apr 2002 17:54:24 -0700 (PDT) Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q0sMa13352 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 17:54:22 -0700 (PDT) Received: from localhost (rabbi@localhost) by thetis.deor.org (8.9.3/8.9.3) with ESMTP id RAA08914; Thu, 25 Apr 2002 17:54:21 -0700 Date: Thu, 25 Apr 2002 17:54:21 -0700 (PDT) From: Len Sassaman <rabbi@quickie.net> X-Sender: <rabbi@thetis.deor.org> To: Jon Callas <jon@callas.org> cc: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures In-Reply-To: <B8EDED09.258F%jon@callas.org> Message-ID: <Pine.LNX.4.30.QNWS.0204251752220.8815-100000@thetis.deor.org> X-AIM: Elom777 X-icq: 10735603 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 25 Apr 2002, Jon Callas wrote: > So -- what are you going to do with them? Why do you need it? I'd like to > move towards getting a new RFC soon, so explain what you want, and lets get > a rough consensus of the group that it's a good idea. If we get that, I'll > put it in. I'd like to be able to run a service wherein a user submits a signed document, and the service signs the signature. This is done to allow for verification that the signature was made prior to the timestamp provided by my service (the trusted notary). --Len. Received: by above.proper.com (8.11.6/8.11.3) id g3Q0Xrd13080 for ietf-openpgp-bks; Thu, 25 Apr 2002 17:33:53 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q0Xqa13076 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 17:33:52 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Thu, 25 Apr 2002 17:33:46 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 17:27:37 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: David Shaw <dshaw@jabberwocky.com> CC: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDED09.258F%jon@callas.org> In-Reply-To: <20020426000527.GA662@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/25/2002 5:05 PM, "David Shaw" <dshaw@jabberwocky.com> wrote: > As I see it, all signatures can have a timestamp, so really any of > them is usable for a timestamp signature. I'm not sure how 0x40 > differs here, as it doesn't seem clear what 0x40 is a signature on. > If it is on binary data, then we have a type for that already. If it > is on textual data, we have a type for that as well. We even have a > type for a standalone signature-on-nothing "token". > > A notary signature does not have to be class 0x40, but since 0x40 was > intended for this in the past, and (as far as I can see) does not > serve a purpose that other signature types cannot already provide, why > not make it 0x40? 0x40 was added in as a timestamp signature after the unused types were all removed. As I remember, Lutz Donnerhacke was going to be using it, and I think other people are as well. I'm not going to overload timestamps with notary signatures. That's a bad idea. If we decide to put notary signatures back in, they'll get a new number. RFC 1991 was only ever informational, and is dead as far as we're concerned. (And no one ever implemented that.) 0x50 is a fine number. So -- what are you going to do with them? Why do you need it? I'd like to move towards getting a new RFC soon, so explain what you want, and lets get a rough consensus of the group that it's a good idea. If we get that, I'll put it in. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3Q05VD12672 for ietf-openpgp-bks; Thu, 25 Apr 2002 17:05:31 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3Q05Ua12668 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 17:05:30 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3Q05RV00885; Thu, 25 Apr 2002 20:05:27 -0400 Date: Thu, 25 Apr 2002 20:05:27 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Notary signatures Message-ID: <20020426000527.GA662@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org> References: <20020425220704.GE7537@akamai.com> <B8EDE42A.2585%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <B8EDE42A.2585%jon@callas.org> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (98% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Apr 25, 2002 at 04:49:46PM -0700, Jon Callas wrote: > On 4/25/2002 3:07 PM, "David Shaw" <dshaw@jabberwocky.com> wrote: > > > RFC-1991 defined sigclass 0x40 as a timestamp, and went on to further > > explain its intended use ("Type <40> is intended to be a signature of > > a signature, as a notary seal on a signed document.") > > > > When RFC-2440 came out, this extra explanation seems to have been > > lost, as 2440 defines 0x40 only as a timestamp. A sigclass for a > > signature on a signature would be very useful. Any chance to restore > > this clarification in the next draft? > > It wasn't so much that it was lost, but that it was actively removed. > > Only the document and certification signatures were ever implemented before > 2440 came out. At one time, we removed all the definitions to simplify. Then > they gradually crept back in. 0x40 became a timestamp because there were > people who wanted to use it. > > I may be wrong on this, but would it be better to introduce a new type if > you want to do notaries? Or do this with a notation? As I see it, all signatures can have a timestamp, so really any of them is usable for a timestamp signature. I'm not sure how 0x40 differs here, as it doesn't seem clear what 0x40 is a signature on. If it is on binary data, then we have a type for that already. If it is on textual data, we have a type for that as well. We even have a type for a standalone signature-on-nothing "token". A notary signature does not have to be class 0x40, but since 0x40 was intended for this in the past, and (as far as I can see) does not serve a purpose that other signature types cannot already provide, why not make it 0x40? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3PNnmS12493 for ietf-openpgp-bks; Thu, 25 Apr 2002 16:49:48 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3PNnla12489 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 16:49:47 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2); Thu, 25 Apr 2002 16:49:41 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 16:49:46 -0700 Subject: Re: Notary signatures From: Jon Callas <jon@callas.org> To: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDE42A.2585%jon@callas.org> In-Reply-To: <20020425220704.GE7537@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/25/2002 3:07 PM, "David Shaw" <dshaw@jabberwocky.com> wrote: > RFC-1991 defined sigclass 0x40 as a timestamp, and went on to further > explain its intended use ("Type <40> is intended to be a signature of > a signature, as a notary seal on a signed document.") > > When RFC-2440 came out, this extra explanation seems to have been > lost, as 2440 defines 0x40 only as a timestamp. A sigclass for a > signature on a signature would be very useful. Any chance to restore > this clarification in the next draft? It wasn't so much that it was lost, but that it was actively removed. Only the document and certification signatures were ever implemented before 2440 came out. At one time, we removed all the definitions to simplify. Then they gradually crept back in. 0x40 became a timestamp because there were people who wanted to use it. I may be wrong on this, but would it be better to introduce a new type if you want to do notaries? Or do this with a notation? Jon Received: by above.proper.com (8.11.6/8.11.3) id g3PNM2d11887 for ietf-openpgp-bks; Thu, 25 Apr 2002 16:22:02 -0700 (PDT) Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3PNM0a11880 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 16:22:00 -0700 (PDT) Received: from localhost (rabbi@localhost) by thetis.deor.org (8.9.3/8.9.3) with ESMTP id QAA05704; Thu, 25 Apr 2002 16:22:00 -0700 Date: Thu, 25 Apr 2002 16:22:00 -0700 (PDT) From: Len Sassaman <rabbi@quickie.net> X-Sender: <rabbi@thetis.deor.org> To: David Shaw <dshaw@jabberwocky.com> cc: <ietf-openpgp@imc.org> Subject: Re: Notary signatures In-Reply-To: <20020425220704.GE7537@akamai.com> Message-ID: <Pine.LNX.4.30.QNWS.0204251620010.5584-100000@thetis.deor.org> X-AIM: Elom777 X-icq: 10735603 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 25 Apr 2002, David Shaw wrote: > RFC-1991 defined sigclass 0x40 as a timestamp, and went on to further > explain its intended use ("Type <40> is intended to be a signature of > a signature, as a notary seal on a signed document.") > > When RFC-2440 came out, this extra explanation seems to have been > lost, as 2440 defines 0x40 only as a timestamp. A sigclass for a > signature on a signature would be very useful. Any chance to restore > this clarification in the next draft? Yes, please. I plan to use this in a project in the not-so-distant future. I know there are a few timestamping services for OpenPGP in operation already -- are any of them using this now? --Len. Received: by above.proper.com (8.11.6/8.11.3) id g3PM7Km09912 for ietf-openpgp-bks; Thu, 25 Apr 2002 15:07:20 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3PM7Ha09908 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 15:07:17 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3PM74j09864 for ietf-openpgp@imc.org; Thu, 25 Apr 2002 18:07:04 -0400 Date: Thu, 25 Apr 2002 18:07:04 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Notary signatures Message-ID: <20020425220704.GE7537@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Gibbous (97% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> RFC-1991 defined sigclass 0x40 as a timestamp, and went on to further explain its intended use ("Type <40> is intended to be a signature of a signature, as a notary seal on a signed document.") When RFC-2440 came out, this extra explanation seems to have been lost, as 2440 defines 0x40 only as a timestamp. A sigclass for a signature on a signature would be very useful. Any chance to restore this clarification in the next draft? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3PLUju09322 for ietf-openpgp-bks; Thu, 25 Apr 2002 14:30:45 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3PLUia09318 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 14:30:44 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.2) for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 14:30:38 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 25 Apr 2002 14:30:44 -0700 Subject: New Draft Gone Out From: Jon Callas <jon@callas.org> To: OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EDC394.255F%jon@callas.org> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I send another draft out. It should have all comments reflected in it. If I missed something, let me know. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3PJVxr06626 for ietf-openpgp-bks; Thu, 25 Apr 2002 12:31:59 -0700 (PDT) Received: from guk1d002.glueckkanja.org ([62.8.243.3]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3PJVva06622 for <ietf-openpgp@imc.org>; Thu, 25 Apr 2002 12:31:58 -0700 (PDT) X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: non-transferable sigs with hashes and encryption only (Re: Recipient-verifiable messages) Date: Thu, 25 Apr 2002 21:31:40 +0200 Message-ID: <2F89C141B5B67645BB56C038537578821B5844@guk1d002.glueckkanja.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: non-transferable sigs with hashes and encryption only (Re: Recipient-verifiable messages) Thread-Index: AcHnUoYOrLYxk6K3QoSA2qTQsI0NAwFPKakA From: "Dominikus Scherkl" <Dominikus.Scherkl@glueckkanja.com> To: <ietf-openpgp@imc.org> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3PJVxa06623 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi. > The one other point I see is that as the number of recipients increases, > then a priori it becomes less likely that so many people would all > collude to forge a message from Alice. So although you have security > in principle, the deniability becomes a little more questionable in > practice when the number of recipients is large. Of course this is so - like if you tell several people a "secret" and later want do dement it was you who straied this rumor... -- Dominikus Scherkl dominikusscherkl@glueckkanja.com Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3NMjPN16784 for ietf-openpgp-bks; Tue, 23 Apr 2002 15:45:25 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3NMjEa16779 for <ietf-openpgp@imc.org>; Tue, 23 Apr 2002 15:45:14 -0700 (PDT) Received: from [192.168.1.23] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Tue, 23 Apr 2002 15:45:10 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Tue, 23 Apr 2002 15:39:11 -0700 Subject: Re: Revocation target subpacket (Re: What's left before a new RFC?) From: Jon Callas <jon@callas.org> To: Michael Young <mwy-opgp97@the-youngs.org>, OpenPGP <ietf-openpgp@imc.org> Message-ID: <B8EB309F.23A3%jon@callas.org> In-Reply-To: <00d501c1e66e$e3deb920$ebc42609@transarc.ibm.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/17/2002 5:20 PM, "Michael Young" <mwy-opgp97@the-youngs.org> wrote: > I still desire a "revocation target" subpacket to identify the > specific signature being revoked... In the immortal words of Rod Serling, submitted for your approval: .head 4 Revocation Target .block blank (1 octet PK algorithm, 1 octet hash algorithm, N octets hash) This subpacket identifies a specific target signature that a revocation signature revokes. This provides explicit designation of a revocation. All arguments are an identifier of that signature. The N octets of hash data MUST be the size of the hash of the signature. For example, a target signature with a SHA-1 hash MUST have 20 octets of hash data. Received: by above.proper.com (8.11.6/8.11.3) id g3K7vWb23324 for ietf-openpgp-bks; Sat, 20 Apr 2002 00:57:32 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3K7vUb23318 for <ietf-openpgp@imc.org>; Sat, 20 Apr 2002 00:57:30 -0700 (PDT) Received: from [63.73.97.183] (63.73.97.183) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Sat, 20 Apr 2002 00:57:24 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Sat, 20 Apr 2002 00:53:50 -0700 Subject: Re: What's left before a new RFC? From: Jon Callas <jon@callas.org> To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, <ietf-openpgp@imc.org> Message-ID: <B8E66C9E.1396%jon@callas.org> In-Reply-To: <87662mq32t.fsf@CERT.Uni-Stuttgart.DE> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/19/2002 11:47 PM, "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE> wrote: > 3.2 is lacking a hint to implementors that the bit count feild for > encrypted MPIs reflects the number of bits in the decrypted MPI (IOW, > encrypted MPIs might not be well-formed as required by 3.2). > Thank you. I wrote as the last paragraph of 3.2: Also note that when an MPI is encrypted, the length refers to the plaintext MPI. It may be ill-formed in its ciphertext. > There's a formatting error in the second table of section 5.2.3.16. Thanks. David Shaw also pointed that one out and it's fixed. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3K6llg13929 for ietf-openpgp-bks; Fri, 19 Apr 2002 23:47:47 -0700 (PDT) Received: from Mail.CERT.Uni-Stuttgart.DE (mail.cert.uni-stuttgart.de [129.69.16.17]) by above.proper.com (8.11.6/8.11.3) with SMTP id g3K6ljb13925 for <ietf-openpgp@imc.org>; Fri, 19 Apr 2002 23:47:46 -0700 (PDT) Received: (qmail 27895 invoked by uid 1000); 20 Apr 2002 06:47:06 -0000 To: ietf-openpgp@imc.org Subject: Re: What's left before a new RFC? References: <p05101585b8e3abe7a80e@[192.168.1.97]> From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> Date: Sat, 20 Apr 2002 08:47:06 +0200 In-Reply-To: <p05101585b8e3abe7a80e@[192.168.1.97]> (Jon Callas's message of "Wed, 17 Apr 2002 15:54:01 -0700") Message-ID: <87662mq32t.fsf@CERT.Uni-Stuttgart.DE> Lines: 15 User-Agent: Gnus/5.090005 (Oort Gnus v0.05) Emacs/21.1 (i686-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org> writes: > I know of no other desired changes. I would like bis-05 to be Penultimate > Call. Does anyone object? 3.2 is lacking a hint to implementors that the bit count feild for encrypted MPIs reflects the number of bits in the decrypted MPI (IOW, encrypted MPIs might not be well-formed as required by 3.2). There's a formatting error in the second table of section 5.2.3.16. -- Florian Weimer Weimer@CERT.Uni-Stuttgart.DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.11.6/8.11.3) id g3J4SV925671 for ietf-openpgp-bks; Thu, 18 Apr 2002 21:28:31 -0700 (PDT) Received: from mail.cablespeed.com (mail.cablespeed.com [216.45.96.99]) by above.proper.com (8.11.6/8.11.3) with SMTP id g3J4STb25666 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 21:28:29 -0700 (PDT) Received: (qmail 996 invoked by uid 0); 19 Apr 2002 04:28:26 -0000 Received: from unknown (HELO koma.kadrevis.com) (64.255.219.59) by mail.cablespeed.com with SMTP; 19 Apr 2002 04:28:26 -0000 Date: Thu, 18 Apr 2002 21:28:25 -0700 Subject: Re: bis04 Content-Type: text/plain; charset=WINDOWS-1252; format=flowed Mime-Version: 1.0 (Apple Message framework v481) From: Paul Holman <pablos@metasecura.com> To: ietf-openpgp@imc.org In-Reply-To: <20020416071637.GL17287@yoda.does-not-exist.org> Message-Id: <E437DEAE-534D-11D6-9992-003065F58F88@metasecura.com> X-Mailer: Apple Mail (2.481) Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3J4SUb25667 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Just confirmation, I finally performed this test, and my experience mirrors Jon's. I use Mail.app on MacOS X which I suppose is uncommonly, multilinguistically savvy, it displayed all the characters correctly. GnuPG and the associated plugin handled the signature fine. pablos. On Tuesday, April 16, 2002, at 12:16 AM, Thomas Roessler wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 2002-04-15 17:38:13 -0700, Jon Callas wrote: > >> The reason I dropped it is because some implementers claim that >> base OpenPGP with armoring is deprecated. This is *not* the case. > > With all due respect, OpenPGP with armoring gets you into all kinds > of hell as soon as you want to sign more than just us-ascii text, > and as soon as you want to verify the signature on a system > different from the one the signature was created on. This is, in > particular, the case when users have to feed PGP with a recoded > version of the message. Such recoding may be necessary in order to > properly display the message to you. > > Here's a test - this message is encoded in utf-8, it's clearsigned, > and here is a number of special characters: ä ö ü æ ç > > Using widespread Windows software, can you find a messaging program > which (1) verifies the signature AND (2) correctly displays the > special characters (Euro symbol, a-umlaut, o-umlaut, u-umlaut, ae > ligature, c-cedilla)? Please tell us. > >> If you can come up with wording that says MIME is great, but so is >> armoring, send it and I'll look at it. > > How about this? > > Note: A specification for using MIME to encapsulate OpenPGP > signed or encrypted messages, and for signing and encrypting > complex MIME objects with OpenPGP, can be found in RFC 3156. > > I'll send a separate message with somewhat more on the character > set issues later today. > > - -- > Thomas Roessler <roessler@does-not-exist.org> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > > iQEVAwUBPLvP1dImKUTOasbBAQKr6wgAwHjiE9UzYcSvhQjmFyj4Fq34S54UmOKR > RrF70Ecuofy77GrLapkqybhMdKlxobrncoTVE3QLnXwhvaaHD+9JIycUeu07h2nI > ce1KBZei1CJDq0J8LY81lLAIcrOQFtkporpBKITqNdaN/AUTKOfTD+5pT+D8PWq7 > EaAP8ZXyvr4Ydswx1u1cPNM5Y79bZCsmnpaJuwqPSM8XMo6+x8FFS6lKtiZuVazP > eoKcE1PF+UU4/hEh/FB3ypivgmykwSIAOJmSaztZr/Rrf8OWaUxodZTL6Y1lz0aJ > FoOmlZDEsiUcvw2VOA+Nh5sM+Fc+EcSVm1SGNrQs1V70ZbZJK5yqZw== > =LZ1m > -----END PGP SIGNATURE----- > Received: by above.proper.com (8.11.6/8.11.3) id g3J3CDd23696 for ietf-openpgp-bks; Thu, 18 Apr 2002 20:12:13 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3J3C2b23663 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 20:12:04 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3J32S003377; Thu, 18 Apr 2002 20:02:28 -0700 Date: Thu, 18 Apr 2002 20:02:28 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204190302.g3J32S003377@finney.org> To: adam@cypherspace.org, hal@finney.org Subject: Re: non-transferable sigs with hashes and encryption only (Re: Recipient-verifiable messages) Cc: ietf-openpgp@imc.org Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Adam Back writes: > On the simple hash/encrypt approach, I think this should work: > > Alice sending non-transferably signed message to Bob and Charlie: > > Encrypt_Bob(K_B), Encrypt( K_B, Sign_Alice(K_B||Bob), H(msg) ), > Encrypt_Charlie(K_C), Encrypt( K_C, Sign_Alice(K_C||Charlie), H(msg) ), > msg I see, that makes sense. It's similar in flavor to the suggestion I made last night, to do separate MACs on the msg using K_B and K_C. Then I was having Alice sign the Bob- and Charlie-encrypted key blocks, rather than the MAC and public key values directly, which probably amounts to much the same thing. Here's where proofs of security would be really nice, to see if any of these constructions have subtle problems, or if one is superior to the others. The one other point I see is that as the number of recipients increases, then a priori it becomes less likely that so many people would all collude to forge a message from Alice. So although you have security in principle, the deniability becomes a little more questionable in practice when the number of recipients is large. Hal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3J2Jt320997 for ietf-openpgp-bks; Thu, 18 Apr 2002 19:19:55 -0700 (PDT) Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3J2Jr720993 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 19:19:54 -0700 (PDT) Received: from cronus ([144.173.6.20] helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 3.33 #1) id 16yO1x-00BAe4-00; Fri, 19 Apr 2002 03:21:45 +0100 Date: Fri, 19 Apr 2002 03:19:45 +0100 From: Adam Back <adam@cypherspace.org> To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org Subject: non-transferable sigs with hashes and encryption only (Re: Recipient-verifiable messages) Message-ID: <20020419031945.A1943753@exeter.ac.uk> References: <200204180158.g3I1wK729577@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.2i In-Reply-To: <200204180158.g3I1wK729577@finney.org>; from hal@finney.org on Wed, Apr 17, 2002 at 06:58:20PM -0700 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hal Finney wrote: > > The approach generalises to multiple recipient's: either hash in all > > of the recipient public keys, or include signatures for each recipient > > -- the latter is probably preferable as then the recipient doesn't > > need all the other recipient's public keys to verify. > > I don't think that works for multiple recipients, because any recipient > can recover K, alter the msg, and re-create an apparently valid message > that would be accepted by other recipients. Alice's signature is only > on K and public keys so that part doesn't change when the msg does. You're right. That doesn't work. See below... On Wed, Apr 17, 2002 at 06:58:20PM -0700, Hal Finney wrote: > [...] > > This concept can be applied pretty straightforwardly to the mathematical > key-combining technique, I think (I figured out how to do it once) but > I don't see how to use the simple hash/encrypt trick to accomplish this. On the simple hash/encrypt approach, I think this should work: Alice sending non-transferably signed message to Bob and Charlie: Encrypt_Bob(K_B), Encrypt( K_B, Sign_Alice(K_B||Bob), H(msg) ), Encrypt_Charlie(K_C), Encrypt( K_C, Sign_Alice(K_C||Charlie), H(msg) ), msg the message could optionally be encrypted using standard multiple recipient technique (just include common key K): Encrypt_Bob(K_B,K), Encrypt( K_B, Sign_Alice(K_B||Bob), H(msg) ), Encrypt_Charlie(K_C,K), Encrypt( K_C, Sign_Alice(K_C||Charlie), H(msg) ), Encrypt( K, msg ) The Encrypt() function should include MDC in both uses. Bob can't transfer signatures as all he has is a signature that he received a message from Alice and a random key. He could forge any message to himself with that information. Similarly Bob and Charlie collaborating also can not transfer signatures from Alice as they can collaboratively forge any message to themselves. As long as K_B is kept secret Bob is sure Alice sent him the message, but can't convince anyone else of this fact. Bob can't forge a message from Alice to Charlie with the information he sees as he doesn't see Sign_Alice(K_C||Charlie), and can't transform Sign_Alice(K_B||Bob) into that, and he doesn't know KC so he can't decrypt to find out, nor can he modify the encryption because of the MDC also keyed via K_C. Adam -- http://www.cypherspace.org/adam/ Received: by above.proper.com (8.11.6/8.11.3) id g3IKNfA06592 for ietf-openpgp-bks; Thu, 18 Apr 2002 13:23:41 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IKNd706587 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 13:23:39 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3IKNJJ23313; Thu, 18 Apr 2002 16:23:19 -0400 (EDT) Subject: Re: Clearsigning, MIME, etc. To: mutz@kde.org Cc: john.dlugosz@kodak.com, roessler@does-not-exist.org, ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 18 Apr 2002 15:23:10 -0500 Message-ID: <OF7CA51296.7D148F03-ON86256B9F.006D7E33@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/18/2002 04:23:02 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz That is the official IANA name. See http://www.iana.org/assignments/character-sets . A while back, when looking for the official name, that's the only one I could find! Now, I see that windows-1252 is listed also. They don't show date of listing, but if the MIBenum is incremented each time, it's clearly a recient addition. iso-8859-1 is also listed, and it's a subset. Windows started with that and added glyphs in the C1 control area. Marc Mutz <mutz@kde.org> on 04-18-2002 12:35:21 PM To: john.dlugosz@kodak.com, roessler@does-not-exist.org cc: ietf-openpgp@imc.org Subject: Re: Clearsigning, MIME, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 April 2002 18:31, john.dlugosz@kodak.com wrote: <snip> > Use a header inside the PGP envelope to note the message's character set. > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA2 > Charset: ISO-8859-1-Windows-3.1-Latin-1 > > Message starts here... > Now how many people are going to use the correct official name, when it's > such a jawbreaker? Look at the charset declaration in web pages, and very > few get it right. So, better make that clear. <snip> Which charset should this be? The official, preferred mime-name is "iso-8859-1", and nothing else should be used, though the recveiver should understand other common names. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vwPZ3oWD+L2/6DgRAtzUAJ9ldFWxGPh0iM8/CmXShXTpcTGEfACg/jbQ 166yx32jHn7nHrjD5tm82qI= =G0bO -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3IJoal05215 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:50:36 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJoZ705211 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:50:35 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3IJokJ11529; Thu, 18 Apr 2002 15:50:46 -0400 (EDT) Subject: Re: What's left before a new RFC? To: mutz@kde.org Cc: marcel@news.m.wanda.ch, jon@callas.org, ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 18 Apr 2002 14:50:36 -0500 Message-ID: <OF4DB83ABD.D59BB9BD-ON86256B9F.006CD5C6@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/18/2002 03:50:29 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz Ah, excellent point. So if you wanted to include something funny in the version or comment, you could use something like HTML escapes. That would be clear to the human reader, but still pacify the person who really really wants to spell his name correctly. Marc Mutz <mutz@kde.org>@mail.imc.org on 04-18-2002 05:48:57 AM Sent by: owner-ietf-openpgp@mail.imc.org To: Marcel Waldvogel <marcel@news.m.wanda.ch>, Jon Callas <jon@callas.org> cc: ietf-openpgp@imc.org Subject: Re: What's left before a new RFC? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 April 2002 10:17, Marcel Waldvogel wrote: <snip> > For the Version and Comment headers, I propose to state that they are > UTF-8, but for interoperability, implementations SHOULD restrict > themselves to generate ASCII characters. <snip> I don't see the how having UTF-8 inside _ASCII_ Armor can be justified. The problem is that the ascii armor is going to be used in non-8but-clean environments. Else, you'd use the binary format, no? Because of that, I'm strongly in favour of stating that implementations MUST NOT emit armor headers with non-US-ACSII characters in them. Re: UTF-7. I understand that UTF-7 could be a solution. Only UTF-7 is widely considered to be a big mistake, so it shouldn't be used anymore. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vqSZ3oWD+L2/6DgRAvUFAJ9BG1s0Z8j+Ylmb17IpK/r7BsQE9ACfcJdz kBG5Od9TA9P84a7Qnh+NMdk= =TFvG -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3IJm3G05050 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:48:03 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJm0705044 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:48:01 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 16yId3-0007Hd-00; Thu, 18 Apr 2002 22:35:41 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 16yHtz-0000PU-00; Thu, 18 Apr 2002 21:49:07 +0200 To: "Hal Finney" <hal@finney.org> Cc: adam@cypherspace.org, ietf-openpgp@imc.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless References: <200204181920.g3IJKei01453@finney.org> From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Thu, 18 Apr 2002 21:49:07 +0200 In-Reply-To: <200204181920.g3IJKei01453@finney.org> ("Hal Finney"'s message of "Thu, 18 Apr 2002 12:20:40 -0700") Message-ID: <87ofggbxe4.fsf@alberti.gnupg.de> Lines: 11 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 18 Apr 2002 12:20:40 -0700, Hal Finney said: > Actually I think PGP 2.X did have the ability to strip off one layer > of PGP processing, so it could be used to turn a signed-and-encrypted > message into a signed one. It would not be cleartext signed, it would use PGP/MIME provides a cleaner way to handle this scnr, Werner Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3IJfEY04795 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:41:14 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJfC704791 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:41:12 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3IJfRJ07871; Thu, 18 Apr 2002 15:41:27 -0400 (EDT) Subject: Re: What's left before a new RFC? To: jon@callas.org Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 18 Apr 2002 14:41:17 -0500 Message-ID: <OF2E0F1719.99F179DA-ON86256B9F.006BB3EA@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/18/2002 03:41:10 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz 96-character G0 ASCII is a proper subset of UTF-8. Lots of Internet protocol headers are based on a common design that uses this small character set. Is there any reason to break from that, rather than saying "just like all the others"? If the reason is to have arbitrary chars in the comment etc., then perhaps say that it's UTF-8 but the keyword before the ':' must be confined to the G0 characters, and the linebreak is that of the surrounding document (what about the Unicode libebreak/parabreak chars?). Jon Callas <jon@callas.org>@mail.imc.org on 04-17-2002 05:54:01 PM Sent by: owner-ietf-openpgp@mail.imc.org To: ietf-openpgp@imc.org cc: Subject: What's left before a new RFC? When I sent out bis04, it had all previous changes and additions in it. Thomas Roessler is convincing me that I may need to tighten up the language about UTF-8. If anyone out there disagrees with him, speak up. I'm willing to put in a note to say that the Version and Comment headers in armor SHOULD or MUST be ASCII. I don't like it (I want everything to be UTF-8), but I'll do it. Is UTF-7 too grotesque? I know of no other desired changes. I would like bis-05 to be Penultimate Call. Does anyone object? Jon Received: by above.proper.com (8.11.6/8.11.3) id g3IJTnQ04494 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:29:49 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJTm704489 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:29:48 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3IJKei01453; Thu, 18 Apr 2002 12:20:40 -0700 Date: Thu, 18 Apr 2002 12:20:40 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204181920.g3IJKei01453@finney.org> To: adam@cypherspace.org, hal@finney.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Cc: ietf-openpgp@imc.org Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Adam Back writes: > What we proposed is related. Rather > than the normal encrypted signed message: > > Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg) > > we proposed: > > Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg) > > with the additional restriction that the encryption mode should be one > of the MDC modes (ie appended MAC with K outside encryption, or > appended hash of msg inside encryption). I see, that seems to work well too. Plus it hides the nature of the internal signature because it looks like a regular, opaque encryption message on the outside. > To break that down: we hash Bob's public key so that Bob can't turn > around and forge an arbitrary an arbitrary message from Alice to > Charlie using signed K. What Bob is left with is proof that Alice > sent him a message, but no evidence of what the message body was. > > The approach generalises to multiple recipient's: either hash in all > of the recipient public keys, or include signatures for each recipient > -- the latter is probably preferable as then the recipient doesn't > need all the other recipient's public keys to verify. I don't think that works for multiple recipients, because any recipient can recover K, alter the msg, and re-create an apparently valid message that would be accepted by other recipients. Alice's signature is only on K and public keys so that part doesn't change when the msg does. > Indeed. One aspect of our proposal which may be good is that > extracting a signature contained inside an encrypted message is > already not directly supported. So nothing _new_ has been added from > the users perspective -- rather that feature has been > cryptographically assured rather than just being an unimplemented > implementation possibility. Actually I think PGP 2.X did have the ability to strip off one layer of PGP processing, so it could be used to turn a signed-and-encrypted message into a signed one. It would not be cleartext signed, it would use literal packets, but it would be a legal signed message. Perhaps GnuPG has retained the ability to do this. Hal Received: by above.proper.com (8.11.6/8.11.3) id g3IJPZQ04375 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:25:35 -0700 (PDT) Received: from mail.uni-bielefeld.de (IDENT:72@mail2.uni-bielefeld.de [129.70.4.90]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJPX704370 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:25:33 -0700 (PDT) Received: from dirichlet.mathematik.uni-bielefeld.de (ppp36-182.hrz.uni-bielefeld.de [129.70.36.182]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8) with ESMTP id <0GUS00EPG3AGDN@mail.uni-bielefeld.de> for ietf-openpgp@imc.org; Thu, 18 Apr 2002 21:25:33 +0200 (MET DST) Date: Thu, 18 Apr 2002 19:35:21 +0200 From: Marc Mutz <mutz@kde.org> Subject: Re: Clearsigning, MIME, etc. In-reply-to: <OF1A6713E4.2AF118D7-ON86256B9F.0058AD68@kodak.com> To: john.dlugosz@kodak.com, roessler@does-not-exist.org Cc: ietf-openpgp@imc.org Message-id: <200204181935.22512@sendmail.mutz.com> Organization: KDE MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT User-Agent: KMail/1.4.5 X-PGP-Key: 0xBDBFE838 References: <OF1A6713E4.2AF118D7-ON86256B9F.0058AD68@kodak.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 April 2002 18:31, john.dlugosz@kodak.com wrote: <snip> > Use a header inside the PGP envelope to note the message's character set. > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA2 > Charset: ISO-8859-1-Windows-3.1-Latin-1 > > Message starts here... > Now how many people are going to use the correct official name, when it's > such a jawbreaker? Look at the charset declaration in web pages, and very > few get it right. So, better make that clear. <snip> Which charset should this be? The official, preferred mime-name is "iso-8859-1", and nothing else should be used, though the recveiver should understand other common names. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vwPZ3oWD+L2/6DgRAtzUAJ9ldFWxGPh0iM8/CmXShXTpcTGEfACg/jbQ 166yx32jHn7nHrjD5tm82qI= =G0bO -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3IJPXp04369 for ietf-openpgp-bks; Thu, 18 Apr 2002 12:25:33 -0700 (PDT) Received: from mail.uni-bielefeld.de (IDENT:72@mail2.uni-bielefeld.de [129.70.4.90]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IJPV704362 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 12:25:32 -0700 (PDT) Received: from dirichlet.mathematik.uni-bielefeld.de (ppp36-182.hrz.uni-bielefeld.de [129.70.36.182]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8) with ESMTP id <0GUS00EPG3AGDN@mail.uni-bielefeld.de> for ietf-openpgp@imc.org; Thu, 18 Apr 2002 21:25:31 +0200 (MET DST) Date: Thu, 18 Apr 2002 19:30:33 +0200 From: Marc Mutz <mutz@kde.org> Subject: Re: What's left before a new RFC? In-reply-to: <3CBEDC3D.10809@news.m.wanda.ch> To: Marcel Waldvogel <marcel@news.m.wanda.ch> Cc: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org Message-id: <200204181930.35413@sendmail.mutz.com> Organization: KDE MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT User-Agent: KMail/1.4.5 X-PGP-Key: 0xBDBFE838 References: <p05101585b8e3abe7a80e@[192.168.1.97]> <200204181248.57879@sendmail.mutz.com> <3CBEDC3D.10809@news.m.wanda.ch> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 April 2002 16:46, Marcel Waldvogel wrote: <snip> > >I don't see the how having UTF-8 inside _ASCII_ Armor can be justified. > > The problem is that the ascii armor is going to be used in non-8but-clean > > environments. Else, you'd use the binary format, no? > > One one side, we can consider cleartext signatures, which already can > contain characters with the MSB set, and which are not necessarily > armored for 8-bit cleanliness. Even there, the signature block is (among > other things) ASCII-armored to not confuse the user (or his terminal) > with weird chars. Yes, but the problem is not clearsigning. The problem is armoured encryption and armoured keyrings. There also exist binary versions. Why do you think exist armoured ones? If the armoured format wasn't restricted to US-ASCII, then what right has the armoured format to exist anymore? > There are multiple reasons for armoring non-7bit data: > a) The transport does not allow arbitrary 8bit sequences <snip> SMTP falls into this category. That's what I'm mainly concerned with and that's where we ran into problems a few months ago. The PGP/MIME rfc3156 defines all app/pgp-* mimetypes to be 7bit only. Allowing 8bit octets in ascii armour would break rfc3156 (and rfc1847, too, IIRC) for no apparent added value. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vwK63oWD+L2/6DgRAqXlAKC5cLDJVbFYNjXQbZrirk8R6PCpXACg2zn4 njSeHYzN+c4Nlm0o2dpxKbY= =Pcej -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3IIvgP01808 for ietf-openpgp-bks; Thu, 18 Apr 2002 11:57:42 -0700 (PDT) Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IIvQ701767 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 11:57:27 -0700 (PDT) Received: from cronus ([144.173.6.20] helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 3.33 #1) id 16yH7q-00AzfD-00; Thu, 18 Apr 2002 19:59:22 +0100 Date: Thu, 18 Apr 2002 19:57:12 +0100 From: Adam Back <adam@cypherspace.org> To: Werner Koch <wk@gnupg.org> Cc: ietf-openpgp@imc.org Subject: Re: Whither comment packets? Message-ID: <20020418195712.A1938932@exeter.ac.uk> References: <B8E44C8C.1246%jon@callas.org> <87g01sdhbz.fsf@alberti.gnupg.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.2i In-Reply-To: <87g01sdhbz.fsf@alberti.gnupg.de>; from wk@gnupg.org on Thu, Apr 18, 2002 at 07:53:04PM +0200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I don't find it makes a lot of sense either. Key size reduction is anyway easy to do whatever the packet formats -- from the cryptography directly: generate weak key-pairs, or weak symmetric keys, or trap-door weak keys (weak if you know some secret strong otherwise) etc. There have been a number of papers about how to do this and how to do it well. Adam On Thu, Apr 18, 2002 at 07:53:04PM +0200, Werner Koch wrote: > > On Thu, 18 Apr 2002 10:12:28 -0700, Jon Callas said: > > > Yes, it was seen to be a security problem. An evil implementation could leak > > things (like your keys) there, or use it as a way to do key-size reduction. > > Not very convincing; I'd put it into the unhashed area of signature > packets ;-) > > Werner > Received: by above.proper.com (8.11.6/8.11.3) id g3IHpsi27143 for ietf-openpgp-bks; Thu, 18 Apr 2002 10:51:54 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IHppm27139 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 10:51:51 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 16yGog-0006qw-00; Thu, 18 Apr 2002 20:39:34 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 16yG5g-000080-00; Thu, 18 Apr 2002 19:53:04 +0200 To: ietf-openpgp@imc.org Subject: Re: Whither comment packets? References: <B8E44C8C.1246%jon@callas.org> From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Thu, 18 Apr 2002 19:53:04 +0200 In-Reply-To: <B8E44C8C.1246%jon@callas.org> (Jon Callas's message of "Thu, 18 Apr 2002 10:12:28 -0700") Message-ID: <87g01sdhbz.fsf@alberti.gnupg.de> Lines: 9 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 18 Apr 2002 10:12:28 -0700, Jon Callas said: > Yes, it was seen to be a security problem. An evil implementation could leak > things (like your keys) there, or use it as a way to do key-size reduction. Not very convincing; I'd put it into the unhashed area of signature packets ;-) Werner Received: by above.proper.com (8.11.6/8.11.3) id g3IHHTA26200 for ietf-openpgp-bks; Thu, 18 Apr 2002 10:17:29 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IHHSm26196 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 10:17:28 -0700 (PDT) Received: from [192.168.1.27] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Thu, 18 Apr 2002 10:17:13 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Thu, 18 Apr 2002 10:12:28 -0700 Subject: Re: Whither comment packets? From: Jon Callas <jon@callas.org> To: David Shaw <dshaw@jabberwocky.com> CC: <ietf-openpgp@imc.org> Message-ID: <B8E44C8C.1246%jon@callas.org> In-Reply-To: <20020418164449.GB704@akamai.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 4/18/2002 9:44 AM, "David Shaw" <dshaw@jabberwocky.com> wrote: > I understand that at some point in the past one of the OpenPGP drafts > had a "comment packet" defined. It seems to have been dropped > somewhere along the way, and I was wondering if anyone recalled why? Yes, it was seen to be a security problem. An evil implementation could leak things (like your keys) there, or use it as a way to do key-size reduction. The area directors were forceful and persuasive in their arguments. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3IGj0622100 for ietf-openpgp-bks; Thu, 18 Apr 2002 09:45:00 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IGixm22093 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 09:44:59 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3IGin001633 for ietf-openpgp@imc.org; Thu, 18 Apr 2002 12:44:49 -0400 Date: Thu, 18 Apr 2002 12:44:49 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Whither comment packets? Message-ID: <20020418164449.GB704@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Crescent (31% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi everyone, I understand that at some point in the past one of the OpenPGP drafts had a "comment packet" defined. It seems to have been dropped somewhere along the way, and I was wondering if anyone recalled why? David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3IGVF921259 for ietf-openpgp-bks; Thu, 18 Apr 2002 09:31:15 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IGVDm21255 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 09:31:14 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3IGVIJ00684; Thu, 18 Apr 2002 12:31:18 -0400 (EDT) Subject: Re: Clearsigning, MIME, etc. To: roessler@does-not-exist.org Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 18 Apr 2002 11:31:08 -0500 Message-ID: <OF1A6713E4.2AF118D7-ON86256B9F.0058AD68@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/18/2002 12:31:01 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz Re: - ASCII armor proper can be fixed by giving a clear specification of the character set issues involved: Either mandate UTF-8, or mandate tagging and use UTF-8 as the default. The current language is considerably too fuzzy, and - I believe - mostly ignored. Excellent report and summary--thanks for clearing everything up. I'd like to make one point. If ASCII-armor and PGP "stuff" inside the readable text in general is for dealing with systems that don't have meta-data for this, we can't mandate the use of a mail header. If it's stored in a txt file, it doesn't =have= a mail header! Listing the charset info as clear-text would be helpful in general to the human reader, too. So you could put it in the PGP headers after the -----BEGIN and before the blank line separator. Or, it can be a flag in the "encoding", but the only encoded stuff in this case is the signature block itself. Why not both? If you change the text file, you can change the human-readable charset header to match, and when you verify, the tool will see the mismatch and convert back to the format that the sig was used on, or give a suitable error. Or, the signature can "normalize" text by converting it to UTF-8 internally. The verify would know to do the same, from whatever the file's charset it. Putting that together, I'd propose something like this: Use a header inside the PGP envelope to note the message's character set. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA2 Charset: ISO-8859-1-Windows-3.1-Latin-1 Message starts here... Now how many people are going to use the correct official name, when it's such a jawbreaker? Look at the charset declaration in web pages, and very few get it right. So, better make that clear. Meanwhile, the signature itself (the base64-encoded packets) would contain a flag that states that the normalization of the text included converting to UTF-8. Without that flag, it does what it does now, and takes whatever bytes you give it unchanged except for rules about trailing whitespace and linebreaks. In summary, I think the idea of recording this information in two places (the clear text and the sig) is valuable, and allows the text block to be re-coded for display and still check the signature. An existing MUA won't know to change the Charset line, but between that value and the mail header and your machine's configuration, you have enough information to figure out just what it did! Received: by above.proper.com (8.11.6/8.11.3) id g3IEkVE15632 for ietf-openpgp-bks; Thu, 18 Apr 2002 07:46:31 -0700 (PDT) Received: from wanda.ch (adsl-73-116-basel1.tiscalinet.ch [212.254.73.116]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IEkTm15628 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 07:46:30 -0700 (PDT) Received: from news.m.wanda.ch (pat.zurich.ibm.com [195.212.119.253]) by wanda.ch (8.11.6/8.11.3/SuSE Linux 8.11.1-0.5) with ESMTP id g3IEkMw14021; Thu, 18 Apr 2002 16:46:22 +0200 Message-ID: <3CBEDC3D.10809@news.m.wanda.ch> Date: Thu, 18 Apr 2002 16:46:21 +0200 From: Marcel Waldvogel <marcel@news.m.wanda.ch> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204 X-Accept-Language: de, en MIME-Version: 1.0 To: Marc Mutz <mutz@kde.org> CC: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org Subject: Re: What's left before a new RFC? References: <p05101585b8e3abe7a80e@[192.168.1.97]> <3CBE80FF.6040301@news.m.wanda.ch> <200204181248.57879@sendmail.mutz.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Marc Mutz wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Thursday 18 April 2002 10:17, Marcel Waldvogel wrote: ><snip> > >>For the Version and Comment headers, I propose to state that they are >>UTF-8, but for interoperability, implementations SHOULD restrict >>themselves to generate ASCII characters. >> ><snip> > >I don't see the how having UTF-8 inside _ASCII_ Armor can be justified. The >problem is that the ascii armor is going to be used in non-8but-clean >environments. Else, you'd use the binary format, no? > One one side, we can consider cleartext signatures, which already can contain characters with the MSB set, and which are not necessarily armored for 8-bit cleanliness. Even there, the signature block is (among other things) ASCII-armored to not confuse the user (or his terminal) with weird chars. There are multiple reasons for armoring non-7bit data: a) The transport does not allow arbitrary 8bit sequences b) The transport does not allow arbitrary "line" lengths c) The transport does charset recoding, probably forth and back. The headers that use UTF-8 are mostly for human consumption (I presume), and most modern non-8bit transports are of the form (b) or (c), which (1) should not harm typical headers nor (2) cause any damage, if they are slightly mangled (IMHO). BTW: Does the "Version" header contain the product and version used ("User-Agent"), or the version of the standard ("MIME-Version")? bis04 seems to indicate the latter, but usage seems to be the former. -Marcel Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3IDitJ12123 for ietf-openpgp-bks; Thu, 18 Apr 2002 06:44:55 -0700 (PDT) Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3IDism12119 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 06:44:55 -0700 (PDT) Received: from cronus ([144.173.6.20] helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 3.33 #1) id 16yCFT-00Aw1f-00; Thu, 18 Apr 2002 14:46:55 +0100 Date: Thu, 18 Apr 2002 14:44:54 +0100 From: Adam Back <adam@cypherspace.org> To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Message-ID: <20020418144454.A1920489@exeter.ac.uk> References: <200204180158.g3I1wK729577@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.2i In-Reply-To: <200204180158.g3I1wK729577@finney.org>; from hal@finney.org on Wed, Apr 17, 2002 at 06:58:20PM -0700 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Apr 17, 2002 at 06:58:20PM -0700, Hal Finney wrote: > > Adam Back writes: > > The approach of signing encrypted key and using the key to MAC the > > data is interesting. It's very similar to what Ian and I proposed in: > > > > Non-Transferable Signatures using PGP, Usenix Annual Technical > > Conference, 98, Ian Brown and Adam Back > > > > There's a short summary here: > > > > http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm > > I haven't been able to get through to this site; I'll try again later. (Seems to be reachable now.) What we proposed is related. Rather than the normal encrypted signed message: Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(msg)), msg) we proposed: Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg) with the additional restriction that the encryption mode should be one of the MDC modes (ie appended MAC with K outside encryption, or appended hash of msg inside encryption). To break that down: we hash Bob's public key so that Bob can't turn around and forge an arbitrary an arbitrary message from Alice to Charlie using signed K. What Bob is left with is proof that Alice sent him a message, but no evidence of what the message body was. The approach generalises to multiple recipient's: either hash in all of the recipient public keys, or include signatures for each recipient -- the latter is probably preferable as then the recipient doesn't need all the other recipient's public keys to verify. > > I don't think that so bad. I think a reasonable approach for example > > would be to by default non-transferably sign when messages are > > encrypted and transferably sign when they are not (which makes sense > > as it's probably what you want anyway as you described in a later > > message, and with this particular scheme you can't sign without > > encrypting). > > Well, you can sign without encrypting the message by using the shared > key to MAC the message rather than encrypt it, although you're right > that there still has to be an element of encryption involved, and you > do need to know who the recipient is. Yes. Needing to know who the recipient is was what made us feel a natural place to put non-transferable sigantures was inside encryption -- to avoid adding a confusing extra restriction and avoid causing wide-ranging changes to the code, APIs and command line and GUI. > My worry is more with the understanding on the part of the users as > to what kinds of security guarantees they are getting. Descriptions > of digital signatures are widely available, and the motivated user > has many sources he can go to in order to learn about how signatures > work. > > If we introduce these non-transferable signatures (good name btw) then > there is more possibility for confusion. Indeed. One aspect of our proposal which may be good is that extracting a signature contained inside an encrypted message is already not directly supported. So nothing _new_ has been added from the users perspective -- rather that feature has been cryptographically assured rather than just being an unimplemented implementation possibility. You're right that it may confuse, but they won't be directly exposed to it unless they dig under the hood. Seems somewhat reasonable that people who are paranoid enough to not want transferable signatures should also use encryption. The kinds of things they are worrying about -- eg off the record remark becoming on the record and involved in a dispute -- are best also protected by encryption as courts seem to view plaintext as evidence and unauthenticated company and ISP mail logs things like that. > Is there an extension of this to the multi-party case? It doesn't > work to use the simple idea of having Alice encrypt K to each recipient > and sign those encryptions, then MAC (or encrypt) the message with K. > The problem is that each recipient learns K, hence any of them might have > created or altered the message body. Each recipient is only convinced > that the message came from Alice or someone on the recipient list. Yes see above. > Logically it seems to me that for this to work the message has to be one > which was constructable either by the signer, or by the collective effort > of all the recipients WORKING TOGETHER. In this way, each recipient > can know that, since he did not collude with the other recipients to > make the message, it must have come from the claimed signer, making > the signature convincing. But outside parties cannot rule out the > possibility that the recipients collectively "forged" the message, > making the signature non-transferrable. > > This concept can be applied pretty straightforwardly to the mathematical > key-combining technique, I think (I figured out how to do it once) but > I don't see how to use the simple hash/encrypt trick to accomplish this. We also looked a bit at a group signature with a similar property to the one you reference in Rivest et al's paper. The reference I have for it is: Bernardo A. Huberman, Matt Franklin and Tad Hogg: Enhancing privacy and trust inelectronic communities. ACM Conference on Electronic Commerce, 1999, pp.78-86. http://citeseer.nj.nec.com/365811.html however that paper also references some earlier work. By combining the approach with these group signatures you reduce the proof Bob ends up with. Instead of a proof that Bob received a message from Alice, but no proof of message content, Bob ends up with a proof that either Alice sent him a message or he forged a message to himself from Alice. I agree with your collective effort argument for the generalized version of this with multiple recipients. It's all fairly related to forward secrecy also -- another form of proof of authorship is for a court with a copy of a ciphertext to demand appropriate private keys and verify for themselves. This in theory could have been forged, but they'll have mail headers and a tendency to believe that Bob did not think ahead and forge a mail to yourself pretending to be Alice. Adam Received: by above.proper.com (8.11.6/8.11.3) id g3IAq4X01698 for ietf-openpgp-bks; Thu, 18 Apr 2002 03:52:04 -0700 (PDT) Received: from c000.snv.cp.net (h000.c000.snv.cp.net [209.228.32.64]) by above.proper.com (8.11.6/8.11.3) with SMTP id g3IAq2m01694 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 03:52:02 -0700 (PDT) Received: (cpmta 3652 invoked from network); 18 Apr 2002 03:51:57 -0700 Received: from 80.130.169.184 (HELO dirichlet.mathematik.uni-bielefeld.de) by smtp.mutz.com (209.228.32.64) with SMTP; 18 Apr 2002 03:51:57 -0700 X-Sent: 18 Apr 2002 10:51:57 GMT Content-Type: text/plain; charset="us-ascii" From: Marc Mutz <mutz@kde.org> Organization: KDE To: Marcel Waldvogel <marcel@news.m.wanda.ch>, Jon Callas <jon@callas.org> Subject: Re: What's left before a new RFC? Date: Thu, 18 Apr 2002 12:48:57 +0200 User-Agent: KMail/1.4.5 Cc: ietf-openpgp@imc.org References: <p05101585b8e3abe7a80e@[192.168.1.97]> <3CBE80FF.6040301@news.m.wanda.ch> In-Reply-To: <3CBE80FF.6040301@news.m.wanda.ch> X-PGP-Key: 0xBDBFE838 MIME-Version: 1.0 Message-Id: <200204181248.57879@sendmail.mutz.com> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3IAq3m01695 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 18 April 2002 10:17, Marcel Waldvogel wrote: <snip> > For the Version and Comment headers, I propose to state that they are > UTF-8, but for interoperability, implementations SHOULD restrict > themselves to generate ASCII characters. <snip> I don't see the how having UTF-8 inside _ASCII_ Armor can be justified. The problem is that the ascii armor is going to be used in non-8but-clean environments. Else, you'd use the binary format, no? Because of that, I'm strongly in favour of stating that implementations MUST NOT emit armor headers with non-US-ACSII characters in them. Re: UTF-7. I understand that UTF-7 could be a solution. Only UTF-7 is widely considered to be a big mistake, so it shouldn't be used anymore. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vqSZ3oWD+L2/6DgRAvUFAJ9BG1s0Z8j+Ylmb17IpK/r7BsQE9ACfcJdz kBG5Od9TA9P84a7Qnh+NMdk= =TFvG -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3I8HO114718 for ietf-openpgp-bks; Thu, 18 Apr 2002 01:17:24 -0700 (PDT) Received: from wanda.ch (adsl-73-116-basel1.tiscalinet.ch [212.254.73.116]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I8HMm14703 for <ietf-openpgp@imc.org>; Thu, 18 Apr 2002 01:17:22 -0700 (PDT) Received: from news.m.wanda.ch (pat.zurich.ibm.com [195.212.119.253]) by wanda.ch (8.11.6/8.11.3/SuSE Linux 8.11.1-0.5) with ESMTP id g3I8H8w12421; Thu, 18 Apr 2002 10:17:08 +0200 Message-ID: <3CBE80FF.6040301@news.m.wanda.ch> Date: Thu, 18 Apr 2002 10:17:03 +0200 From: Marcel Waldvogel <marcel@news.m.wanda.ch> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8) Gecko/20020204 X-Accept-Language: de, en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> CC: ietf-openpgp@imc.org Subject: Re: What's left before a new RFC? References: <p05101585b8e3abe7a80e@[192.168.1.97]> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon, I agree with Thomas on the UTF-8 issue. For the Version and Comment headers, I propose to state that they are UTF-8, but for interoperability, implementations SHOULD restrict themselves to generate ASCII characters. This phrase may be put in section 14 as a general comment. -Marcel Jon Callas wrote: >When I sent out bis04, it had all previous changes and additions in it. > >Thomas Roessler is convincing me that I may need to tighten up the language >about UTF-8. If anyone out there disagrees with him, speak up. > >I'm willing to put in a note to say that the Version and Comment headers in >armor SHOULD or MUST be ASCII. I don't like it (I want everything to be >UTF-8), but I'll do it. Is UTF-7 too grotesque? > >I know of no other desired changes. I would like bis-05 to be Penultimate >Call. Does anyone object? > > Jon > Received: by above.proper.com (8.11.6/8.11.3) id g3I2eMV14266 for ietf-openpgp-bks; Wed, 17 Apr 2002 19:40:22 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I2eLm14262 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 19:40:21 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3I2eEg01998; Wed, 17 Apr 2002 22:40:14 -0400 Date: Wed, 17 Apr 2002 22:40:14 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: bis04: revocation key nits Message-ID: <20020418024013.GA1964@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org References: <20020418004918.GA661@akamai.com> <p0510158cb8e3cae4eb63@[192.168.1.97]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <p0510158cb8e3cae4eb63@[192.168.1.97]> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Crescent (25% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Apr 17, 2002 at 06:13:34PM -0700, Jon Callas wrote: > > At 8:49 PM -0400 4/17/02, David Shaw wrote: > > >The first item is that there is no way to revoke a 0x1F signature. > >Since the designated revoker information is contained in an 0x1F > >signature, this means that once a user designates a designated > >revoker, the user cannot later undo the designation if circumstances > >change. > > > >I'd like to request a new signature class to indicate a 0x1F > >revocation or an expansion of the meaning of one of the existing > >revocation signature classes to include 0x1F signatures. [..] > How do you revoke your key if the revocation can be revoked? If your key is > compromised, the person who has it can do anything they want, including > revoke your revoker. The designated revoker might as well not be there if > it's not irrevocable. Now it's true, we also have an irrevocability > subpacket. But nonetheless, it can't be revocable. Ah, excellent point. Do you think it is still worth (for completeness, if not for the specific example of designated revokers) having a way to revoke a 0x1F signature? As for designated revokers in GnuPG, I'll do what PGP does and include a nonrevocable subpacket with the 0x1F signature to remove any ambiguity. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3I2ZQ814134 for ietf-openpgp-bks; Wed, 17 Apr 2002 19:35:26 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I2ZPm14130 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 19:35:25 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3I2QQA29627; Wed, 17 Apr 2002 19:26:26 -0700 Date: Wed, 17 Apr 2002 19:26:26 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204180226.g3I2QQA29627@finney.org> To: adam@cypherspace.org, hal@finney.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Cc: ietf-openpgp@imc.org Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> A correction: I wrote: > If we introduce these non-transferable signatures (good name btw) then > there is more possibility for confusion. It's completely different from > a regular signature; for one thing, Alice doesn't even have to type her > passphrase, because her signature key is not used when she creates this > kind of "signature"! Imagine the paranoia that would trigger on the PGP > user lists. In general it's going to increase the explanatory burden > for people who want to understand what the software is doing. Sorry, I was confused when I wrote this. Of course, Alice does have to use her passphrase and private key, as she signs the encrypted key block. But I still think that the unique security properties of this kind of signature would have to be explained, so that people can make knowledgeable judgements about the security they are getting. Hal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3I27PF13434 for ietf-openpgp-bks; Wed, 17 Apr 2002 19:07:25 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I27Om13430 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 19:07:24 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3I1wK729577; Wed, 17 Apr 2002 18:58:20 -0700 Date: Wed, 17 Apr 2002 18:58:20 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204180158.g3I1wK729577@finney.org> To: adam@cypherspace.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Cc: ietf-openpgp@imc.org Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Adam Back writes: > The approach of signing encrypted key and using the key to MAC the > data is interesting. It's very similar to what Ian and I proposed in: > > Non-Transferable Signatures using PGP, Usenix Annual Technical > Conference, 98, Ian Brown and Adam Back > > There's a short summary here: > > http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm I haven't been able to get through to this site; I'll try again later. > I don't think that so bad. I think a reasonable approach for example > would be to by default non-transferably sign when messages are > encrypted and transferably sign when they are not (which makes sense > as it's probably what you want anyway as you described in a later > message, and with this particular scheme you can't sign without > encrypting). Well, you can sign without encrypting the message by using the shared key to MAC the message rather than encrypt it, although you're right that there still has to be an element of encryption involved, and you do need to know who the recipient is. My main concern is not so much with the operational complexity; as you say, the software could automatically create the right kind of signature in most cases. My worry is more with the understanding on the part of the users as to what kinds of security guarantees they are getting. Descriptions of digital signatures are widely available, and the motivated user has many sources he can go to in order to learn about how signatures work. If we introduce these non-transferable signatures (good name btw) then there is more possibility for confusion. It's completely different from a regular signature; for one thing, Alice doesn't even have to type her passphrase, because her signature key is not used when she creates this kind of "signature"! Imagine the paranoia that would trigger on the PGP user lists. In general it's going to increase the explanatory burden for people who want to understand what the software is doing. I am also concerned about the security of this specific construction, Sign_Alice(Encrypt_Bob(K)), MAC(K,Msg), Msg. (Also applies to Sign_Alice(Encrypt_Bob(K)), Encrypt(K, Msg).) One attack I noticed is that if Bob accidentally reveals K to an eavesdropper Eve, Eve can replay the Sign_Alice(Encrypt_Bob(K)) block and replace the Msg with her own. To defend against this either Bob could keep a list of recently used K values (and perhaps include timestamps in the signed block). Or of course he could just be careful about leaking K, but it is an important consideration for the designer. It would be nice to see some security proofs for this construction. Is there an extension of this to the multi-party case? It doesn't work to use the simple idea of having Alice encrypt K to each recipient and sign those encryptions, then MAC (or encrypt) the message with K. The problem is that each recipient learns K, hence any of them might have created or altered the message body. Each recipient is only convinced that the message came from Alice or someone on the recipient list. Logically it seems to me that for this to work the message has to be one which was constructable either by the signer, or by the collective effort of all the recipients WORKING TOGETHER. In this way, each recipient can know that, since he did not collude with the other recipients to make the message, it must have come from the claimed signer, making the signature convincing. But outside parties cannot rule out the possibility that the recipients collectively "forged" the message, making the signature non-transferrable. This concept can be applied pretty straightforwardly to the mathematical key-combining technique, I think (I figured out how to do it once) but I don't see how to use the simple hash/encrypt trick to accomplish this. BTW please do not forward this message elsewhere; by our company policy we are supposed to restrict technical discussion of cryptography to research oriented forums, and this list counts for that, but not most others. Hal Received: by above.proper.com (8.11.6/8.11.3) id g3I1Q6w12471 for ietf-openpgp-bks; Wed, 17 Apr 2002 18:26:06 -0700 (PDT) Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I1Q5m12466 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 18:26:06 -0700 (PDT) Received: from cronus ([144.173.6.20] helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 3.33 #1) id 16y0iL-00B2R2-00; Thu, 18 Apr 2002 02:27:57 +0100 Date: Thu, 18 Apr 2002 02:27:56 +0100 From: Adam Back <adam@cypherspace.org> To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Message-ID: <20020418022756.A1878773@exeter.ac.uk> References: <200204111545.g3BFjdw11622@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.2i In-Reply-To: <200204111545.g3BFjdw11622@finney.org>; from hal@finney.org on Thu, Apr 11, 2002 at 08:45:39AM -0700 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Only just saw this thread due to mailer config issue and Ian Brown pointed it out to me. The approach of signing encrypted key and using the key to MAC the data is interesting. It's very similar to what Ian and I proposed in: Non-Transferable Signatures using PGP, Usenix Annual Technical Conference, 98, Ian Brown and Adam Back There's a short summary here: http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm > Unfortunately I think that adding a new flavor of signature would tend > to create confusion among users who at best barely understand public > key cryptography. The new kind of signature would have very different > security properties and usage scenarios, so it would add additional > complexity for people to deal with. I don't think that so bad. I think a reasonable approach for example would be to by default non-transferably sign when messages are encrypted and transferably sign when they are not (which makes sense as it's probably what you want anyway as you described in a later message, and with this particular scheme you can't sign without encrypting). btw We originally were going to put the non-transferable signature stuff in the Forward Secrecy Extensions for PGP ID, but opted instead to separate concerns and keep the ID simple. http://www.cypherspace.org/openpgp/pfs/openpgp-pfs.txt Adam On Thu, Apr 11, 2002 at 08:45:39AM -0700, Hal Finney wrote: > I haven't read this RFC, but I had a long discussion with Wei Dai last > year about ways to do this within the OpenPGP framework. We came up with > a couple of ideas. These might be called "recipient-verifiable" signed > messages, to distinguish them from the regular PGP signed messages which > are "world-verifiable". The general approach is to make the message such > that the recipient could "forge" fake messages from the sender that look > legitimate to third parties. This prevents the real message from being > shown around in a convincing way. > > Wei suggested that the recipient-verifiable message from Alice to Bob > could be as follows: > > Sign_Alice( Encrypt_Bob( K ) ), MAC_K( Msg ), Msg. > > The idea is that Alice chooses a MAC key K, encrypts it to Bob and then > signs the encrypted packet. She sends this, along with the MAC'd message, > to Bob. Bob can recover K from the encrypted packet, verifying the > signature by Alice on that packet, and then verify the MAC. Received: by above.proper.com (8.11.6/8.11.3) id g3I1IGC12347 for ietf-openpgp-bks; Wed, 17 Apr 2002 18:18:16 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I1IFm12343 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 18:18:15 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Wed, 17 Apr 2002 18:17:57 -0700 Mime-Version: 1.0 Message-Id: <p0510158cb8e3cae4eb63@[192.168.1.97]> In-Reply-To: <20020418004918.GA661@akamai.com> References: <20020418004918.GA661@akamai.com> Date: Wed, 17 Apr 2002 18:13:34 -0700 To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: bis04: revocation key nits Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 8:49 PM -0400 4/17/02, David Shaw wrote: >The first item is that there is no way to revoke a 0x1F signature. >Since the designated revoker information is contained in an 0x1F >signature, this means that once a user designates a designated >revoker, the user cannot later undo the designation if circumstances >change. > >I'd like to request a new signature class to indicate a 0x1F >revocation or an expansion of the meaning of one of the existing >revocation signature classes to include 0x1F signatures. It is the intent of the designated revoker feature that it cannot be revoked. Otherwise it's too hairy for words. Here's a scenario: Suppose Alice is your designated revoker. You discover that your key is being used by persons unknown for purposes you don't approve of -- oh, like spending your money. Let's also assume that you no longer have the secret key (let's say your laptop was stolen). You visit Alice, explaining the problem, and she generates a revocation for your certificate. After all, that's why she's your revoker. Alice sends it to the world. Or you send it to the world for Alice. The next day, a merchant cashes another bogus check. You call up the merchant and ask, "What the heck are you doing? Didn't you see Alice's revocation of that key." The merchant replies, "Yeah, but I also have a revocation of Alice's revoker status dated April 1, 1999." How do you revoke your key if the revocation can be revoked? If your key is compromised, the person who has it can do anything they want, including revoke your revoker. The designated revoker might as well not be there if it's not irrevocable. Now it's true, we also have an irrevocability subpacket. But nonetheless, it can't be revocable. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3I0qqS11830 for ietf-openpgp-bks; Wed, 17 Apr 2002 17:52:52 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I0qpm11826 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 17:52:51 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3I0qoo01154 for ietf-openpgp@imc.org; Wed, 17 Apr 2002 20:52:50 -0400 Date: Wed, 17 Apr 2002 20:52:50 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Revocation target subpacket (Re: What's left before a new RFC?) Message-ID: <20020418005250.GB661@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org References: <p05101585b8e3abe7a80e@[192.168.1.97]> <00d501c1e66e$e3deb920$ebc42609@transarc.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <00d501c1e66e$e3deb920$ebc42609@transarc.ibm.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Crescent (24% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Apr 17, 2002 at 08:20:26PM -0400, Michael Young wrote: > I still desire a "revocation target" subpacket to identify the > specific signature being revoked: [..] > David Shaw also suggested including the timestamp from the revocation > packet, to allow a blazingly fast comparison. Again, I could live > with or without this. After further consideration of Jon's comments about hash comparison, I don't see the need. > Without the ability to revoke a specific signature, I strongly object > to multiple self-signatures being interpreted "any way it sees fit". > Yes, there's a RECOMMENDED behavior, and that may be the best we can > hope for in old implementations. It's sad to suggest that when > conversing among new implementations, a key owner cannot update its > self-signature in a clear and unambiguous way. But a revocation > target would satisfy my objection. There may be other solutions to > this specific problem, such as a "supercedes" subpacket, but I don't > think they're as generally powerful or useful. > > Note that I would not limit the use of this subpacket to self-signatures. > I think it would be equally meaningful for ordinary certifications, > to disambiguate between signatures with different subpackets (e.g., > notation, trust limits, policy) or classes (e.g., 0x10 through 0x13). See also the mail I just sent about designated revokers - there is a good potential use there as well. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3I0nL911769 for ietf-openpgp-bks; Wed, 17 Apr 2002 17:49:21 -0700 (PDT) Received: from claude.kendall.akamai.com (walrus.ne.client2.attbi.com [65.96.217.88]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I0nJm11764 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 17:49:20 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3I0nIK01129 for ietf-openpgp@imc.org; Wed, 17 Apr 2002 20:49:18 -0400 Date: Wed, 17 Apr 2002 20:49:18 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: bis04: revocation key nits Message-ID: <20020418004918.GA661@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Crescent (21% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi everyone, I'd like to raise two items for possible inclusion in bis05. These came up while implementing designated revoker functionality in GnuPG. The first item is that there is no way to revoke a 0x1F signature. Since the designated revoker information is contained in an 0x1F signature, this means that once a user designates a designated revoker, the user cannot later undo the designation if circumstances change. I'd like to request a new signature class to indicate a 0x1F revocation or an expansion of the meaning of one of the existing revocation signature classes to include 0x1F signatures. The second item is one I raised in February. Briefly, the draft indicates that a designated revoker is allowed to issue three types of revocations: key revocations (0x20), subkey revocations (0x28), and certification revocations (0x30). The problem happens if a user is both a designated revoker for someone who has signed a given key, as well as a regular signer for the same given key. In this case, there is no way to tell the difference between a certification revocation issued by the user in his capacity as designated revoker, and a certification revocation issued by the user in his capacity as himself. For example, take Alice, Bob, and Charlie. Bob is Alice's designated revoker. Alice and Bob have both certified Charlie's key. Now Alice asks Bob to revoke her certification of Charlie's key. Since both Alice and Bob have certified Charlie's key, and the format of the certficate revocation (0x30) that Bob issues is the same whether he is acting for himself or acting as Alice's designated revoker, the OpenPGP program has no way to tell which certification is being revoked: is it Bob's or is it Alice's? I don't know what the best solution for this is. Probably the simplest solution is to only allow designated revokers to issue key revocations (0x20 and possibly 0x28) and not 0x30 cerfication revocations. Michael Young suggested a "revocation target" signature subpacket for use in revocations. That would work as well. For what it's worth, neither PGP or GnuPG currently allow designated revokers to issue 0x28 subkey or 0x30 certification revocations. David -- David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/ +---------------------------------------------------------------------------+ "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." - Jeremy S. Anderson Received: by above.proper.com (8.11.6/8.11.3) id g3I0MLr10993 for ietf-openpgp-bks; Wed, 17 Apr 2002 17:22:21 -0700 (PDT) Received: from smtprelay7.dc2.adelphia.net (smtprelay7.dc2.adelphia.net [64.8.50.39]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3I0MKm10989 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 17:22:20 -0700 (PDT) Received: from mwyoung ([24.48.51.230]) by smtprelay7.dc2.adelphia.net (Netscape Messaging Server 4.15 smtprelay7 Dec 7 2001 09:58:59) with SMTP id GUQMCW00.MP9 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 20:22:08 -0400 Message-ID: <00d501c1e66e$e3deb920$ebc42609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05101585b8e3abe7a80e@[192.168.1.97]> Subject: Revocation target subpacket (Re: What's left before a new RFC?) Date: Wed, 17 Apr 2002 20:20:26 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 From: "Jon Callas" <jon@callas.org> > I know of no other desired changes. I would like bis-05 to be Penultimate > Call. Does anyone object? I still desire a "revocation target" subpacket to identify the specific signature being revoked: 5.2.3.1. (add:) 31 = revocation identification 5.2.3.25. Revocation identification (1 octet PK algorithm) (1 octet hash algorithm) (N octets hash) where the N octets are the hash from the signature being revoked. My original suggestion did not include the PK algorithm field. Jon Callas added that in his revised sketch. I don't feel a need for it, but I won't object, either. David Shaw also suggested including the timestamp from the revocation packet, to allow a blazingly fast comparison. Again, I could live with or without this. Without the ability to revoke a specific signature, I strongly object to multiple self-signatures being interpreted "any way it sees fit". Yes, there's a RECOMMENDED behavior, and that may be the best we can hope for in old implementations. It's sad to suggest that when conversing among new implementations, a key owner cannot update its self-signature in a clear and unambiguous way. But a revocation target would satisfy my objection. There may be other solutions to this specific problem, such as a "supercedes" subpacket, but I don't think they're as generally powerful or useful. Note that I would not limit the use of this subpacket to self-signatures. I think it would be equally meaningful for ordinary certifications, to disambiguate between signatures with different subpackets (e.g., notation, trust limits, policy) or classes (e.g., 0x10 through 0x13). -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQA/AwUBPL4Q5FMkvpTT8vCGEQLtpgCglr4beWeYJ4dUnqUpJTaaAIVwz0wAoLDN 9xGG4JMBrlsTW6npVziHw3UC =nwLd -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3HNoQK10522 for ietf-openpgp-bks; Wed, 17 Apr 2002 16:50:26 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HNoOm10518 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 16:50:24 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [194.162.148.2]) by mail.mediacompany.com (Postfix) with ESMTP id 877574803; Thu, 18 Apr 2002 01:50:24 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 542A32ED8F; Thu, 18 Apr 2002 01:46:45 +0200 (CEST) Date: Thu, 18 Apr 2002 01:46:45 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: Clearsigning, MIME, etc. Message-ID: <20020417234645.GA15119@yoda.does-not-exist.org> Mail-Followup-To: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org References: <B8E2187F.DB2%jon@callas.org> <20020417093357.GA18863@yoda.does-not-exist.org> <p05101582b8e39c870d7d@[192.168.1.97]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <p05101582b8e39c870d7d@[192.168.1.97]> User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2002-04-17 15:46:51 -0700, Jon Callas wrote: >>In order to verify a signature I make, I suppose he'd have to >>re-encode the data as presented to him from cp-1252 to utf-8. >>(He consistently reported that he could not verify the >>signatures I made.) >Yes, and this is exactly the process that I insist implementers do. ... as opposed to users! >UTF-8 is mandated to be the default. It always has been. All text >is UTF-8 unless there is a tag telling you it isn't. If the >handwaving I do in the Charset section of 6.2 is causing problems, >I will be happy to remove it. I will also be happy to explicitly >say all text is UTF-8. The handwaving sends one message: "In theory, it's all utf-8. In practice, forget about character sets." And that's, it seems, how things are implemented nowadays. >I suppose we could just declare that text is UTF-8. I'd certainly prefer that approach. Whatever is inside a type 't' literal packet is considered to be utf-8. In that case, there's no need for a charset header, except with clearsigning, where it should indicate the character set in which the cleartext has been represented while the hash. From a systematic point of view, it would be reasonable to assume utf-8 unless stated otherwise. From a practical point of view, conversion should only be done if an explicitly-given character set (Charset header) is different from the one used to represent the data (to be determined out-of-band, for instance by using nl_langinfo(CODESET)). If no Charset header is given, no recoding should happen. >>>construct OpenPGP headers, >>Eh? You don't need to construct any OpenPGP headers with PGP/MIME. >Yes, I do. If I want to construct a clearsigned message from a >MIMEd message, I have to figure out the right spot to insert >"-----BEGIN PGP SIGNED MESSAGE-----" at the very least, and maybe >a "Hash: SHA1" header, and maybe a character set header. It's much >easier for me to not verify your signature. If it were >clearsigned, I can just copy it into a text file. Don't do that. Just save the first MIME part (in on-the-wire format, including headers; ups) to one file, the signature to a second one, and treat it as a detached signature. >>The problem with getting anything implemented is that NAI does >>not support PGP any more. >Well, my exercise shows it can work with no NAI involvement. Of course. However, that implementation is still around, and still the most widely used one on the most widely used platform, I'd guess. -- Thomas Roessler <roessler@does-not-exist.org> Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3HMwJ007417 for ietf-openpgp-bks; Wed, 17 Apr 2002 15:58:19 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HMwIm07413 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 15:58:18 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1) for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 15:57:58 -0700 Mime-Version: 1.0 Message-Id: <p05101585b8e3abe7a80e@[192.168.1.97]> Date: Wed, 17 Apr 2002 15:54:01 -0700 To: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: What's left before a new RFC? Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> When I sent out bis04, it had all previous changes and additions in it. Thomas Roessler is convincing me that I may need to tighten up the language about UTF-8. If anyone out there disagrees with him, speak up. I'm willing to put in a note to say that the Version and Comment headers in armor SHOULD or MUST be ASCII. I don't like it (I want everything to be UTF-8), but I'll do it. Is UTF-7 too grotesque? I know of no other desired changes. I would like bis-05 to be Penultimate Call. Does anyone object? Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3HMmX407223 for ietf-openpgp-bks; Wed, 17 Apr 2002 15:48:33 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HMmWm07219 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 15:48:32 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Wed, 17 Apr 2002 15:48:18 -0700 Mime-Version: 1.0 Message-Id: <p05101582b8e39c870d7d@[192.168.1.97]> In-Reply-To: <20020417093357.GA18863@yoda.does-not-exist.org> References: <B8E2187F.DB2%jon@callas.org> <20020417093357.GA18863@yoda.does-not-exist.org> Date: Wed, 17 Apr 2002 15:46:51 -0700 To: Thomas Roessler <roessler@does-not-exist.org> From: Jon Callas <jon@callas.org> Subject: Re: Clearsigning, MIME, etc. Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 11:33 AM +0200 4/17/02, Thomas Roessler wrote: >Congratulations. That was the easy part. I suppose we agree that I >did things the right way with my message? > If I didn't, then there's something broken with signatures. :-) >In order to verify a signature I make, I suppose he'd have to >re-encode the data as presented to him from cp-1252 to utf-8. (He >consistently reported that he could not verify the signatures I >made.) > Yes, and this is exactly the process that I insist implementers do. >To wrap things up: > > - ASCII armor proper can be fixed by giving a clear specification of > the character set issues involved: Either mandate UTF-8, or > mandate tagging and use UTF-8 as the default. The current > language is considerably too fuzzy, and - I believe - mostly > ignored. > UTF-8 is mandated to be the default. It always has been. All text is UTF-8 unless there is a tag telling you it isn't. If the handwaving I do in the Charset section of 6.2 is causing problems, I will be happy to remove it. I will also be happy to explicitly say all text is UTF-8. My intent in any fuzziness in that language is because in the real world, text is often tacitly tagged -- as you've mentioned in detail. The real message is supposed to be, "go ahead and interpret it any way you want, but you're on your own." I suppose we could just declare that text is UTF-8. That doesn't solve the problem completely, because there's always binary data, and if I send you binary data that represents 8859-1, and you interpret it as 8859-15, we still have a problem. >>construct OpenPGP headers, > >Eh? You don't need to construct any OpenPGP headers with PGP/MIME. Yes, I do. If I want to construct a clearsigned message from a MIMEd message, I have to figure out the right spot to insert "-----BEGIN PGP SIGNED MESSAGE-----" at the very least, and maybe a "Hash: SHA1" header, and maybe a character set header. It's much easier for me to not verify your signature. If it were clearsigned, I can just copy it into a text file. >The problem with getting anything implemented is that NAI does not >support PGP any more. > Well, my exercise shows it can work with no NAI involvement. > >Finally, hard failures of clearsigning: You can only avoid these by >making sure that no lossy recoding happens as the data travels from >signer to verifier. Encouraging people to use utf-8 on the wire (so >there is at least no lossy recoding on the sending side) may help, >but you won't get rid of all the problems that way. > > >Note that both kinds of clearsigning failures don't occur with >PGP/MIME: The signed material is invariant under the transformations >which can reasonably be expected to happen. Sure. But my grumpiness with OpenPGP/MIME is that I have no software that does it and don't see how I'm going to get any. It's purely practical. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3HLcLP05467 for ietf-openpgp-bks; Wed, 17 Apr 2002 14:38:21 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HLcKm05461 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 14:38:20 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Wed, 17 Apr 2002 14:37:59 -0700 Mime-Version: 1.0 Message-Id: <p05101581b8e39b5dc7b9@[192.168.1.97]> In-Reply-To: <20020417091558.GA23406@yoda.does-not-exist.org> References: <20020417091558.GA23406@yoda.does-not-exist.org> Date: Wed, 17 Apr 2002 14:37:25 -0700 To: Thomas Roessler <roessler@does-not-exist.org>, ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: literal data packet tags - nit Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 11:15 AM +0200 4/17/02, Thomas Roessler wrote: > Earlier implementations also used a vlaue of 'l' as a > 'local' mode for machine-local conversions. In RFC 1991, > this value is (wrongly) given as 'ASCII 1'. The use of > either of these literal data packet types is now deprecated. Thanks. Here is what I put into bis-05: Early versions of PGP also defined a value of 'l' as a 'local' mode for machine-local conversions. RFC 1991 incorrectly stated this local mode flag as '1' (ASCII numeral one). Both of these local modes are deprecated. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3HKlIs01498 for ietf-openpgp-bks; Wed, 17 Apr 2002 13:47:18 -0700 (PDT) Received: from mout1.freenet.de (exim@mout1.freenet.de [194.97.50.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HKlHm01494 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 13:47:17 -0700 (PDT) Received: from [194.97.50.135] (helo=mx2.freenet.de) by mout1.freenet.de with esmtp (Exim 3.33 #4) id 16xwKf-000703-00 for ietf-openpgp@imc.org; Wed, 17 Apr 2002 22:47:13 +0200 Received: from a61f2.pppool.de ([213.6.97.242] helo=daredevil) by mx2.freenet.de with esmtp (Exim 3.33 #4) id 16xwKf-0001qi-00 for ietf-openpgp@imc.org; Wed, 17 Apr 2002 22:47:13 +0200 Received: from twoaday by daredevil with local (Exim 3.33 #1 (Debian)) id 16xwLB-0002A3-00 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 22:47:45 +0200 Date: Wed, 17 Apr 2002 22:47:45 +0200 From: Timo Schulz <twoaday@freakmail.de> To: ietf-openpgp@imc.org Subject: Re: sha-1 protected test key Message-ID: <20020417204745.GA8298@daredevil.joesixpack.net> Reply-To: twoaday@freakmail.de Mail-Followup-To: ietf-openpgp@imc.org References: <87u1qafhd0.fsf@alberti.gnupg.de> <iakrbu03gtjv36uinefb5gj6841lvhjvpr@4ax.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <iakrbu03gtjv36uinefb5gj6841lvhjvpr@4ax.com> User-Agent: Mutt/1.5.0i X-PGP-KeyID: BF3DF9B4 X-PGP-Request: lynx -source http://www.winpt.org/twoaday.asc Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed Apr 17 2002; 21:52, Imad R. Faiad wrote: > Can you please advise what do you mean by > "sha-1 protected key"? As I see no such > term anywhere in RFC440-bis04. In section 5.5.3. Secret Key Packet Formats - If the string-to-key usage octet was 255, then a two-octet checksum of the plaintext of the algorithm-specific portion (sum of all octets, mod 65536). If the string-to-key usage octet was 254, then a 20-octet SHA-1 hash of the plaintext of the algorithm-specific portion. This checksum or hash is encrypted together with the algorithm-specific fields. Timo Received: by above.proper.com (8.11.6/8.11.3) id g3HK2Ih28586 for ietf-openpgp-bks; Wed, 17 Apr 2002 13:02:18 -0700 (PDT) Received: from pacific.terra.net.lb (pacific.terra.net.lb [212.98.130.34]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HK2Em28578 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 13:02:15 -0700 (PDT) Received: from irf2 ([212.98.154.225]) by pacific.terra.net.lb (InterMail vK.4.03.03.00 201-232-128 license 20eea39b78605e6864d58825b8a469a8) with SMTP id <20020417200149.BTIW9985.pacific@irf2> for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 23:01:49 +0300 From: "Imad R. Faiad" <matic@cyberia.net.lb> To: ietf-openpgp@imc.org Subject: Re: sha-1 protected test key Date: Wed, 17 Apr 2002 21:52:30 +0200 Message-ID: <iakrbu03gtjv36uinefb5gj6841lvhjvpr@4ax.com> References: <87u1qafhd0.fsf@alberti.gnupg.de> In-Reply-To: <87u1qafhd0.fsf@alberti.gnupg.de> X-Mailer: Forte Agent 1.91/32.564 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3HK2Hm28579 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, Can you please advise what do you mean by "sha-1 protected key"? As I see no such term anywhere in RFC440-bis04. TIA Imad R. Faiad On Wed, 17 Apr 2002 17:57:15 +0200, you wrote: >Hi! > >I implemented the new SHA-1 checksum for secret keys. 2 files >protected with this new method are attached: Romeo uses CAST5 and >Sierra AES. The passphrase for both is "test". > >Note, that the keys are the regular GnuPG demo keys, so take care if >you are already using these keys. > > Werner -----BEGIN PGP SIGNATURE----- iQEVAwUBPL22U7zDFxiDPxutAQLb3AgAmDA5ggBWs1z2pLC+TR+PdcO2gfSCCpDC Y3PVv4SjY2UzVWhlTZTTdiZW9KED16pg1TWwpYmJ4IvQElamAtqqZk6/3elQKL+r BdfRu6x1quxRxL6PKOI5xHukWHgnk3v36vaLOxwpjPrUVTPSBjsFgZ1esWMfA99U h4nU42j8vSN+sJIuXlGofOJ0/Yn9XbEfoSSYRTg+Lu1SOS+snsuZhCFZne6FupvO R9u7EJdnXG7+3A3fNOp5WCng1GlbYCzjiCCaRRRGtIL2b/7Tsq0gPhofWhyw7nB4 pSf5n6BRcKt3XkEQElrmk8kBCeOV99/auF9+cGQq33YERAj9I5q6cQ== =88Cp -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3HFtxr13071 for ietf-openpgp-bks; Wed, 17 Apr 2002 08:55:59 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HFtvm13062 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 08:55:57 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 16xsWe-0002lx-00; Wed, 17 Apr 2002 18:43:20 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 16xro3-0003ru-00; Wed, 17 Apr 2002 17:57:15 +0200 To: ietf-openpgp@imc.org Subject: sha-1 protected test key From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Wed, 17 Apr 2002 17:57:15 +0200 Message-ID: <87u1qafhd0.fsf@alberti.gnupg.de> Lines: 15 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-=-= Hi! I implemented the new SHA-1 checksum for secret keys. 2 files protected with this new method are attached: Romeo uses CAST5 and Sierra AES. The passphrase for both is "test". Note, that the keys are the regular GnuPG demo keys, so take care if you are already using these keys. Werner --=-=-= Content-Disposition: attachment; filename=romeo.asc Content-Description: test key Romeo -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.0.6e-cvs (GNU/Linux) lQHhBDbjrjgRBACU0OjVoC32Kh/dUjXPdN6HIusEhHheYpFIzYHHTYJmFBEjBj9C wrpYGjGUmp+BS2wFS59zO2MlpQGLGrmo+YGBdio338Hwdm8baeScd2Koqu+oWkCo BMm2VxxbS3M8kq0ppNu2Q5EEO/qGywVrVpfBM3siM3mcsjVaHyWy+T1IqwCg/lng gNIr+Yz2HoU9GwCwBi9331kD/jRTBAuXTq7vAG2bGpJ0X/zqSMLSRZfwnZj28hx6 I0SIT0yZU1xggrAgzSbB24XnQSSxWMR2BZQmupPdHO0l8xPn5KCbYo4C+9+Zsprx EXg09KtVcMOsV6qTq40NPSOdRRNAVhOOTg/GD0qX5r9ztB57qpefmp4Nfy5tmo3S ehfRA/9jkdKCLrZRsE/kH57kGoT5kt4nvJW2X3T03BMKvspVm3WjdlrR0Ji0yiw9 P05sCMJqeFKe4RZreG6i606CitZpRIRbpjfMEq838zgUDv7VGF7zqCedYu36sepf kzxj/slNyu6A21HTgMWxiBrkDXoIuxMPFKYzZGC+nCHXgW2uof4DAwLyji1Xfy9P iWDPL5uLWU2PDuRD0mbdg2Qdh39W5uTESUAJIid3a4TCd4V+TpsqzW39+EO98GjE ycNd17QpUm9tZW8gVGVzdCAoZGVtbyBrZXkpIDxyb21lb0BleGFtcGxlLm5ldD6I VQQTEQIAFQUCNuOuOAMLCgMDFQMCAxYCAQIXgAAKCRA72+2xd3++06vgAJ9dFoyZ gDHJ9aQRcBNvHiKrVM+W7ACgqDYu6GvxxVUGUcqSke0goY3s/dKdAbgENuOuZhAE AInmt6zi1dFmPfqzs/gplZR/RgLya0vHF40Rd7lyQC2fyAx9xJAngx6Lg7UQG+sp n0PPbwSa/QWYN3roNR3jJtEiTU83yRavL1S4YsB/9UECQwjJeFgIScHvBGw2PiQX kOFiLK16nbB6Q+hxk7YYBSgjJjbIw1vabaDYrxScrZAHAAMFA/4jGKHej776LTZf CLjA57tqujbFJ4GYf1vycRony/xFUtE7QCChHgYvMp5M5+/nsVTjy2VjuzG2HoU7 F4lpCRLWcPUtGlvcZQNmvuoz/I4ZinRaF1GAZb5zR5hrfaDlqOrbOff4fUvjKuZF JkzieZnlld72KOQazRQ1iqaLSAFjGv4DAwLyji1Xfy9PiWBpPXdVAeognbHWj3BB DbrG/ZBQIEE33f4c+ZJm+KNvWiIHSA5y42etV044/uLtS4nF71SJyci94b2PZYH8 SP+TBy+kTynaa/vkk5RsnUlHKaR6RmUdBqGLY+4PwnX4O+BWKBS0drfhV7wMY24X i/ejH0lmS7F1g1H1nKBsmJI5tdsbxA0/V9meWoAWSgZcB1pVVWQ+SosLS3PVBBq1 QohGBBgRAgAGBQI2465mAAoJEDvb7bF3f77TSdEAoJC9HJC3mk2hZumPxu1+oYrT SOk4AKCNIhMbMI1RGMc8I8QEA+qA5UOHgA== =Xus7 -----END PGP PRIVATE KEY BLOCK----- --=-=-= Content-Disposition: attachment; filename=sierra.asc Content-Description: test key Sierra -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1.0.6e-cvs (GNU/Linux) lQHpBDbjrwQRBADFLZOACYlz942iqSIW4twe90tkmeu6yswZInI3pacFpOi53bAq 2y7CFrA3/HzbYodK/QLPtmq3wKZDZcLghqtWZTxhhhH9fDqj8Rb54IVRGw3XKLD+ GyJt5OhtrIBWzJevMQBp07ZEuRn8+N7k7s5z83WZxmyIz9LgZj32ZOhluwCg4YuI bbsa92PrnfZcdW1jPSqlLQMEAIkWB5utOUWVQZHc5X2MdSMIJ/5fAoatzLD63wTL JWqQZ6tWp9v5xED5riHXvQugCzdbdNwx6SqJ8dl4I2Fc/KYLcthVO7cUkpthBPve +XV6d6L+E3w9SsZLDpe+9DwM4sS3zYT1tauANnBK7hoDu+KhF9/3wGtSdJ0Sg4Jg P5oGA/9k0mSgmhR6HNyB0J5MoJhs82TaVWVdvtZCAfGdoTaPVfNT2Kc5WFfEpRud Wo1tRt3j3LYuyTiD+jKrjVG2EeEzs2ctQ6uPlaqmQgenzniCi+NCCigKDDA2BTS6 fc3E/rOvug0zx9u3hNVhLfjUIwYK9qHwv+IgFP55gGJqOMZ+2P4HAwIhgJF4snTD KWDtN4bjHmCZtz6R2oRrd/us5Y2LzP7AgdOut8lMhuTaGw32ny3KdUl34Gz1uYwJ SogAMIhKSkotxkcKtCtTaWVycmEgVGVzdCAoZGVtbyBrZXkpIDxzaWVycmFAZXhh bXBsZS5uZXQ+iFUEExECABUFAjbjrwQDCwoDAxUDAgMWAgECF4AACgkQpeZ/f6Ou PqGvfwCgmiW4+LHNewi8DDrrxVXo5OJsFEEAn3K6UBmaMfewetDIEEbP8JJUhFVn nQHABDbjr4AQBAC4cckdPiWgQNkGvAm3q8FxzRLog68/jffvj8Mvt++XQ4NikO0V J8ezYkVd+vG3v5RoHTISynmMWZZjT56aFDSDZPOkQs2G0qZgAEgTpzCUBdlnUC8Z rHSTSQjCn7HtR2cpYCCUBliPtatDvS3Me1XdRfBhXib04TB0ci6DrzFQkwADBQQA je0R1INm9GkZKAzTECi+lVei7wbXkn4JF6n9r1KL5oULVF8aGHNEJ1Twj7kuq2ka cYjc/Di4KdESRTZN9szlZnNruvAd9JKHIgbeysene3yRhy+YFaqXm1MtWCdwwaDi DoHDASpl55RtuCKxz6uW77qhrZ8E6GRDrhI92R88Dbn+BwMCIYCReLJ0wylgTRBt VE4l4DEdP+v/E4umHUJKH17E4LhXnQ+99hSsX8sHKA6zXtu2v301WmlN3siZF/UA VVZzYteNrlYMC+l933zJ1hk26vfZAeYWo1fzTSnZa1YrlY9+/9a4COpKnvXcZUBX gGNDjr2nJQmt+b+3s77g2yli988kwVEVmQ8Xk/vSwoxM9mosrk73PaQpg7WY3OwE sD89B8etjHrRk6IuYnCqS9y2dIhGBBgRAgAGBQI246+BAAoJEKXmf3+jrj6hMx8A oKN37r3LagUdczPpRoorWgnKER/fAKDNombBtqtcolNzHm1Fg8XDworkTA== =cqxT -----END PGP PRIVATE KEY BLOCK----- --=-=-=-- Received: by above.proper.com (8.11.6/8.11.3) id g3HDGZV03126 for ietf-openpgp-bks; Wed, 17 Apr 2002 06:16:35 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HDGXm03122 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 06:16:33 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [194.162.149.4]) by mail.mediacompany.com (Postfix) with ESMTP id 217644803 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 15:16:33 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 397452ED13; Wed, 17 Apr 2002 15:13:15 +0200 (CEST) Date: Wed, 17 Apr 2002 15:13:15 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: ietf-openpgp@imc.org Subject: Re: bis04: Armor headers w/ non-us-ascii values Message-ID: <20020417131315.GI18863@yoda.does-not-exist.org> Mail-Followup-To: ietf-openpgp@imc.org References: <200204171428.05532@sendmail.mutz.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <200204171428.05532@sendmail.mutz.com> User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2002-04-17 14:28:03 +0200, Marc Mutz wrote: >I'm missing a clear note that Armor Headers SHOULD (or even MUST) be US-ASCII >only (key and esp. value). MUST. -- Thomas Roessler <roessler@does-not-exist.org> Received: by above.proper.com (8.11.6/8.11.3) id g3HD1D002473 for ietf-openpgp-bks; Wed, 17 Apr 2002 06:01:13 -0700 (PDT) Received: from mail.uni-bielefeld.de (IDENT:72@mail2.uni-bielefeld.de [129.70.4.90]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3HD1Bm02469 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 06:01:11 -0700 (PDT) Received: from dirichlet.mathematik.uni-bielefeld.de (ppp36-137.hrz.uni-bielefeld.de [129.70.36.137]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8) with ESMTP id <0GUP007BEQTTUQ@mail.uni-bielefeld.de> for ietf-openpgp@imc.org; Wed, 17 Apr 2002 15:01:06 +0200 (MET DST) Date: Wed, 17 Apr 2002 14:28:03 +0200 From: Marc Mutz <mutz@kde.org> Subject: bis04: Armor headers w/ non-us-ascii values To: ietf-openpgp@imc.org Cc: jon@callas.org Message-id: <200204171428.05532@sendmail.mutz.com> Organization: KDE MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT User-Agent: KMail/1.4.5 X-PGP-Key: 0xBDBFE838 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I'm missing a clear note that Armor Headers SHOULD (or even MUST) be US-ASCII only (key and esp. value). We discussed the problem a few months ago. Non US-ASCII header values conflict with the intend of ascii armoring and with rfc3156, which states that application/pgp* always are 7bit. app/pgp-signature and app/pgp-keys are the ones that are actually affected. Problematic headers include "Comment" (which e.g. gnupg allows the user to specify) and "Version" (where localized). Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8vWpU3oWD+L2/6DgRAlJpAJ93NbFWIdoHKoiReh6+znutPAXk0wCg7LX2 W6aRY/myB8cclJmAUwV1Dy4= =5wzx -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3H9ZBk16467 for ietf-openpgp-bks; Wed, 17 Apr 2002 02:35:11 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3H9Z8m16456 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 02:35:09 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [62.144.244.114]) by mail.mediacompany.com (Postfix) with ESMTP id 960AB4809; Wed, 17 Apr 2002 11:34:55 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 102EF2ED90; Wed, 17 Apr 2002 11:33:58 +0200 (CEST) Date: Wed, 17 Apr 2002 11:33:57 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: Clearsigning, MIME, etc. Message-ID: <20020417093357.GA18863@yoda.does-not-exist.org> Mail-Followup-To: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org References: <B8E2187F.DB2%jon@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <B8E2187F.DB2%jon@callas.org> User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2002-04-16 18:05:51 -0700, Jon Callas wrote: >Clearsigning is not armoring. They are different. If I hear >armoring, and you talk about clearsigning, we're going to talk at >cross purposes. I understand your comments on clearsigning, but >lets's take them one step at a time. I'm sorry for the confusion. With armoring proper (everything except clearsigning) the only problem is that an implementation needs to know, somehow, what character set the cleartext is in. That can easily be solved by making the Charset header mandatory, and specifying that text without a charset header is to be assumed utf-8 under all circumstances. I'll cover that in another message. The only question in this context is if the charset information shouldn't be part of the text packet, i.e., inside the cryptographical envelope. I suppose that would be cleaner; also, it would solve tagging when ASCII armor is not used. Alternatively, get rid of the Charset header and make utf-8 mandatory for text. But back to clearsigning. >[Note: There are unicode characters below.] ... which show up as question marks, because I'm not (yet ;-) operating in a full utf-8 environment - in fact, most things are just running in a iso-8859-15 locale, where the characters you used just can't be displayed. But that's actually a fine example: Just cutting & pasting what's displayed (which may be needed with some systems) would be impossible in this case, because a lossy encoding had to take place. >??? Your message displays properly under Entourage X on my Mac. >Yay! It also displays correctly with Mail.app, which ships with >OSX. It does not display correctly under Eudora for OSX. Boo (?). >If I take said message, paste it into BBEdit, it displays >correctly. Yay! If I save out said message in UTF8 with DOS line >ends (another ? for BBEdit), it verifies correctly with GPG 1.06. >Another yay! That's not so unexpected, isn't it? After all, no lossy re-encodings were involved, and you ultimately saved the message in its original character set. >I have a mail client and text editor that both displays UTF-8 and >verifies your clearsigned message. It even works in spite of the >fact that your message has trailing whitespace on its lines. So >this *is* possible to do! Just get a Mac. Failing that, convince >some MUA developers to do the right thing on Windows and Linux. Congratulations. That was the easy part. I suppose we agree that I did things the right way with my message? In this case, I'd suggest you tell this to vedaal who used PGP 6.5.8 [ckt] with outlook like many, many others do. In order to verify the signature under the message he sent to the list yesterday, you'll have to second-guess that his computer uses cp-1252 as the local character set. You then have to explicitly recode the text to that character set in order to get the signature verified. In order to verify a signature I make, I suppose he'd have to re-encode the data as presented to him from cp-1252 to utf-8. (He consistently reported that he could not verify the signatures I made.) Another member of this list who uses Lotus Notes 4.5 on NT4 also reported that the signature verification failed, but the message displayed (mostly) correctly. Of course, he's quite close to MUA hell, so in that case I suppose verifying _some_ signatures already counts as a success. (Thanks for your help!) >This exercise I went through proves my point, to my mind. With a >clearsigned message, I can see the intended characters as well >verify the message's signature. In short, the system works. The system works as long as everyone and everything involved uses the same charset, which is the case in our example. I never disputed that. The problem is that the system breaks as soon as _different_ character set worlds are involved. It breaks "softly" in the windows case, where things become unusable for the average user, and cumbersome for someone who kind of knows what he is doing. It breaks the hard way as soon as lossy recodings are involved, since these will ruin signatures. >More to the point, if the message were not clearsigned, if it were >MIMEd, I would be unable to easily go to the trouble of verifying >the message using a text editor and GPG. I would have had to pry >open MIME parts, Yes. >construct OpenPGP headers, Eh? You don't need to construct any OpenPGP headers with PGP/MIME. >Nonetheless, I'd love to hear what you have to say about 8859-1 >and 8859-15. I've gone and looked up 8859-15 (which I'd never >heard of before), and would like to hear your insights. iso-8859-15 is the replacement for iso-8859-1 with the Euro sign added (instead of the currency symbol), and with some characters such as "LATIN {CAPITAL,SMALL} LETTER S WITH CARON", "LATIN {CAPITAL,SMALL} LETTER Z WITH CARON" added instead of "ACUTE ACCENT", "CEDILLA", "BROKEN BAR", "DIAERESIS". (I think there are some more changes, but these are the ones I immediately recall.) Obviously, the transformation between the two can't be guaranteed to be loss-free. That is, as soon as you (have to) recode between these, a signature may be broken. To wrap things up: - ASCII armor proper can be fixed by giving a clear specification of the character set issues involved: Either mandate UTF-8, or mandate tagging and use UTF-8 as the default. The current language is considerably too fuzzy, and - I believe - mostly ignored. - With clearsigning, the "soft" failures (I suppose these are the more common ones) can be avoided by either mandating that the signed material is to be recoded from the local representation (which must be known out-of-band) to utf-8 before signing and verifying, or by mandating that the character set used when generating the signature is indicated in an appropriate tag. The problem with tagging is that implementations are encouraged to use proprietary character sets. Probably, a note about being conservatives about the character sets used should be added. The problem with getting anything implemented is that NAI does not support PGP any more. Finally, hard failures of clearsigning: You can only avoid these by making sure that no lossy recoding happens as the data travels from signer to verifier. Encouraging people to use utf-8 on the wire (so there is at least no lossy recoding on the sending side) may help, but you won't get rid of all the problems that way. Note that both kinds of clearsigning failures don't occur with PGP/MIME: The signed material is invariant under the transformations which can reasonably be expected to happen. -- Thomas Roessler <roessler@does-not-exist.org> Received: by above.proper.com (8.11.6/8.11.3) id g3H9Yxh16423 for ietf-openpgp-bks; Wed, 17 Apr 2002 02:34:59 -0700 (PDT) Received: from mail.mediacompany.com (postfix@[195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3H9Yvm16412 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 02:34:57 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [62.144.244.114]) by mail.mediacompany.com (Postfix) with ESMTP id 871B44803 for <ietf-openpgp@imc.org>; Wed, 17 Apr 2002 11:34:54 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 04F7F2ED8F; Wed, 17 Apr 2002 11:15:58 +0200 (CEST) Date: Wed, 17 Apr 2002 11:15:58 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: ietf-openpgp@imc.org Subject: literal data packet tags - nit Message-ID: <20020417091558.GA23406@yoda.does-not-exist.org> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> (Section 5.9) The language about the "l" tag in the current draft correctly describes the implementation in PGP-2.6. However, it does not describe what is in RFC 1991, which has "ASCII 1" instead - whatever that's supposed to mean. Suggestion: Instead of "RFC 1991 ... deprecated", use the following language: Earlier implementations also used a vlaue of 'l' as a 'local' mode for machine-local conversions. In RFC 1991, this value is (wrongly) given as 'ASCII 1'. The use of either of these literal data packet types is now deprecated. (This is independent of any other changes we may wish to make to that section.) -- Thomas Roessler <roessler@does-not-exist.org> Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3H16AK04111 for ietf-openpgp-bks; Tue, 16 Apr 2002 18:06:10 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3H169m04106 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 18:06:09 -0700 (PDT) Received: from [192.168.1.27] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1) for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 18:05:58 -0700 User-Agent: Microsoft-Entourage/10.0.0.1331 Date: Tue, 16 Apr 2002 18:05:51 -0700 Subject: Clearsigning, MIME, etc. From: Jon Callas <jon@callas.org> To: <ietf-openpgp@imc.org> Message-ID: <B8E2187F.DB2%jon@callas.org> Mime-version: 1.0 Content-type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3H16Am04107 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 9:16 AM +0200 4/16/02, Thomas Roessler wrote: >With all due respect, OpenPGP with armoring gets you into all kinds >of hell as soon as you want to sign more than just us-ascii text, >and as soon as you want to verify the signature on a system >different from the one the signature was created on. This is, in >particular, the case when users have to feed PGP with a recoded >version of the message. Such recoding may be necessary in order to >properly display the message to you. I understand, Thomas. But I have some comments on your last message. Clearsigning is not armoring. They are different. If I hear armoring, and you talk about clearsigning, we're going to talk at cross purposes. I understand your comments on clearsigning, but lets's take them one step at a time. [Note: There are unicode characters below.] â Your message displays properly under Entourage X on my Mac. Yay! It also displays correctly with Mail.app, which ships with OSX. It does not display correctly under Eudora for OSX. Boo (?). If I take said message, paste it into BBEdit, it displays correctly. Yay! If I save out said message in UTF8 with DOS line ends (another ? for BBEdit), it verifies correctly with GPG 1.06. Another yay! [The previous paragraph contains a right-pointing hand (\u261e), a skull-and-crossbones (\u2620), and a smiley face (\u263a). The next paragraphs lead with the hand.] â I know that you said "Windows" and I'm on a Mac. But it works. I have a mail client and text editor that both displays UTF-8 and verifies your clearsigned message. It even works in spite of the fact that your message has trailing whitespace on its lines. So this *is* possible to do! Just get a Mac. Failing that, convince some MUA developers to do the right thing on Windows and Linux. â This exercise I went through proves my point, to my mind. With a clearsigned message, I can see the intended characters as well verify the message's signature. In short, the system works. Some group of people have all implemented unicode, OpenPGP, and mail handling and it all worked. To my mind, this makes it *not* a standards issue. It is a software implementation issue. â More to the point, if the message were not clearsigned, if it were MIMEd, I would be unable to easily go to the trouble of verifying the message using a text editor and GPG. I would have had to pry open MIME parts, construct OpenPGP headers, and hope I got it all right. The clearsigned message just plain worked, even with unicode in it. I have no MIME-encoding tools. Yeah. I could use Mutt. I know. And you could go get a Mac. Nonetheless, I'd love to hear what you have to say about 8859-1 and 8859-15. I've gone and looked up 8859-15 (which I'd never heard of before), and would like to hear your insights. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3GHFxU10200 for ietf-openpgp-bks; Tue, 16 Apr 2002 10:15:59 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3GHFwm10194 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 10:15:58 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3GHFje02267 for ietf-openpgp@imc.org; Tue, 16 Apr 2002 13:15:45 -0400 Date: Tue, 16 Apr 2002 13:15:45 -0400 From: David Shaw <dshaw@akamai.com> To: ietf-openpgp@imc.org Subject: Re: bis04 Message-ID: <20020416171545.GA1417@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org References: <OFC283C6D4.EC653DF8-ON86256B9D.0057BFB6@kodak.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <OFC283C6D4.EC653DF8-ON86256B9D.0057BFB6@kodak.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waxing Crescent (14% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Apr 16, 2002 at 11:01:57AM -0500, john.dlugosz@kodak.com wrote: > > > From: John Dlugosz > > I agree that the wording doesn't belong in this document. "this is the > format document". If it is going to subsume the other, why not just make > one document? I see a similar situation with deflation vs. zipfile format. > > A forward cross-reference might not be out of line, though. Perhaps a "see > also", as opposed to anything that could be misunderstood as a subsumation. There is a see also in section 7 (Cleartext signature framework). It reads "Note that RFC 3156 defines another way to clear sign messages for environments that support MIME." David -- David Shaw | Technical Lead <dshaw@akamai.com> | Enterprise Content Delivery 617-250-3028 | Akamai Technologies Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3GG1tR03931 for ietf-openpgp-bks; Tue, 16 Apr 2002 09:01:55 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3GG1rm03927 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 09:01:53 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3GG28C18632; Tue, 16 Apr 2002 12:02:08 -0400 (EDT) Subject: Re: bis04 To: jon@callas.org Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Tue, 16 Apr 2002 11:01:57 -0500 Message-ID: <OFC283C6D4.EC653DF8-ON86256B9D.0057BFB6@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/16/2002 12:01:51 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz I agree that the wording doesn't belong in this document. "this is the format document". If it is going to subsume the other, why not just make one document? I see a similar situation with deflation vs. zipfile format. A forward cross-reference might not be out of line, though. Perhaps a "see also", as opposed to anything that could be misunderstood as a subsumation. --John Jon Callas <jon@callas.org>@mail.imc.org on 04-15-2002 07:38:13 PM Sent by: owner-ietf-openpgp@mail.imc.org To: Werner Koch <wk@gnupg.org>, ietf-openpgp@imc.org cc: Subject: Re: bis04 At 4:35 PM +0200 4/15/02, Werner Koch wrote: >Hi! > >Removing this requirement is a bad thing because a reader might get >the impression that PGP/MIME had been consired to be a failed idea. >This is definitely not the case and can't stress enough how important >PGP/MIME is. The fact that some mail clients are not able to support >it is a pitty but not a reason to drop PGP/MIME. > I wrote a grumpy note earlier this year about this issue. The reason I dropped it is because some implementers claim that base OpenPGP with armoring is deprecated. This is *not* the case. I support OpenPGP/MIME. I think it's a great idea. But I am sick of not being able to verify messages because some implementers think that OpenPGP/MIME is the only way to go. I support anyone who puts in MIME encoding as an *option*. It isn't mandatory. The problem is that some people don't understand the difference between SHOULD-implement and SHOULD require all users to use. Our illustrious area directors have gone on long dissertations about the difference between implementing and forcing users to use. If an implementer who politically wants to support the cause of security multiparts chooses to do so, more power to them. But when the implementer responds to people who want to do armoring with, "Hey, don't complain to me, complain to the standards guys who *FORCE* me to do it" (which someone has said to me and other people), then we part company. And since I'm the aforementioned standards guy who allegedly is holding a gun to said developer's head, I can do something about it. I thought long and hard about just the right thing to say that would say "I'm okay, you're okay" and couldn't come up with one. So I thought nothing was the best thing to say. After all, this is the *format* document. It lays out the bits. If an implementer wants to receive 3DES but never emit anything but AES, that's their choice. Similarly, if an implementer wants to always emit OpenPGP/MIME, that's their choice. But I don't want to be holding the bag for either of them. If you can come up with wording that says MIME is great, but so is armoring, send it and I'll look at it. >Thanks for releasing the draft, Jon. You're welcome. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3GDluM26139 for ietf-openpgp-bks; Tue, 16 Apr 2002 06:47:56 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3GDlsm26132 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 06:47:54 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [62.144.252.253]) by mail.mediacompany.com (Postfix) with ESMTP id C63EB4803; Tue, 16 Apr 2002 15:47:53 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id D9E362ED13; Tue, 16 Apr 2002 15:47:51 +0200 (CEST) Date: Tue, 16 Apr 2002 15:47:51 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: vedaal <vedaal@hotmail.com> Cc: ietf-openpgp@imc.org Subject: Re: bis04 Message-ID: <20020416134751.GQ2896@yoda.does-not-exist.org> Mail-Followup-To: vedaal <vedaal@hotmail.com>, ietf-openpgp@imc.org References: <87lmbpkp2h.fsf@alberti.gnupg.de> <p05101569b8e11f70b514@[192.168.1.97]> <20020416071637.GL17287@yoda.does-not-exist.org> <OE65TwQl9G8XHXMH3jC00001d3f@hotmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2/5bycvrmDh4d1IB" Content-Disposition: inline In-Reply-To: <OE65TwQl9G8XHXMH3jC00001d3f@hotmail.com> User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --2/5bycvrmDh4d1IB Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2002-04-16 09:31:21 -0400, vedaal wrote: >the above message was done in OE 5.5, displayed the special=20 >characters, and verified the signature vedaal Well, I was, however, unable to verify your signature, using mutt. --=20 Thomas Roessler <roessler@does-not-exist.org> --2/5bycvrmDh4d1IB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) iQEVAwUBPLwrh9ImKUTOasbBAQIBhQgAhdxhYNnejQ+DBSL0ItosvacrgayKi4PE RdPhWedKL6vCVYMPyqyJhFEToC/xxOBC7BbVbE89T5HQtWYdSjwmIC4/78s3QROd +HAmHh65nV5kakfXvq/mGsGFPZtI5qiplAkmhdawdWpZFDsY11IREoftvvfp6VMH OLvQQoqSNMeYhOg+67d8wXDASXfovheiOXi4q+E+3LZ1upmkOWDhPX81LJ1/wsPy 6fcgnSEkQXxwgLaJETuutPjgZ+3Btpty1UTDrIf6Ram+7eHsnAOA6U/TNX/HWyAg /oHWjHkXjVTledMUADShNoFy9tlu3YsvsEMHs33T3XTAyPG3yZlpDg== =bkt4 -----END PGP SIGNATURE----- --2/5bycvrmDh4d1IB-- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3GDinm25682 for ietf-openpgp-bks; Tue, 16 Apr 2002 06:44:49 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3GDilm25677 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 06:44:47 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [62.144.252.253]) by mail.mediacompany.com (Postfix) with ESMTP id 219254803 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 15:44:43 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 5B12B2ED13; Tue, 16 Apr 2002 15:43:50 +0200 (CEST) Date: Tue, 16 Apr 2002 15:43:50 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: ietf-openpgp@imc.org Subject: Clearsigning considered harmful. Message-ID: <20020416134350.GP2896@yoda.does-not-exist.org> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 From draft-04, section 6.2: >"Charset", a description of the character set that the plaintext is >in. Please note that OpenPGP defines text to be in UTF-8 by default. >An implementation will get best results by translating into and out >of UTF-8. However, there are many instances where this is easier >said than done. Also, there are communities of users who have no >need for UTF-8 because they are all happy with a character set like >ISO Latin-5 or a Japanese character set. In such instances, an >implementation MAY override the UTF-8 default by using this header >key. An implementation MAY implement this key and any translations >it cares to; an implementation MAY ignore it and assume all text is >UTF-8. I believe that this part of the specification is a recipe for interoperability desasters of the most interesting kind. First of all, the specification makes no guarantee about the kind of character set used for generating a cleartext signature. This character set MAY be indicated by the Charset header, but it doesn't have to. Implementations MAY also ignore the header. Pretending that this header is not there is not a problem as long as the cleartext's character set is not changed in any way between signature creation and verification. However, this assumption won't hold in reality. Different systems are using different character sets; in order to properly display an e-mail message, you will have to recode it. Just think about the different ways to add the Euro symbol to character sets, or think about using utf-8 for messages. All this is getting particularly bad in the context of cleartext signatures: In this case, people will frequently use cut & paste in order to pass the signature and signed material to the verification service. In order to correctly verify a signature, the verification service would have to re-encode it, and hope that the original signed material is restored. In order to do this, implementations need to know what encoding was used when the original signature was generated. I.e., they will have to generate _and_ respect a Charset header. (Note, however, that re-encodings in a way which assures correct signature verification may not be possible if the encoding for display purposes was lossy. For instance, you cannot recode loss-free between iso-8859-1 and iso-8859-15 in all cases. Both character sets are being used in the European Union, with, it seems, iso-8859-15 gaining momentum.) My suggestion is that we either introduce mandatory rules for the character set issues, or add clear language which indicates that clearsigned signatures impose cnsiderable interoperability risks when used outside closed environments with homogeneous software istallations. - -- Thomas Roessler <roessler@does-not-exist.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) iQEVAwUBPLwqltImKUTOasbBAQImrwf/dj5l/XKh2dF6pTvKE9d8+gi4YjV5xRyf bJBa87gCSMaTAz67tDTYsLWifyvvNtjkQTXhJtL4T015fSbQwJwcML1CCBtygIm6 yNaYrsJRjUMr0vzXJT14p0E1ZoETGFzXx13sxZJfad5i6ccrEeveVGZpnabf8QY9 XGNpQSOAeK9yU/jMPFJRRcCpKdE8upOji6Uu+2tT5ZWDul4MpGfM3Ez4CxDFhZo6 zd1oEE9MMbEH30+FGlhkQM/n879E6LX0hz+1QdUHUWX8wQDW/GDSJbbtOYrMeVnX ADfFZnc8SdlN0ue4+5Jp886vu9onqwgx9WdHDGzzJtixb72Vv2UMww== =OpCe -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3GDX9P24245 for ietf-openpgp-bks; Tue, 16 Apr 2002 06:33:09 -0700 (PDT) Received: from hotmail.com (oe65.law3.hotmail.com [209.185.240.81]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3GDX8m24241 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 06:33:08 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 16 Apr 2002 06:32:59 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> References: <87lmbpkp2h.fsf@alberti.gnupg.de> <p05101569b8e11f70b514@[192.168.1.97]> <20020416071637.GL17287@yoda.does-not-exist.org> Subject: Re: bis04 Date: Tue, 16 Apr 2002 09:31:21 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE65TwQl9G8XHXMH3jC00001d3f@hotmail.com> X-OriginalArrivalTime: 16 Apr 2002 13:32:59.0463 (UTC) FILETIME=[39979D70:01C1E54B] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 - ----- Original Message ----- From: "Thomas Roessler" <roessler@does-not-exist.org> To: "Jon Callas" <jon@callas.org> Cc: "Werner Koch" <wk@gnupg.org>; <ietf-openpgp@imc.org> Sent: Tuesday, April 16, 2002 3:16 AM Subject: Re: bis04 ... > Here's a test - this message is encoded in utf-8, it's clearsigned, > and here is a number of special characters: ⬠ä ö ü æ ç > > Using widespread Windows software, can you find a messaging program > which (1) verifies the signature AND (2) correctly displays the > special characters (Euro symbol, a-umlaut, o-umlaut, u-umlaut, ae > ligature, c-cedilla)? Please tell us. ... could not verify your signature, but could see the special characters, have been able to both verify signatures and display special characters, using the very common OE 5.5 set to allow utf-8 encoding vedaal -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt build 7 http://www.ipgpp.com/ Comment: { Acts of Kindness better the World, and protect the Soul } Comment: KeyID: 0x6A05A0B785306D25 Comment: Fingerprint: 96A6 5F71 1C43 8423 D9AE 02FD A711 97BA iQEVAwUBPLwnP2oFoLeFMG0lAQNOJggAtK746tjFd4J39FpXpbkdjVA66yoJHT5U SU3zscdYdbeDsl91GLn1JG+wYoXQJtrYXPsiBjRRArg0BQh7hRRuvuHKtMUREHpL wH5jucrthi1T1dedgYC6cNkTAnAECoKDR+rxwMxmJRmmXwK1pR1CNH/DuFxkNdJ0 zBhrC53f6zUz+zKm2/jD+KGtBHSbUBp/kjGznk0RAsVynahuzl0vFc9cPRBaZFNu xT/Buy6JtQv5uDrzHaFoQpGex1MY2eNh7gQo2cmwfH6cqgFwJMmnD4wd8vNFOfZT uyGgR05T673wi38TwcFcp9baDm8RRwwJ0YLNapVYNz51W9IE9Embjw== =Yuvv -----END PGP SIGNATURE----- n.b. the above message was done in OE 5.5, displayed the special characters, and verified the signature vedaal Received: by above.proper.com (8.11.6/8.11.3) id g3G7M7502682 for ietf-openpgp-bks; Tue, 16 Apr 2002 00:22:07 -0700 (PDT) Received: from mail.mediacompany.com (postfix@castor.mediacompany.com [195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3G7M5m02677 for <ietf-openpgp@imc.org>; Tue, 16 Apr 2002 00:22:05 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [62.144.252.28]) by mail.mediacompany.com (Postfix) with ESMTP id 1FA6F4803; Tue, 16 Apr 2002 09:21:36 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 0CC992ED13; Tue, 16 Apr 2002 09:16:38 +0200 (CEST) Date: Tue, 16 Apr 2002 09:16:38 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: Jon Callas <jon@callas.org> Cc: Werner Koch <wk@gnupg.org>, ietf-openpgp@imc.org Subject: Re: bis04 Message-ID: <20020416071637.GL17287@yoda.does-not-exist.org> Mail-Followup-To: Jon Callas <jon@callas.org>, Werner Koch <wk@gnupg.org>, ietf-openpgp@imc.org References: <87lmbpkp2h.fsf@alberti.gnupg.de> <p05101569b8e11f70b514@[192.168.1.97]> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <p05101569b8e11f70b514@[192.168.1.97]> User-Agent: Mutt/1.5.0i Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3G7M6m02678 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2002-04-15 17:38:13 -0700, Jon Callas wrote: >The reason I dropped it is because some implementers claim that >base OpenPGP with armoring is deprecated. This is *not* the case. With all due respect, OpenPGP with armoring gets you into all kinds of hell as soon as you want to sign more than just us-ascii text, and as soon as you want to verify the signature on a system different from the one the signature was created on. This is, in particular, the case when users have to feed PGP with a recoded version of the message. Such recoding may be necessary in order to properly display the message to you. Here's a test - this message is encoded in utf-8, it's clearsigned, and here is a number of special characters: ⬠ä ö ü æ ç Using widespread Windows software, can you find a messaging program which (1) verifies the signature AND (2) correctly displays the special characters (Euro symbol, a-umlaut, o-umlaut, u-umlaut, ae ligature, c-cedilla)? Please tell us. >If you can come up with wording that says MIME is great, but so is >armoring, send it and I'll look at it. How about this? Note: A specification for using MIME to encapsulate OpenPGP signed or encrypted messages, and for signing and encrypting complex MIME objects with OpenPGP, can be found in RFC 3156. I'll send a separate message with somewhat more on the character set issues later today. - -- Thomas Roessler <roessler@does-not-exist.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) iQEVAwUBPLvP1dImKUTOasbBAQKr6wgAwHjiE9UzYcSvhQjmFyj4Fq34S54UmOKR RrF70Ecuofy77GrLapkqybhMdKlxobrncoTVE3QLnXwhvaaHD+9JIycUeu07h2nI ce1KBZei1CJDq0J8LY81lLAIcrOQFtkporpBKITqNdaN/AUTKOfTD+5pT+D8PWq7 EaAP8ZXyvr4Ydswx1u1cPNM5Y79bZCsmnpaJuwqPSM8XMo6+x8FFS6lKtiZuVazP eoKcE1PF+UU4/hEh/FB3ypivgmykwSIAOJmSaztZr/Rrf8OWaUxodZTL6Y1lz0aJ FoOmlZDEsiUcvw2VOA+Nh5sM+Fc+EcSVm1SGNrQs1V70ZbZJK5yqZw== =LZ1m -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3G0nJN08732 for ietf-openpgp-bks; Mon, 15 Apr 2002 17:49:19 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3G0nHm08728 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 17:49:18 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Mon, 15 Apr 2002 17:49:01 -0700 Mime-Version: 1.0 Message-Id: <p05101569b8e11f70b514@[192.168.1.97]> In-Reply-To: <87lmbpkp2h.fsf@alberti.gnupg.de> References: <87lmbpkp2h.fsf@alberti.gnupg.de> Date: Mon, 15 Apr 2002 17:38:13 -0700 To: Werner Koch <wk@gnupg.org>, ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: bis04 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 4:35 PM +0200 4/15/02, Werner Koch wrote: >Hi! > >Removing this requirement is a bad thing because a reader might get >the impression that PGP/MIME had been consired to be a failed idea. >This is definitely not the case and can't stress enough how important >PGP/MIME is. The fact that some mail clients are not able to support >it is a pitty but not a reason to drop PGP/MIME. > I wrote a grumpy note earlier this year about this issue. The reason I dropped it is because some implementers claim that base OpenPGP with armoring is deprecated. This is *not* the case. I support OpenPGP/MIME. I think it's a great idea. But I am sick of not being able to verify messages because some implementers think that OpenPGP/MIME is the only way to go. I support anyone who puts in MIME encoding as an *option*. It isn't mandatory. The problem is that some people don't understand the difference between SHOULD-implement and SHOULD require all users to use. Our illustrious area directors have gone on long dissertations about the difference between implementing and forcing users to use. If an implementer who politically wants to support the cause of security multiparts chooses to do so, more power to them. But when the implementer responds to people who want to do armoring with, "Hey, don't complain to me, complain to the standards guys who *FORCE* me to do it" (which someone has said to me and other people), then we part company. And since I'm the aforementioned standards guy who allegedly is holding a gun to said developer's head, I can do something about it. I thought long and hard about just the right thing to say that would say "I'm okay, you're okay" and couldn't come up with one. So I thought nothing was the best thing to say. After all, this is the *format* document. It lays out the bits. If an implementer wants to receive 3DES but never emit anything but AES, that's their choice. Similarly, if an implementer wants to always emit OpenPGP/MIME, that's their choice. But I don't want to be holding the bag for either of them. If you can come up with wording that says MIME is great, but so is armoring, send it and I'll look at it. >Thanks for releasing the draft, Jon. You're welcome. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3G0PPA08171 for ietf-openpgp-bks; Mon, 15 Apr 2002 17:25:25 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3G0POm08166 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 17:25:24 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Mon, 15 Apr 2002 17:25:03 -0700 Mime-Version: 1.0 Message-Id: <p05101568b8e11f3ea923@[192.168.1.97]> In-Reply-To: <OFB9BF53B1.45AED99A-ON86256B9C.00584600@kodak.com> References: <OFB9BF53B1.45AED99A-ON86256B9C.00584600@kodak.com> Date: Mon, 15 Apr 2002 17:22:55 -0700 To: john.dlugosz@kodak.com, ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: bis04 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 11:04 AM -0500 4/15/02, john.dlugosz@kodak.com wrote: >From: John Dlugosz > >The date in the headers reads April 15, 2001. Sigh. At least it says it expires in 2002. Sorry about that. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3FIgbV01094 for ietf-openpgp-bks; Mon, 15 Apr 2002 11:42:37 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FIgam01090 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 11:42:36 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3FIgrd18872 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 14:42:53 -0400 (EDT) Subject: Re: Recipient-verifiable messages To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Mon, 15 Apr 2002 13:42:43 -0500 Message-ID: <OF10D2CE56.511F6EE3-ON86256B9C.006697E9@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/15/2002 02:42:36 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz >> Anyway, both undeniable and designated confirmer signatures are patented by Chaum, so they would probably not be suitable for use in a protocol like OpenPGP. In most cases, I think you can build anything out of anything else (if you allow more round-trips), so a few primitives are all you need. OpenPGP provides public key encryption and ordinary signatures, as well as symetric encryption and HMAC. Those can be used as part of a protocol to do just about anything. A higher standard would say "here is how you use OpenPGP to do email" etc. and specify such a protocol. So, I don't think it is necessary to add any new stuff to PGP, just to use what we have in some new way. --John Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3FGrUD28017 for ietf-openpgp-bks; Mon, 15 Apr 2002 09:53:30 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FGrTm28012 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 09:53:29 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3FGiPi20120; Mon, 15 Apr 2002 09:44:25 -0700 Date: Mon, 15 Apr 2002 09:44:25 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204151644.g3FGiPi20120@finney.org> To: ietf-openpgp@imc.org, john.dlugosz@kodak.com Subject: Re: Recipient-verifiable messages Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> John Dlugosz writes: > I just noticed this in a book I'm reading. Section 4.3 in "Applied > Cryptography, 2nd ed." by Bruce Schneier is on this exact subject. Actually 4.3 is on Chaum's undeniable signatures, which are not quite the same as what we are talking about. An undeniable signature requires the aid of the signer to verify the signature. If Alice sends an undeniable signature to Bob, he has to then run a protocol with Alice in order to determine if the signature is good or not. We would not want that with PGP, as we don't assume a bidirectional channel exists between signer and verifier. Somewhat closer is section 4.4, the designated confirmer signature, also by Chaum. I seem to recall that this is what he presented to us at the meeting in the PGP offices several years ago. But I don't see that this achieves the goal either. It is basically like an undeniable signature, where a third party is able to replace the signer as the verifier. So Alice could sign a message and send it to Bob, and he could only verify it with Carol's assistance. Maybe the idea was to use the designated confirmer signature, but to make the designated confirmer in this case be Bob himself? Then he could verify the signature all by himself, but no one else could verify it without his help. Hmmm, that doesn't seem quite right, because Alice really doesn't want Bob to be able to verifiably show her signature to a third party, and this use of the designated confirmer signature seems to allow that. So I'm not sure any more exactly what his idea was. Anyway, both undeniable and designated confirmer signatures are patented by Chaum, so they would probably not be suitable for use in a protocol like OpenPGP. Hal Received: by above.proper.com (8.11.6/8.11.3) id g3FG4gG25400 for ietf-openpgp-bks; Mon, 15 Apr 2002 09:04:42 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FG4dm25394 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 09:04:40 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3FG4ud22014 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 12:04:56 -0400 (EDT) Subject: Re: bis04 To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Mon, 15 Apr 2002 11:04:46 -0500 Message-ID: <OFB9BF53B1.45AED99A-ON86256B9C.00584600@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/15/2002 12:04:39 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz The date in the headers reads April 15, 2001. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3FFVZK20626 for ietf-openpgp-bks; Mon, 15 Apr 2002 08:31:35 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FFVYm20621 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 08:31:34 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3FFVjd10654 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 11:31:45 -0400 (EDT) Subject: Re: Recipient-verifiable messages To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Mon, 15 Apr 2002 10:31:33 -0500 Message-ID: <OF2FC56D86.BBA83B7B-ON86256B9C.005510C6@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/15/2002 11:31:28 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz I just noticed this in a book I'm reading. Section 4.3 in "Applied Cryptography, 2nd ed." by Bruce Schneier is on this exact subject. --John Received: by above.proper.com (8.11.6/8.11.3) id g3FEZmM19208 for ietf-openpgp-bks; Mon, 15 Apr 2002 07:35:48 -0700 (PDT) Received: from porta.u64.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FEZjm19204 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 07:35:45 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.32 #1 (Debian)) id 16x8Ja-0003bw-00; Mon, 15 Apr 2002 17:22:46 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.33 #1 (Debian)) id 16x7bM-0007vP-00; Mon, 15 Apr 2002 16:37:04 +0200 To: ietf-openpgp@imc.org Subject: bis04 From: Werner Koch <wk@gnupg.org> X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com X-FSFE-Motto: Omnis enim res, quae dando non deficit, dum habetur et non datur, nondum habetur, quomodo habenda est. X-FSFE-Info: http://fsfeurope.org Organisation: g10 Code GmbH Date: Mon, 15 Apr 2002 16:35:02 +0200 Message-ID: <87lmbpkp2h.fsf@alberti.gnupg.de> Lines: 29 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi! The latest draft dropped a paragraph from 2.4: Note that many applications, particularly messaging applications, will want more advanced features as described in the OpenPGP-MIME document, RFC2015. An application that implements OpenPGP for messaging SHOULD implement OpenPGP-MIME. I might have missed it but I can't remember that we agreed on this. I don't want to repeat the pros and cons here as we discussed this far too often. Removing this requirement is a bad thing because a reader might get the impression that PGP/MIME had been consired to be a failed idea. This is definitely not the case and can't stress enough how important PGP/MIME is. The fact that some mail clients are not able to support it is a pitty but not a reason to drop PGP/MIME. U.S. centric programmers didn't care about 8 bit cleanness for many many years and users all over the rest of the world had to suffer with this problem. Don't let this happen again by suggesting the use of PGP-armor. Thanks for releasing the draft, Jon. Werner Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3FBTId14730 for ietf-openpgp-bks; Mon, 15 Apr 2002 04:29:18 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3FBTHm14726 for <ietf-openpgp@imc.org>; Mon, 15 Apr 2002 04:29:18 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA13009; Mon, 15 Apr 2002 07:29:16 -0400 (EDT) Message-Id: <200204151129.HAA13009@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-openpgp@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-openpgp-rfc2440bis-04.txt Date: Mon, 15 Apr 2002 07:29:15 -0400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the An Open Specification for Pretty Good Privacy Working Group of the IETF. Title : OpenPGP Message Format Author(s) : J. Callas, L. Donnerhacke, H. Finney, R. Thayer Filename : draft-ietf-openpgp-rfc2440bis-04.txt Pages : 70 Date : 12-Apr-02 This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures. This document specifies the message formats used in OpenPGP. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-04.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-openpgp-rfc2440bis-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20020412140456.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-openpgp-rfc2440bis-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20020412140456.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: by above.proper.com (8.11.6/8.11.3) id g3E4bwK16725 for ietf-openpgp-bks; Sat, 13 Apr 2002 21:37:58 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3E4bvm16721 for <ietf-openpgp@imc.org>; Sat, 13 Apr 2002 21:37:57 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3E4SrZ17559; Sat, 13 Apr 2002 21:28:53 -0700 Date: Sat, 13 Apr 2002 21:28:53 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204140428.g3E4SrZ17559@finney.org> To: ietf-openpgp@imc.org, jkane89@softhome.net Subject: Re: quasi-deniable signing Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> John Kane writes: > Call me silly, but I don't think the OpenPGP protocol really > needs either of these modes as part of the standard. Why is that? What do you think of the argument that in most cases (aside from public postings), this is the kind of signature that you would actually prefer? It lets your recipient verify that you sent it, but keeps you from being possibly hurt by having your signed message shown to someone else. Hal Finney Received: by above.proper.com (8.11.6/8.11.3) id g3DK1GV07289 for ietf-openpgp-bks; Sat, 13 Apr 2002 13:01:16 -0700 (PDT) Received: from softhome.net (jive.SoftHome.net [66.54.152.27]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3DK1Fm07285 for <ietf-openpgp@imc.org>; Sat, 13 Apr 2002 13:01:15 -0700 (PDT) Received: from softhome.net ([209.6.136.254]) (AUTH: PLAIN jkane89@softhome.net) by softhome.net with esmtp; Sat, 13 Apr 2002 14:01:00 -0600 Message-ID: <3CB847D5.5065E309@softhome.net> Date: Sat, 13 Apr 2002 10:59:33 -0400 From: John Kane <jkane89@softhome.net> X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-openpgp@imc.org Subject: quasi-deniable signing Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Think of the MAC scheme as one example of a 'volatile' sig. It might be a little easier to follow in this variant: Suppose someone anonymously publishes symmetric_encrypt( K, msg ) [K is a session key] encrypt_Bob( sign_Alice( encrypt_Bob(K) )) Then Bob 'knows' that only he and Alice initially have K, and since K decrypts the message, Alice is the only one who could have encrypted it. Bob can disclose 'msg' to others, and can disclose K to demonstrate that he was a recipient of the anonymously-posted message, but that's it. Unless Bob reveals his private decryption key, he can't prove that Alice had any knowledge of K, or of 'msg'. Even if he does that, he can only show Alice sent him K, and it might have been Bob himself who 'forged' sym(K,msg). The essence of this scheme is that Alice never signs anything derived from the message content, and only authenticates a shared secret. Anyone can generate sym(K,msg), and the signature is not bound to the message. (Alice can't send a message with sign_Alice(encrypt_EVE(K)) and sign_Alice(encrypt_Bob(K)) safely, because it allows Eve to forge sym( K, msg-2 ), intercept Bob's copy of the message, and impersonate Alice. This scheme's not appropriate for general multiple-recipient situations.) ** ** ** In the other 1-of-N "how to leak a secret" scheme, Alice needs N-1 other people's public keys to *generate* the signature, but the resulting signature is public and can be verified at any time by any person who knows the N public keys. Applying the N public keys to the N-part signature gives the hash of the message, so the signature is bound to the message in the normal non-volatile way. Call me silly, but I don't think the OpenPGP protocol really needs either of these modes as part of the standard. Received: by above.proper.com (8.11.6/8.11.3) id g3CMiXm25718 for ietf-openpgp-bks; Fri, 12 Apr 2002 15:44:33 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3CMiUm25714 for <ietf-openpgp@imc.org>; Fri, 12 Apr 2002 15:44:30 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id g3CMhrX18609 for <ietf-openpgp@imc.org>; Fri, 12 Apr 2002 18:43:53 -0400 (EDT) Message-ID: <200204122243.g3CMhrL18605@stingray.missi.ncsc.mil> Date: Fri, 12 Apr 2002 18:44:58 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-openpgp@imc.org Subject: Re: Recipient-verifiable messages References: <200204111545.g3BFjdw11622@finney.org> <p0510153cb8dbc0a982fc@[192.168.1.97]> <200204120005.g3C05VL13758@stingray.missi.ncsc.mil> <p0510153fb8dbd86e1539@[192.168.1.97]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-H-S-Loop-Check-Ejzfr: Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > The obvious difference is this: > > If the shared secret (shared by, say, Alice and Bob) used to generate a MAC > is leaked -- suppose Charlie learns it -- then anyone, Alice, Bob, or > Charlie can rewrite the MAC undetectably. > > On the other hand if Alice generates one of these signatures and sends it > to Bob, a third party, Teresa can verify the signature but: > > * not be able to create one of her own and > * cannot tell from the signature itself whether Alice or Bob made it. > > I'm not sure how useful it is in the real world, but it's a fascinating thing. > > I could sign a message to this list combining a dozen keys and thus create > a presumption that I made it without explicit demonstration of it. Thanks, Jon. I'm still missing something though. If the algorithm requires 1 private key and n-1 public keys to verify (so that only the recipients can verify it), then Teresa, not being a recipient of the original encrypted message but having a forwarded copy of the decrypt, would not be able to verify it. Thus by elimination you are talking about an algorithm that requires n public keys to verify, and anyone can verify that one of n people generated it without being able to tell which one. "Recipient-verifiable" seems like a misnomer for something that recipients and not-recipients alike can verify. Now assume that Alice gives something to Charlie, or a bug in her software allows him to steal it. Your job is to figure out whether Charlie got hold of Alice's private key or the shared secret that Alice derived from her private key and Bob's public key. There are two possible algorithms: a "signature-algorithm-that-is-not-a-MAC" that Teresa can verify, and a MAC function whose key input is derived from Alice's private key and n-1 public keys. What is the difference between those two algorithms with respect to what they tell you about what Charlie got from Alice? (Or what they tell you about any other question you care to ask?) In other words, the algorithm is a black box. You can't see it, you can only see the g'zoutas and you can do whatever you want with the g'zintas. Does the algorithm use a MAC or not? If it walks like a MAC and it quacks like a MAC, then ... Received: by above.proper.com (8.11.6/8.11.3) id g3C0cGu29418 for ietf-openpgp-bks; Thu, 11 Apr 2002 17:38:16 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3C0cEm29413 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 17:38:14 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Thu, 11 Apr 2002 17:38:05 -0700 Mime-Version: 1.0 Message-Id: <p0510153fb8dbd86e1539@[192.168.1.97]> In-Reply-To: <200204120005.g3C05VL13758@stingray.missi.ncsc.mil> References: <200204111545.g3BFjdw11622@finney.org> <p0510153cb8dbc0a982fc@[192.168.1.97]> <200204120005.g3C05VL13758@stingray.missi.ncsc.mil> Date: Thu, 11 Apr 2002 17:29:42 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Jon Callas <jon@callas.org> Subject: Re: Recipient-verifiable messages Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 8:06 PM -0400 4/11/02, David P. Kemp wrote: >What is the difference between a "recipient-verifiable signature" and >a MAC? > >One of the properties of a digital signature mechanism is that it >is computationally infeasible for any entity other than the signer >to find, for any message, a signature value that is valid for that >message. [HAC, p.23] > >Thus it would seem that a "signature" that can't be bound later >to the signer is an oxymoron. Why not just call it an authentication >code, where it is accepted that anyone who can verify a MAC has >the information necessary to create it. The obvious difference is this: If the shared secret (shared by, say, Alice and Bob) used to generate a MAC is leaked -- suppose Charlie learns it -- then anyone, Alice, Bob, or Charlie can rewrite the MAC undetectably. On the other hand if Alice generates one of these signatures and sends it to Bob, a third party, Teresa can verify the signature but: * not be able to create one of her own and * cannot tell from the signature itself whether Alice or Bob made it. I'm not sure how useful it is in the real world, but it's a fascinating thing. I could sign a message to this list combining a dozen keys and thus create a presumption that I made it without explicit demonstration of it. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3C064k28643 for ietf-openpgp-bks; Thu, 11 Apr 2002 17:06:04 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3C063m28638 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 17:06:03 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id g3C05Ws13763 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 20:05:32 -0400 (EDT) Message-ID: <200204120005.g3C05VL13758@stingray.missi.ncsc.mil> Date: Thu, 11 Apr 2002 20:06:33 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 CC: ietf-openpgp@imc.org Subject: Re: Recipient-verifiable messages References: <200204111545.g3BFjdw11622@finney.org> <p0510153cb8dbc0a982fc@[192.168.1.97]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-H-S-Loop-Check-Ejzfr: Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > > >David Chaum has a patent on a variation on this idea, and he gave a talk > >at PGP several years ago in which he advocated that recipient-verifiable > >signatures are very useful, and in fact ought to be the default for > >an email encryption system like PGP. As others in this thread have > >commented, often you don't want to sign something such that you can > >be bound by it later, but you do want to assure the recipient that the > >message is authentic. Only rarely do you want to make a signature that > >anyone can read. > > > >Unfortunately I think that adding a new flavor of signature would tend > >to create confusion among users who at best barely understand public > >key cryptography. The new kind of signature would have very different > >security properties and usage scenarios, so it would add additional > >complexity for people to deal with. > > Could we do something both simple and useful, however? > > For example, if I send a message to Alice, the signature could be made > safely as a combo of my key and Alice's key. It would not be a > misrepresentation in Alice's MUA for it to assume I signed it. You'd have > to be careful in the UI, but I think it could be done. It might be able to > be extended to multiple recipients, but with two it might be an easy > hand-wave. What is the difference between a "recipient-verifiable signature" and a MAC? One of the properties of a digital signature mechanism is that it is computationally infeasible for any entity other than the signer to find, for any message, a signature value that is valid for that message. [HAC, p.23] Thus it would seem that a "signature" that can't be bound later to the signer is an oxymoron. Why not just call it an authentication code, where it is accepted that anyone who can verify a MAC has the information necessary to create it. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3BMiVO25692 for ietf-openpgp-bks; Thu, 11 Apr 2002 15:44:31 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BMiUm25688 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 15:44:30 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Thu, 11 Apr 2002 15:44:17 -0700 Mime-Version: 1.0 Message-Id: <p0510153cb8dbc0a982fc@[192.168.1.97]> In-Reply-To: <200204111545.g3BFjdw11622@finney.org> References: <200204111545.g3BFjdw11622@finney.org> Date: Thu, 11 Apr 2002 15:42:02 -0700 To: "Hal Finney" <hal@finney.org>, ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: Recipient-verifiable messages Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> >David Chaum has a patent on a variation on this idea, and he gave a talk >at PGP several years ago in which he advocated that recipient-verifiable >signatures are very useful, and in fact ought to be the default for >an email encryption system like PGP. As others in this thread have >commented, often you don't want to sign something such that you can >be bound by it later, but you do want to assure the recipient that the >message is authentic. Only rarely do you want to make a signature that >anyone can read. > >Unfortunately I think that adding a new flavor of signature would tend >to create confusion among users who at best barely understand public >key cryptography. The new kind of signature would have very different >security properties and usage scenarios, so it would add additional >complexity for people to deal with. Could we do something both simple and useful, however? For example, if I send a message to Alice, the signature could be made safely as a combo of my key and Alice's key. It would not be a misrepresentation in Alice's MUA for it to assume I signed it. You'd have to be careful in the UI, but I think it could be done. It might be able to be extended to multiple recipients, but with two it might be an easy hand-wave. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3BMAiL24218 for ietf-openpgp-bks; Thu, 11 Apr 2002 15:10:44 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BMAhm24214 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 15:10:43 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3BMAvp03166; Thu, 11 Apr 2002 18:10:57 -0400 (EDT) Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless To: vedaal@hotmail.com Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 11 Apr 2002 17:10:47 -0500 Message-ID: <OF2E748184.20F21452-ON86256B98.00799575@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/11/2002 06:10:41 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz Vedaal writes, "no new signature type is needed. this can be done now with a split key setup, for either an RSA or DH key:" I think this would work without the split feature. For example, when I enter into a conspiracy with Bob, I make a new signing key for the purpose. Send Bob the key including the private half (export it, and note the passphrase in the message). Encrypt that TO Bob and send it to him, and also post it somewhere in public so Bob can't say he never got it. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3BM1rF23904 for ietf-openpgp-bks; Thu, 11 Apr 2002 15:01:53 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BM1qm23900 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 15:01:52 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3BM25p01639; Thu, 11 Apr 2002 18:02:05 -0400 (EDT) Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless To: vedaal@hotmail.com Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Thu, 11 Apr 2002 17:01:57 -0500 Message-ID: <OF4880F824.3763FAE2-ON86256B98.0078D941@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/11/2002 06:01:50 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz Beautiful. A split isn't necessary, though. Just make a key and have the private part known to both. "vedaal" <vedaal@hotmail.com>@mail.imc.org on 04-11-2002 03:43:56 PM Sent by: owner-ietf-openpgp@mail.imc.org To: <ietf-openpgp@imc.org> cc: Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless ----- Original Message ----- From: "Hal Finney" <hal@finney.org> To: <ietf-openpgp@imc.org> Sent: Thursday, April 11, 2002 11:45 AM Subject: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless ... > I proposed a different method, which basic idea is expressed in a paper > by Rivest, Shamir and Tauman, "How to Leak a Secret", available from > http://theory.lcs.mit.edu:80/~rivest/publications.html. This paper shows > how to produce a signature which can be verified to be from a specific > list of keys, but you can't tell which key on the list made the signature. > It is very simple and efficient for RSA keys. I think extensions are > possible for discrete log keys, but the paper doesn't cover that. > > For the recipient-verifiable signature, Alice would create one of these > multiple-signer signatures based on exactly two keys, Bob's and hers. > Anyone can verify that the resulting message has been signed by Alice or > Bob, but there is no way to tell which. Alice then sends the message > to Bob. He knows that he didn't sign it, so it must have been Alice. > But if he shows it to someone else, all they can see is that either > Bob or Alice signed it, so Bob could have created a signature like this > for any message he wanted. Again there is no way for Bob to show the > message convincingly to a third party, and Alice is protected. ... > Unfortunately I think that adding a new flavor of signature would tend > to create confusion among users who at best barely understand public > key cryptography. The new kind of signature would have very different > security properties and usage scenarios, so it would add additional > complexity for people to deal with. ... no new signature type is needed. this can be done now with a split key setup, for either an RSA or DH key: Alice or Bob produces a new key 'Alice&Bob' the share is set for 1, and the 'Alice&Bob' key is split with a share to Alice's key, and a share to Bob's key, either Alice or Bob can now sign with the 'Alice&Bob' key, without anyone being able to detect whether it was Alice or Bob, and it will verify as a good signature from the 'Alice&Bob' key. the 'Alice&Bob' split key can be imported into gnupg and the signatures verified, but gnupg cannot (yet) rejoin, sign or decrypt with a split shared system if this is worthwhile/necessary, perhaps it could be considered for addition to the gnupg system. hth, vedaal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3BKuhN21961 for ietf-openpgp-bks; Thu, 11 Apr 2002 13:56:43 -0700 (PDT) Received: from hotmail.com (oe17.law3.hotmail.com [209.185.240.121]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BKugm21954 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 13:56:42 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 11 Apr 2002 13:45:32 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> References: <200204111545.g3BFjdw11622@finney.org> Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Date: Thu, 11 Apr 2002 16:43:56 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE17NY30kkZIhTrBoe20000072b@hotmail.com> X-OriginalArrivalTime: 11 Apr 2002 20:45:32.0196 (UTC) FILETIME=[D28FA640:01C1E199] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> ----- Original Message ----- From: "Hal Finney" <hal@finney.org> To: <ietf-openpgp@imc.org> Sent: Thursday, April 11, 2002 11:45 AM Subject: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless ... > I proposed a different method, which basic idea is expressed in a paper > by Rivest, Shamir and Tauman, "How to Leak a Secret", available from > http://theory.lcs.mit.edu:80/~rivest/publications.html. This paper shows > how to produce a signature which can be verified to be from a specific > list of keys, but you can't tell which key on the list made the signature. > It is very simple and efficient for RSA keys. I think extensions are > possible for discrete log keys, but the paper doesn't cover that. > > For the recipient-verifiable signature, Alice would create one of these > multiple-signer signatures based on exactly two keys, Bob's and hers. > Anyone can verify that the resulting message has been signed by Alice or > Bob, but there is no way to tell which. Alice then sends the message > to Bob. He knows that he didn't sign it, so it must have been Alice. > But if he shows it to someone else, all they can see is that either > Bob or Alice signed it, so Bob could have created a signature like this > for any message he wanted. Again there is no way for Bob to show the > message convincingly to a third party, and Alice is protected. ... > Unfortunately I think that adding a new flavor of signature would tend > to create confusion among users who at best barely understand public > key cryptography. The new kind of signature would have very different > security properties and usage scenarios, so it would add additional > complexity for people to deal with. ... no new signature type is needed. this can be done now with a split key setup, for either an RSA or DH key: Alice or Bob produces a new key 'Alice&Bob' the share is set for 1, and the 'Alice&Bob' key is split with a share to Alice's key, and a share to Bob's key, either Alice or Bob can now sign with the 'Alice&Bob' key, without anyone being able to detect whether it was Alice or Bob, and it will verify as a good signature from the 'Alice&Bob' key. the 'Alice&Bob' split key can be imported into gnupg and the signatures verified, but gnupg cannot (yet) rejoin, sign or decrypt with a split shared system if this is worthwhile/necessary, perhaps it could be considered for addition to the gnupg system. hth, vedaal Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3BFsm205586 for ietf-openpgp-bks; Thu, 11 Apr 2002 08:54:48 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3BFslm05579 for <ietf-openpgp@imc.org>; Thu, 11 Apr 2002 08:54:47 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g3BFjdw11622 for ietf-openpgp@imc.org; Thu, 11 Apr 2002 08:45:39 -0700 Date: Thu, 11 Apr 2002 08:45:39 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204111545.g3BFjdw11622@finney.org> To: ietf-openpgp@imc.org Subject: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> [Redirected to just OpenPGP list. I guess this was a Mozilla bug discussion that someone copied here?] Sam Roberts <sroberts@uniserve.com> writes: > S/MIME only uses the signed and enveloped types from CMS, but RFC2630 > specifies authenticated as well. Its not well described there, but it is a > way of "signing" something using a key agreement algorithm, such that the > signature can ONLY be verified by using the sender or the receiver's > private key. I haven't read this RFC, but I had a long discussion with Wei Dai last year about ways to do this within the OpenPGP framework. We came up with a couple of ideas. These might be called "recipient-verifiable" signed messages, to distinguish them from the regular PGP signed messages which are "world-verifiable". The general approach is to make the message such that the recipient could "forge" fake messages from the sender that look legitimate to third parties. This prevents the real message from being shown around in a convincing way. Wei suggested that the recipient-verifiable message from Alice to Bob could be as follows: Sign_Alice( Encrypt_Bob( K ) ), MAC_K( Msg ), Msg. The idea is that Alice chooses a MAC key K, encrypts it to Bob and then signs the encrypted packet. She sends this, along with the MAC'd message, to Bob. Bob can recover K from the encrypted packet, verifying the signature by Alice on that packet, and then verify the MAC. But if Bob shows this to someone else, although he may be able to convince them that K was signed by Alice, he can't show that Msg is what she sent. Given K, Bob could have MAC'd any message with that K and replaced Msg with that. So there is no evidence that Msg is what Alice actually signed, hence she is not bound by it. A subtlety is that if you did Encrypt_Bob( Sign_Alice( K ) ) instead, this would let Bob remove his encryption envelope and then re-encrypt for someone else, making them think that Alice had directed the message to them and letting them verify the signature. So the reverse ordering is important. I proposed a different method, which basic idea is expressed in a paper by Rivest, Shamir and Tauman, "How to Leak a Secret", available from http://theory.lcs.mit.edu:80/~rivest/publications.html. This paper shows how to produce a signature which can be verified to be from a specific list of keys, but you can't tell which key on the list made the signature. It is very simple and efficient for RSA keys. I think extensions are possible for discrete log keys, but the paper doesn't cover that. For the recipient-verifiable signature, Alice would create one of these multiple-signer signatures based on exactly two keys, Bob's and hers. Anyone can verify that the resulting message has been signed by Alice or Bob, but there is no way to tell which. Alice then sends the message to Bob. He knows that he didn't sign it, so it must have been Alice. But if he shows it to someone else, all they can see is that either Bob or Alice signed it, so Bob could have created a signature like this for any message he wanted. Again there is no way for Bob to show the message convincingly to a third party, and Alice is protected. David Chaum has a patent on a variation on this idea, and he gave a talk at PGP several years ago in which he advocated that recipient-verifiable signatures are very useful, and in fact ought to be the default for an email encryption system like PGP. As others in this thread have commented, often you don't want to sign something such that you can be bound by it later, but you do want to assure the recipient that the message is authentic. Only rarely do you want to make a signature that anyone can read. Unfortunately I think that adding a new flavor of signature would tend to create confusion among users who at best barely understand public key cryptography. The new kind of signature would have very different security properties and usage scenarios, so it would add additional complexity for people to deal with. Hal Received: by above.proper.com (8.11.6/8.11.3) id g3B6Nko15707 for ietf-openpgp-bks; Wed, 10 Apr 2002 23:23:46 -0700 (PDT) Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3B6Ngm15681; Wed, 10 Apr 2002 23:23:43 -0700 (PDT) Received: from ruru.cs.auckland.ac.nz (ruru-nfs.cs.auckland.ac.nz [130.216.35.12]) by hermes.cs.auckland.ac.nz (8.12.2/8.12.2) with ESMTP id g3B6NaXv017048; Thu, 11 Apr 2002 18:23:36 +1200 Received: (from pgut001@localhost) by ruru.cs.auckland.ac.nz (8.9.3/8.8.6/cs-slave) id SAA409290; Thu, 11 Apr 2002 18:23:34 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Date: Thu, 11 Apr 2002 18:23:34 +1200 (NZST) Message-ID: <200204110623.SAA409290@ruru.cs.auckland.ac.nz> From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-822@imc.org, sroberts@uniserve.com Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Cc: ietf-openpgp@imc.org, john.dlugosz@kodak.com, kmail@kde.org, mutz@kde.org, shields@passport.ca Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Sam Roberts <sroberts@uniserve.com> writes: >S/MIME only uses the signed and enveloped types from CMS, but RFC2630 >specifies authenticated as well. Its not well described there, but it is a >way of "signing" something using a key agreement algorithm, such that the >signature can ONLY be verified by using the sender or the receiver's >private key. Hmm, are you sure you're not interpreting a bit too much into this data type? The intent is to allow MAC'ing of data, and to do that you need to share a key with the other side, which is why you need a key exchange to precede it. One of those happens to be X9.42. There are two issues with this: 1. The only implementation which is known to support X9.42 in any useful manner is the SFL. 2. There don't seem to be any implementations which support authenticatedData, or at least that was the case when I asked on the S/MIME list a while back for someone to do some interop testing with. (Oh, and the obvious third point: If you're doing a PKC operation for the key exchange anyway, you may as well just sign the thing directly. At best, you can claim that this gives you a signature capability using an encryption-only key). I've always seen the only real use for this data type as password- based integrity protection for data you're carrying around, using in conjunction with passwordRecipientInfo. >What this gives you is repudiation. If I authenticate something to >you, you know I authenticated it. But if you forward it somebody >else, they can't verify the signature, they have no way of knowing >for sure that I authenticated it, and I can deny it. Even if the >recipients private key is compromised, they still can't prove >that *I* authenticated it, since either one of us can create the >"signature", all they know is one of us made the authenticated data. Well, only if you use some of the obscure X9.42 options which don't identify sender and receiver. The default is to list both, although there are a pile of optional parameters and with only one known implementation who knows what will happen in real life. Peter. Received: by above.proper.com (8.11.6/8.11.3) id g3B6Ei814141 for ietf-openpgp-bks; Wed, 10 Apr 2002 23:14:44 -0700 (PDT) Received: from mailout07.sul.t-online.com (mailout07.sul.t-online.com [194.25.134.83]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3B6ENm14038; Wed, 10 Apr 2002 23:14:23 -0700 (PDT) Received: from fwd04.sul.t-online.de by mailout07.sul.t-online.com with smtp id 16vXfO-0004FD-07; Thu, 11 Apr 2002 08:02:42 +0200 Received: from webclient (510028335386-0001@[217.84.21.219]) by fmrl04.sul.t-online.com with esmtp id 16vXfH-28b9BQC; Thu, 11 Apr 2002 08:02:35 +0200 Content-Type: text/plain; charset="iso-8859-15" From: Volker Augustin <volker.augustin@perfektionismus.de> To: kmail@mail.kde.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Date: Thu, 11 Apr 2002 06:58:04 +0200 X-Mailer: KMail [version 1.4.5] Cc: ietf-822@imc.org, ietf-openpgp@imc.org References: <200204110134.g3B1YTZ03240@astro.cs.utk.edu> In-Reply-To: <200204110134.g3B1YTZ03240@astro.cs.utk.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200204110658.04835.volker.augustin@perfektionismus.de> X-Sender: 510028335386-0001@t-dialin.net Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Am Thursday 11 April 2002 03:34:03 schrieb Keith Moore > > But - for me - replying should only go back to the original sender and > > not to someone else. > > I don't think you'll find much widespread support for that view. > There are too many real world cases where you want to change the > set of recipients to whom a reply is sent. Of course not. The point was only that the name of an action describes a "general" action contract, i.e. in case of the "Reply To" you expect that you can reply to a message. You would be badly shaken if you could only reply to the sender. The same should be true for forwarding. The general action contract is to forward something you received to someone else. It should be up to the person who is forwarding to decide whether to forward the whole message or only parts of it. Volker Augustin Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3B2xs505631 for ietf-openpgp-bks; Wed, 10 Apr 2002 19:59:54 -0700 (PDT) Received: from tomts11-srv.bellnexxia.net (tomts11.bellnexxia.net [209.226.175.55]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3B2xdm05618; Wed, 10 Apr 2002 19:59:39 -0700 (PDT) Received: from localhost ([64.229.86.40]) by tomts11-srv.bellnexxia.net (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP id <20020411025942.CYEQ10141.tomts11-srv.bellnexxia.net@localhost>; Wed, 10 Apr 2002 22:59:42 -0400 Received: (nullmailer pid 453824565 invoked by uid 100); Thu, 11 Apr 2002 02:59:01 -0000 Date: Wed, 10 Apr 2002 22:59:01 -0400 From: Sam Roberts <sroberts@uniserve.com> To: ietf-822@imc.org Cc: Paul Shields <shields@passport.ca>, ietf-openpgp@imc.org, john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Message-ID: <20020410225900.B442736687@localhost> Mail-Followup-To: ietf-822@imc.org, Paul Shields <shields@passport.ca>, ietf-openpgp@imc.org, john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> <3CB45042.2F672361@passport.ca> <20020410160651.GD30779@yoda.does-not-exist.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.16i In-Reply-To: <20020410160651.GD30779@yoda.does-not-exist.org>; from roessler@does-not-exist.org on Wed, Apr 10, 2002 at 06:06:51PM +0200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> There actually is a cryptographically sound technique that helps here, I was talking about it with a cryptographer at work last week while reading RFC 2630, and not getting the difference between authenticated and signed data. S/MIME only uses the signed and enveloped types from CMS, but RFC2630 specifies authenticated as well. Its not well described there, but it is a way of "signing" something using a key agreement algorithm, such that the signature can ONLY be verified by using the sender or the receiver's private key. Now, since the receiver knows he didn't authenticate it, he knows the sender must have. What this gives you is repudiation. If I authenticate something to you, you know I authenticated it. But if you forward it somebody else, they can't verify the signature, they have no way of knowing for sure that I authenticated it, and I can deny it. Even if the recipients private key is compromised, they still can't prove that *I* authenticated it, since either one of us can create the "signature", all they know is one of us made the authenticated data. I hope my explanation was clear, its easier on a white board! This CMS authenticated data is only possible with key agreement algorithms, i.e., you can't do it with RSA. I could be wrong about it not being a defined payload for S/MIME, but I don't think so. Too bad. It also has a very odd "feature" or "bug" when you authenticate the same content to multiple receivers in the CMS message. I'll explain if anybody is interested. Sam Quoteing roessler@does-not-exist.org, on Wed, Apr 10, 2002 at 06:06:51PM +0200: > On 2002-04-10 10:46:26 -0400, Paul Shields wrote: > > >Should we have a selectable option on sign-encrypt that specifies > >that the signature must be removed from the plaintext after > >verifying it? > > What, precisely, prevents the recipient's implementation from > ignoring that flag? > > In the suggestions circulated in this thread, some folks are making > the same basic design error all over the place: You want to place > trust in software which is under the complete control of an > individual you don't trust. Don't do it. It's impossible. > > The features which are being suggested _may_ help against > unintentional errors the recipient may make (like, storing, by > accident, the wrong love letters on the wrong hard drive, which [I > seem to recall] was the original reasoning behind the "for your eyes > only" [or whatever it was called] function of pgp 2). > > They don't, however, help against malicious behavior on the > recipient's side. > > -- > Thomas Roessler <roessler@does-not-exist.org> -- Sam Roberts <sroberts@uniserve.com> (Vivez sans temps mort!) Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3B1YWw03755 for ietf-openpgp-bks; Wed, 10 Apr 2002 18:34:32 -0700 (PDT) Received: from astro.cs.utk.edu (astro.cs.utk.edu [160.36.58.43]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3B1YUm03751; Wed, 10 Apr 2002 18:34:30 -0700 (PDT) Received: from astro.cs.utk.edu (localhost [127.0.0.1]) by astro.cs.utk.edu (cf 8.9.3) with ESMTP id g3B1YTZ03240; Wed, 10 Apr 2002 21:34:29 -0400 (EDT) Message-Id: <200204110134.g3B1YTZ03240@astro.cs.utk.edu> X-URI: http://www.cs.utk.edu/~moore/ From: Keith Moore <moore@cs.utk.edu> To: Volker Augustin <volker.augustin@perfektionismus.de> cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless In-reply-to: (Your message of "Wed, 10 Apr 2002 21:56:52 +0200.") <200204102156.52449.volker.augustin@perfektionismus.de> Date: Wed, 10 Apr 2002 21:34:28 -0400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > But - for me - replying should only go back to the original sender and not > to someone else. I don't think you'll find much widespread support for that view. There are too many real world cases where you want to change the set of recipients to whom a reply is sent. Received: by above.proper.com (8.11.6/8.11.3) id g3AL8gn23268 for ietf-openpgp-bks; Wed, 10 Apr 2002 14:08:42 -0700 (PDT) Received: from mailout01.sul.t-online.com (mailout01.sul.t-online.com [194.25.134.80]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AL8Rm23251; Wed, 10 Apr 2002 14:08:27 -0700 (PDT) Received: from fwd11.sul.t-online.de by mailout01.sul.t-online.com with smtp id 16vPDd-0007SL-0B; Wed, 10 Apr 2002 23:01:29 +0200 Received: from webclient (510028335386-0001@[217.229.169.32]) by fmrl11.sul.t-online.com with esmtp id 16vPDU-0BKIuOC; Wed, 10 Apr 2002 23:01:20 +0200 Content-Type: text/plain; charset="iso-8859-1" From: Volker Augustin <volker.augustin@perfektionismus.de> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Date: Wed, 10 Apr 2002 21:56:52 +0200 X-Mailer: KMail [version 1.4.5] To: kmail@kde.org Cc: ietf-822@imc.org, ietf-openpgp@imc.org MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-Id: <200204102156.52449.volker.augustin@perfektionismus.de> X-Sender: 510028335386-0001@t-dialin.net Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > Why I am sceptic about allowing forwarding formerly encrypted mails > unencryptedly or after re-encryption is that - for me - forwarding > shouldn't change the original message. As we already saw different people associate different actions with "forward". > If you want to change the message, reply to it and edit the recipients. But - for me - replying should only go back to the original sender and not to someone else. So, from my point of view you should not even be able to change the recipient field after selecting the reply action. Different people, different views again. > If you forward, you actually want to annotate the original message with > a few lines of notes, then send the stuff on the the recipient, much like > sticking these yellow post-it strips to a folder and write "you do that!" > on them before telling the secretary to carry it to the next room. Actually, in your interpretation you would stick the folder in a box with a padlock for which you know that the recipient does not have a key, then tell the secretary to carry it to the next room. IMO there need to be two different forward actions. Actually we already have them: Forward and Forward as Attachment. Their interpretation should be applied only to the content and not the envelope. The encryption is the en- velope here, but the signature belongs to the content. Of course you could name them "Forward annotated" and "Forward" instead. Volker Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AJsH819320 for ietf-openpgp-bks; Wed, 10 Apr 2002 12:54:17 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AJsGm19313 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 12:54:16 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3AJsQg15412 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 15:54:26 -0400 (EDT) Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Wed, 10 Apr 2002 14:54:17 -0500 Message-ID: <OF15569B6F.F316C1F9-ON86256B97.006D113F@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/10/2002 03:54:12 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz Here's another way to make sure that someone doesn't strip away the encryption envelope but leave the signature and forward the signed document: By analogy with the "Dear Sue" content to prevent authenticated message re-use, you can do this on the application level. Include in the signed text a statement that the intended recipient still wants to keep secret. now he will have to excerpt the main message of interest (and lose your signature) or act against his own interest, which may be different from the interest context of the main message. --John Received: by above.proper.com (8.11.6/8.11.3) id g3AJEYn15299 for ietf-openpgp-bks; Wed, 10 Apr 2002 12:14:34 -0700 (PDT) Received: from c000.snv.cp.net (h008.c000.snv.cp.net [209.228.32.72]) by above.proper.com (8.11.6/8.11.3) with SMTP id g3AJEVm15290 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 12:14:31 -0700 (PDT) Received: (cpmta 15184 invoked from network); 10 Apr 2002 12:14:22 -0700 Received: from 217.82.85.10 (HELO dirichlet.mathematik.uni-bielefeld.de) by smtp.mutz.com (209.228.32.72) with SMTP; 10 Apr 2002 12:14:22 -0700 X-Sent: 10 Apr 2002 19:14:22 GMT Content-Type: text/plain; charset="us-ascii" From: Marc Mutz <mutz@kde.org> Organization: KDE To: Marcel Waldvogel <marcel@news.m.wanda.ch> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Date: Wed, 10 Apr 2002 21:12:39 +0200 User-Agent: KMail/1.4.5 Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org References: <200204091947.03266@sendmail.mutz.com> <200204101933.19409@sendmail.mutz.com> <3CB486FA.3000404@news.m.wanda.ch> In-Reply-To: <3CB486FA.3000404@news.m.wanda.ch> X-PGP-Key: 0xBDBFE838 MIME-Version: 1.0 Message-Id: <200204102112.41088@sendmail.mutz.com> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3AJEVm15292 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 10 April 2002 20:39, Marcel Waldvogel wrote: <snip> > I like bringing up the secretary/post-it metaphor. But assume the letter > was encrypted, or, in "real-world terms", written in Suaheli, a language > which nobody else in your office speaks. Putting a "you do that!" > post-it on the letter won't be useful to your secretary, <snip> You don't know my boss. He recently forwarded me a Windows Virus infected mail because he couldn't print the attachment (a audio/x-wav labelled .doc.pif file). Thank God he works under Linux ;-) Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8tI6o3oWD+L2/6DgRAilsAJ0ZtnjNIwBOWy+tOsrdN/Px8aYthQCgl196 +Dmz7BVnC1/dwgseUWxXdyg= =tomX -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AICUR12636 for ietf-openpgp-bks; Wed, 10 Apr 2002 11:12:30 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AICTm12631 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 11:12:29 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.11.6/8.11.6) id g3AICPN02482 for ietf-openpgp@imc.org; Wed, 10 Apr 2002 14:12:25 -0400 Date: Wed, 10 Apr 2002 14:12:25 -0400 From: David Shaw <dshaw@akamai.com> To: ietf-openpgp@imc.org Subject: Re: forwarding an encrypted message Message-ID: <20020410181225.GA1521@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org References: <OF9AF44638.DCA9E26D-ON86256B97.0057C86C@kodak.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <OF9AF44638.DCA9E26D-ON86256B97.0057C86C@kodak.com> User-Agent: Mutt/1.3.26i X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waning Crescent (4% of Full) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Apr 10, 2002 at 11:01:47AM -0500, john.dlugosz@kodak.com wrote: > What is the "throw-keyid" switch? "throw-keyid" is what GnuPG calls using the wildcard or speculative keyid. Basically it means that a sender can specify the recepient key id as zero, which tells the receiving program to try all possible secret keys. It helps resist traffic analysis as a snooper cannot easily tell who the message is intended for. See RFC2440, section 5.1 for more details. I don't see how this would help with the message forwarding problem being discussed though. David -- David Shaw | Technical Lead <dshaw@akamai.com> | Enterprise Content Delivery 617-250-3028 | Akamai Technologies Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AHq4410696 for ietf-openpgp-bks; Wed, 10 Apr 2002 10:52:04 -0700 (PDT) Received: from astro.cs.utk.edu (astro.cs.utk.edu [160.36.58.43]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AHq3m10688; Wed, 10 Apr 2002 10:52:03 -0700 (PDT) Received: from astro.cs.utk.edu (localhost [127.0.0.1]) by astro.cs.utk.edu (cf 8.9.3) with ESMTP id g3AHq0Z01617; Wed, 10 Apr 2002 13:52:00 -0400 (EDT) Message-Id: <200204101752.g3AHq0Z01617@astro.cs.utk.edu> X-URI: http://www.cs.utk.edu/~moore/ From: Keith Moore <moore@cs.utk.edu> To: Marc Mutz <mutz@kde.org> cc: ned.freed@mrochek.com, Keith Moore <moore@cs.utk.edu>, kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless In-reply-to: (Your message of "Wed, 10 Apr 2002 19:33:17 +0200.") <200204101933.19409@sendmail.mutz.com> Date: Wed, 10 Apr 2002 13:52:00 -0400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > Why I am sceptic about allowing forwarding formerly encrypted mails > unencryptedly or after re-encryption is that - for me - forwarding shouldn't > change the original message. I agree with this much. A UA that claims to be forwarding a message shouldn't misrepresent the message's content. If the subject message is encrypted, the corresponding content of the forwarded message should also be encrypted. It would be fair for the UA to refuse to forward such a message to someone who wasn't a recipient - or at least to warn the forwarder that the recipient probably won't be able to read it. OTOH if only part of the message is forwarded, say the body or an attachment, the original encryption has to be removed anyway. It seems like the issue here is really one of how the forwarded message is represented to the ultimate recipient - does it look just like any other forwarded message, or can the recipient tell that it's been altered? Have we ever defined exactly what a forwarded message should look like anyway? Keith Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AHgfV09347 for ietf-openpgp-bks; Wed, 10 Apr 2002 10:42:41 -0700 (PDT) Received: from hotmail.com (oe19.law3.hotmail.com [209.185.240.123]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AHgdm09343 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 10:42:39 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 10 Apr 2002 10:42:36 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org>, <john.dlugosz@kodak.com> References: <OF9AF44638.DCA9E26D-ON86256B97.0057C86C@kodak.com> Subject: Re: forwarding an encrypted message Date: Wed, 10 Apr 2002 13:40:50 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE19gFrYILoygXLsxpT00000034@hotmail.com> X-OriginalArrivalTime: 10 Apr 2002 17:42:36.0940 (UTC) FILETIME=[1A62BCC0:01C1E0B7] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 - ----- Original Message ----- From: <john.dlugosz@kodak.com> To: <vedaal@hotmail.com> Cc: <ietf-openpgp@imc.org> Sent: Wednesday, April 10, 2002 12:01 PM Subject: re: forwarding an encrypted message ... > What is the "throw-keyid" switch? ... the throw-keyid switch is an option in GnuPG, and also in Disastry's 2.6.31a-multi 5, {but not available in any other PGP implementation} the throw-keyid option allows for replacing the key id that a message was encrypted to, with a 'blank' one, {indicating that the sender wishes the recipients (and the sender as well, if also encrypted to self by default) to remain anonymous. the recipient must try 'all secret keys' , and if the appropriate secret key is on the recipient's keyring, the message will decrypt upon entry of the correct passphrase. there is no other indication of which key or keys the message was encrypted to, and the default encryption to the sender's key is also not detectable, even after successful decryption by the recipient. there is 'sort of' a way to prevent a signed message from being forwarded, without changing any requirements, and without any ways around it: [1] encrypt, but do not sign, the original message, [2] then, sign and encrypt the first encrypted message the recipient verifies the signature, and knows that the unsigned encrypted message was sent by the reciever and intended for the recipient. nothing can prevent the recipient from forwarding the 'content' of the message, but unless the recipient wants to decrypt in front of witnesses, there is no other way to link the plaintext to the sender's signature. all the best, vedaal -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt build 7 http://www.ipgpp.com/ Comment: { Acts of Kindness better the World, and protect the Soul } Comment: KeyID: 0x6A05A0B785306D25 Comment: Fingerprint: 96A6 5F71 1C43 8423 D9AE 02FD A711 97BA iQEVAwUBPLR5H2oFoLeFMG0lAQNohQf+MXdDsb0DxxnIO9NhB5BDZJ/uuTYdmmjY gZoK0L5R+iPVQzChlLsbEr9xLlhP5at8KcRKu3soEFNdEQqdJ60yfB7hzJg82utX dTMsxZWvidqvZcVZn9IQJmqANszKg060zEMXLYMTcu+D3imHSjOEyxv1XnaJZji7 metCyVf04Nyl2LU7tJsgSJXlYnkYR10m4uYv9EPtu+uzf8vsUMzS9+1BAryLYvmc NOqn/bhA3eM7scf5u7HRL6hPa8zT9zUU2GWAk55Lf0qaR3kDG0DxShEmLnLc/Wg5 Ls03q40W12YXz8Smvo2exUa97VEgSwCjY4M2wIeUHJNg50jbv26nfw== =Ld9Q -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AHZ7q08935 for ietf-openpgp-bks; Wed, 10 Apr 2002 10:35:07 -0700 (PDT) Received: from c000.snv.cp.net (h001.c000.snv.cp.net [209.228.32.65]) by above.proper.com (8.11.6/8.11.3) with SMTP id g3AHZ5m08927 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 10:35:05 -0700 (PDT) Received: (cpmta 15431 invoked from network); 10 Apr 2002 10:35:00 -0700 Received: from 217.82.85.10 (HELO dirichlet.mathematik.uni-bielefeld.de) by smtp.mutz.com (209.228.32.65) with SMTP; 10 Apr 2002 10:35:00 -0700 X-Sent: 10 Apr 2002 17:35:00 GMT Content-Type: text/plain; charset="us-ascii" From: Marc Mutz <mutz@kde.org> Organization: KDE To: ned.freed@mrochek.com, Keith Moore <moore@cs.utk.edu> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Date: Wed, 10 Apr 2002 19:33:17 +0200 User-Agent: KMail/1.4.5 Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org References: <200204091947.03266@sendmail.mutz.com> <200204101350.g3ADooZ05267@astro.cs.utk.edu> <01KGE6E1EVX800004C@mauve.mrochek.com> In-Reply-To: <01KGE6E1EVX800004C@mauve.mrochek.com> X-PGP-Key: 0xBDBFE838 MIME-Version: 1.0 Message-Id: <200204101933.19409@sendmail.mutz.com> Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3AHZ5m08929 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday 10 April 2002 18:10, ned.freed@mrochek.com wrote: <snip> > > Nor is it clear that this is a "problem". At least, there appear to be > > more "problems" associated with mechanisms that do purport to control > > what a recipient can do with a message than mechanisms that merely > > provide protection against interception of a message in transit from > > sender to recipient. > > Exactly. This entire problem space has a character similar to that of copy > protection, digital rights management and all that. There are also lessons > to be learned from the Multics work on environments that try to support > multiple levels of secrecy and integrity simultaneously. (Some of the > stories told by the folks who worked on things like text editors for mixed > level data are particularly amusing.) <snip> > You can't win. And given how much this pisses off users, making them even > less receptive to following whatever rules they're supposed to be > following, you shouldn't even try. <snip> Actually, we already knew this ;-) Both camps here agree that you can't stop the receiver from sending the formerly encrypted message wherever she wants - in the clear. Why I am sceptic about allowing forwarding formerly encrypted mails unencryptedly or after re-encryption is that - for me - forwarding shouldn't change the original message. If you want to change the message, reply to it and edit the recipients. If you forward, you actually want to annotate the original message with a few lines of notes, then send the stuff on the the recipient, much like sticking these yellow post-it strips to a folder and write "you do that!" on them before telling the secretary to carry it to the next room. Marc - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8tHdd3oWD+L2/6DgRAtKjAKC+04nF2zJwBSj2KA8Z/PJQ/OcDvQCeN2tV VjBmr0dJLgL8881VBD8zHTM= =MSCU -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3AHGWi08133 for ietf-openpgp-bks; Wed, 10 Apr 2002 10:16:32 -0700 (PDT) Received: from mail.passportnewmedia.ca (66-163-2-247.mail.passportnewmedia.ca [66.163.2.247] (may be forged)) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AHGQm08097; Wed, 10 Apr 2002 10:16:26 -0700 (PDT) Received: from passport.ca (66-163-2-225.ip.tor.radiant.net [66.163.2.225]) by mail.passportnewmedia.ca (Postfix) with ESMTP id 2EF6D14F8A2; Wed, 10 Apr 2002 13:12:00 -0400 (EDT) Message-ID: <3CB4736C.3CF0B4BE@passport.ca> Date: Wed, 10 Apr 2002 13:16:28 -0400 From: Paul Shields <shields@passport.ca> X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-openpgp@imc.org, ietf-822@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> <3CB45042.2F672361@passport.ca> <sjmlmbva6wl.fsf@kikki.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Derek wants this to be enforced or not to have it at all. Ned points out that users will be angry if you try to enforce it. All I wanted was friendly handling instructions, a convenience feature just like 'eyes-only'. It won't try to prohibit forwarding, it is simply a request that the receiver remove the signature after decrypt+verify. Yes, Derek will be able to get around it unless someone figures out how to tie the signature to the encryption. Yes, it won't be supported by some implementations. But does it make matters worse than they are now? Is it something that has value ONLY if it is enforceable? - --Paul. Derek Atkins wrote: Paul Shields <shields@passport.ca> writes: > Should we have a selectable option on sign-encrypt that specifies > that the signature must be > removed from the plaintext after verifying it? How would you enforce this? This is just like the "for-her-eyes-only" flag on literal text. It's a notation to keep the good guy honest, but wont protect you from someone who really wants to get around it. ned.freed@mrochek.com wrote: All of this stuff falls down at some point because you just can't compartmentalize people's brains. Prohibit forwarding of content and people will save stuff to files and then mail the files. Prohibit saving to files and people will cut and paste. Prohibit cut and paste and people will type what one window says into another. Prohibit people from having mutiple windows up at the same time for this purpose and they will write stuff down on paper (which introduces its own set of problems). Prohibit writing stuff down (good luck) and people will try and remember it, and then enter it incorrectly later. You can't win. And given how much this pisses off users, making them even less receptive to following whatever rules they're supposed to be following, you shouldn't even try. Ned -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.1 iQA/AwUBPLRzWG+NxmuGaxjwEQKVdwCfZ0MkAxiNo2tRjvqUxjCBm6yzc1EAniLe CrGXkZ/BefCMb+RJNnvnzJj4 =w1lH -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3AGTwb06264 for ietf-openpgp-bks; Wed, 10 Apr 2002 09:29:58 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AGTnm06250 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 09:29:57 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3AGTxg21352 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 12:29:59 -0400 (EDT) Subject: Re: forwarding an encrypted message To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Wed, 10 Apr 2002 11:29:47 -0500 Message-ID: <OFFCE1E62C.040D74BE-ON86256B97.005A4953@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/10/2002 12:29:46 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz I agree with the way this is going. Tools are made to help us, to do our bidding. Guns are made with safety switches, not (usually) locks. The microwave oven shuts off if I open the door, as does the refridgerator light, but I -could- use a piece of tape over the button to defeat that. The tools are acting to help me, but don't go to heroic lengths to be tamper-proof. I may trust someone in the sense that he keeps my interests in mind, but not trust him with technical things. So having flags that are understood by the tools, not =only= human messages to explain allowed dispositions, is a good thing. Ben Laurie <ben@algroup.co.uk>@mail.imc.org on 04-10-2002 08:41:50 AM Sent by: owner-ietf-openpgp@mail.imc.org To: Matthew Byng-Maddick <openpgp@lists.colondot.net> cc: ietf-openpgp@imc.org Subject: Re: forwarding an encrypted message Matthew Byng-Maddick wrote: > On Tue, Apr 09, 2002 at 04:26:55PM -0400, vedaal wrote: > > both of which can be 'denied' by the original sender, and can be proved by > > the forwarder, only by having someone witness the decryption. > > I've never put very much faith in the screen eyes-only thing for that > reason. What is the point? If you don't trust the person, don't send the > document to them. Once they have it it's their choice who they forward to, > and it's now out of your control. Tough. I believe the original explanation - that it was requested by someone having an affair, who didn't trust the recipient not to _accidentally_ save to disk and get them caught. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AGOSZ06168 for ietf-openpgp-bks; Wed, 10 Apr 2002 09:24:28 -0700 (PDT) Received: from mail.mediacompany.com (postfix@[195.247.9.20]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AGOOm06156; Wed, 10 Apr 2002 09:24:24 -0700 (PDT) Received: from yoda.does-not-exist.org (unknown [194.162.149.130]) by mail.mediacompany.com (Postfix) with ESMTP id 0FBBE4802; Wed, 10 Apr 2002 18:24:11 +0200 (CEST) Received: by yoda.does-not-exist.org (Postfix, from userid 1000) id 62DAF2ED15; Wed, 10 Apr 2002 18:06:51 +0200 (CEST) Date: Wed, 10 Apr 2002 18:06:51 +0200 From: Thomas Roessler <roessler@does-not-exist.org> To: Paul Shields <shields@passport.ca> Cc: ietf-openpgp@imc.org, john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org, ietf-822@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Message-ID: <20020410160651.GD30779@yoda.does-not-exist.org> Mail-Followup-To: Paul Shields <shields@passport.ca>, ietf-openpgp@imc.org, john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org, ietf-822@imc.org References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> <3CB45042.2F672361@passport.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <3CB45042.2F672361@passport.ca> User-Agent: Mutt/1.5.0i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 2002-04-10 10:46:26 -0400, Paul Shields wrote: >Should we have a selectable option on sign-encrypt that specifies >that the signature must be removed from the plaintext after >verifying it? What, precisely, prevents the recipient's implementation from ignoring that flag? In the suggestions circulated in this thread, some folks are making the same basic design error all over the place: You want to place trust in software which is under the complete control of an individual you don't trust. Don't do it. It's impossible. The features which are being suggested _may_ help against unintentional errors the recipient may make (like, storing, by accident, the wrong love letters on the wrong hard drive, which [I seem to recall] was the original reasoning behind the "for your eyes only" [or whatever it was called] function of pgp 2). They don't, however, help against malicious behavior on the recipient's side. -- Thomas Roessler <roessler@does-not-exist.org> Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AGMBv06051 for ietf-openpgp-bks; Wed, 10 Apr 2002 09:22:11 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AGMAm06047 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 09:22:10 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3AGMKg18882; Wed, 10 Apr 2002 12:22:20 -0400 (EDT) Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless To: jon@callas.org Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Wed, 10 Apr 2002 11:22:11 -0500 Message-ID: <OF1228F899.9348AA24-ON86256B97.00584EFF@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/10/2002 12:22:06 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz >> I'm not quite that extreme, but I don't sign anything that I wouldn't sign if it were on paper, not on bits. I'm a bit more mellow. When talking to someone on the phone, you can authenticate who you are talking to, from the voice. In hand-written letters, you can see the handwriting. Electronic text has =no= personalization to it, so the signature takes the place. >> OpenPGP specifies that the signature goes inside the envelope. The reason I understand the reasons why encrypt-then-sign is better. But I think it could be even better yet. Mathematically combining the two operations into one, or, to reuse existing primitives, jump through hoops. For example, take a nonce and logically append both half its plaintext and ciphertext to the original plaintext that will be signed. Now, you can't verify the signature without also being able to verify that the included nonce decrypts, as well. Hmm, a simpler way would be to use a keyed hash to make the digest, with the key encrypted "to" the recipient. Yea, I like that. Let me further refine... A subpacket contains the HMAC key and a block of random numbers the same size as the hash (e.g. 160 bits), encrypted to the recipient. The recipient decrypts the key, repeats the hash, and then XOR's in the random number. The result is sent to the basic signature algorithm. Now, if he chooses to reveal the contents of this inner packet without providing the means to decrypt it himself, then it's trivial to forge because you can adjust the random number to make the hash match that of a tampered message. Result, you can't verify the signature without being able to decode the inner envelope. The inner envelope is signed by itself, and would contain a plain hash of the main message, to tie it together. Jon Callas <jon@callas.org> on 04-09-2002 04:27:04 PM To: john.dlugosz@kodak.com, mutz@kde.org cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless At 3:33 PM -0500 4/9/02, john.dlugosz@kodak.com wrote: >But I think PGP uses "sign, then encrypt" which means software could >decrypt but leave the signature intact. As I recall, this was thought to >be a non-problem with respect to re-targeting, because you can put the >recipient's name in the message at the application level. e.g. "Dear Sue," >is part of the message, so it can't be mistaken as a message to Joan. But >that doesn't handle the issue of private information in the message. It's >possible for Sue to reveal the signed message to someone else, who can >verify the signature, without needing Sue's key. I would prefer if that >were impossible--without Sue's key, the message can't be authenticated >either. OpenPGP specifies that the signature goes inside the envelope. The reason for this is that if the signature is outside the envelope, then the attacker knows both the source and destination of the message. In short, it provides cryptographically enhanced traffic analysis. Yes, you're right, someone can decrypt a signed message and then send on the signed, decrypted message. They can also take a screenshot of the screen and send the image on to someone else. I know many people who do not sign messages for this very reason. We added a non-signature integrity check to OpenPGP messages so you'd have some way of knowing you got the message intact without requiring the sender to sign it. There are security risks to signing messages. A good friend of mine is of the opinion that you should never sign anything that you aren't willing to forward on to City Hall for inclusion in the public record. He never signed anyone ele's key for this reason, let alone a message. I'll add that this guy was an VP at an investment bank, not a cypherpunk with outlaw fantasies. I'm not quite that extreme, but I don't sign anything that I wouldn't sign if it were on paper, not on bits. Mathematics cannot solve real-world security problems. If you're confessing secrets to someone who gossips, you have security problems. If you send signed, encrypted messages to someone who will decrypt them and send them (or send a screenshot of your messagae) on, then you have the same security problem. A trusted channel to an untrustworthy person is not secure. And to paraphrase Laotse, you cannot create trust with cryptography, no matter how much cryptography you use. Jon Received: by above.proper.com (8.11.6/8.11.3) id g3AGLgM06018 for ietf-openpgp-bks; Wed, 10 Apr 2002 09:21:42 -0700 (PDT) Received: from mauve.mrochek.com (mauve.mrochek.com [209.55.107.55]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AGLem06009 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 09:21:40 -0700 (PDT) Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01KGE5VBMU7400004C@mauve.mrochek.com> for ietf-openpgp@imc.org; Wed, 10 Apr 2002 09:21:38 -0700 (PDT) Date: Wed, 10 Apr 2002 09:10:21 -0700 (PDT) From: ned.freed@mrochek.com Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless In-reply-to: "Your message dated Wed, 10 Apr 2002 09:50:50 -0400" <200204101350.g3ADooZ05267@astro.cs.utk.edu> To: Keith Moore <moore@cs.utk.edu> Cc: Marc Mutz <mutz@kde.org>, kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Message-id: <01KGE6E1EVX800004C@mauve.mrochek.com> MIME-version: 1.0 Content-type: TEXT/PLAIN; CHARSET=us-ascii Content-transfer-encoding: 7BIT References: <200204091947.03266@sendmail.mutz.com> <200204101350.g3ADooZ05267@astro.cs.utk.edu> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > > What if, in a mail user agent, the user wants to forward an encrypted message? > > Allow it? Deny it? > > Re-encrypt or remove encryption? > > The problem is, of course, that the original sender might not like his > > encrypted text being sent out in the clear again... > I don't think this is something we can control. If you encrypt something with > a recipient's public key, you're implicitly giving the recipient the ability > to decrypt that message and redistribute it to his heart's content. You can > issue instructions to the recipient about redistribution of the messgae, but > you can't control whether the recipient follows those instructions. > Nor is it clear that this is a "problem". At least, there appear to be > more "problems" associated with mechanisms that do purport to control what > a recipient can do with a message than mechanisms that merely provide > protection against interception of a message in transit from sender to > recipient. Exactly. This entire problem space has a character similar to that of copy protection, digital rights management and all that. There are also lessons to be learned from the Multics work on environments that try to support multiple levels of secrecy and integrity simultaneously. (Some of the stories told by the folks who worked on things like text editors for mixed level data are particularly amusing.) All of this stuff falls down at some point because you just can't compartmentalize people's brains. Prohibit forwarding of content and people will save stuff to files and then mail the files. Prohibit saving to files and people will cut and paste. Prohibit cut and paste and people will type what one window says into another. Prohibit people from having mutiple windows up at the same time for this purpose and they will write stuff down on paper (which introduces its own set of problems). Prohibit writing stuff down (good luck) and people will try and remember it, and then enter it incorrectly later. You can't win. And given how much this pisses off users, making them even less receptive to following whatever rules they're supposed to be following, you shouldn't even try. Ned Received: by above.proper.com (8.11.6/8.11.3) id g3AG1sL04524 for ietf-openpgp-bks; Wed, 10 Apr 2002 09:01:54 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AG1nm04506 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 09:01:49 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g3AG1vg12971; Wed, 10 Apr 2002 12:01:57 -0400 (EDT) Subject: re: forwarding an encrypted message To: vedaal@hotmail.com Cc: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Wed, 10 Apr 2002 11:01:47 -0500 Message-ID: <OF9AF44638.DCA9E26D-ON86256B97.0057C86C@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/10/2002 12:01:43 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What is the "throw-keyid" switch? Not all implementations are compelled to support the "your eyes only" flag. Someone could run a Perl script on the saved message, for example, even if he normally uses a GUI that works in the same manner as NAI's. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBPLRh0uOdgXmV1Gj8EQL2jgCgn5qhcvyftlU9NhaKkAk1vHMcWTwAoJeb maLqCw1+ht6+o3XNODdHi/xf =PIqI -----END PGP SIGNATURE----- "vedaal" <vedaal@hotmail.com>@mail.imc.org on 04-09-2002 03:26:55 PM Sent by: owner-ietf-openpgp@mail.imc.org To: <ietf-openpgp@imc.org> cc: Subject: re: forwarding an encrypted message -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 - ----- Original Message ----- From: "Simon Josefsson" <simon+ietf-openpgp@josefsson.org> To: "Marc Mutz" <mutz@kde.org> Cc: <kmail@kde.org>; <ietf-822@imc.org>; <ietf-openpgp@imc.org> Sent: Tuesday, April 09, 2002 3:32 PM Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless > > Marc Mutz <mutz@kde.org> writes: > > > What if, in a mail user agent, the user wants to forward an encrypted > > message? Allow it? Deny it? > > Re-encrypt or remove encryption? > > > > The problem is, of course, that the original sender might not like his > > encrypted text being sent out in the clear again... > > Then the original sender should not send the text to someone who will > do that. > > I don't see how the standard could prevent the user from doing > this. If it is prevented, then it is only the applications' doing, so > it wouldn't be difficult to override it. ... a way to do it, would be to send the original encrypted message using the throw- keyid switch, any re-sending of the message would not be able to identify the original sender, moreover, the message could also be sent using the option of 'screen viewing only' so that the plaintext could not be saved, except tediously by saving a screen shot, or re-typing the message, both of which can be 'denied' by the original sender, and can be proved by the forwarder, only by having someone witness the decryption. hth, vedaal -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt build 7 http://www.ipgpp.com/ Comment: { Acts of Kindness better the World, and protect the Soul } Comment: KeyID: 0x6A05A0B785306D25 Comment: Fingerprint: 96A6 5F71 1C43 8423 D9AE 02FD A711 97BA iQEVAwUBPLNNBGoFoLeFMG0lAQNFHgf+OmEDLzkChGzImWKeTK7Ma7sojVqGxUtJ pGCtwK/SEjhxeiX0p+6ejFalP0FTN0xUNMhJ+P+oOW20BEUiSJEGiYOPDnrhThyq nmg+jC2vgjEzGjdOo/CQ56XUh6ATQ1RRi2U5eahwftpzLQSPgSVrut9H4bmYT5OL 7Hk2MNQj5K1+9IwgjSrajs1DWv0Pbfx7ytrAAB2tnvx+KW6Qb5xQN8qMotbEI744 7q91c8VjMgu4w/L3TlkFigx1d4TJO/ZkFYclTgD43PbiYL3OcYE380MlYXxaD/rm 2JHdyD3jewyhkx+BAxiwaj/po7S45MVeoX5Ke8v7jF//eEBh8qCARQ== =AT2F -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3AFq4502848 for ietf-openpgp-bks; Wed, 10 Apr 2002 08:52:04 -0700 (PDT) Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AFpfm02773; Wed, 10 Apr 2002 08:51:41 -0700 (PDT) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA10568; Wed, 10 Apr 2002 11:51:42 -0400 (EDT) Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA19519; Wed, 10 Apr 2002 11:51:41 -0400 (EDT) Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id LAA08813; Wed, 10 Apr 2002 11:51:38 -0400 (EDT) Received: (from warlord@localhost) by kikki.mit.edu (8.9.3) id LAA06184; Wed, 10 Apr 2002 11:51:38 -0400 (EDT) To: Paul Shields <shields@passport.ca> Cc: ietf-openpgp@imc.org, john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org, ietf-822@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> <3CB45042.2F672361@passport.ca> From: Derek Atkins <warlord@mit.edu> Date: 10 Apr 2002 11:51:38 -0400 In-Reply-To: <3CB45042.2F672361@passport.ca> Message-ID: <sjmlmbva6wl.fsf@kikki.mit.edu> Lines: 25 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Paul Shields <shields@passport.ca> writes: > Should we have a selectable option on sign-encrypt that specifies > that the signature must be > removed from the plaintext after verifying it? How would you enforce this? This is just like the "for-her-eyes-only" flag on literal text. It's a notation to keep the good guy honest, but wont protect you from someone who really wants to get around it. For example, many a time I've used 'pgp -fm input.asc >& output.txt' to get around the for-her-eyes-only "bug". The only way to really enforce this is to mathematically tie the signature to the encryption. This would require a whole new line of mathematics (assuming you want to continue to hide the sender's identity to non-recipients). -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3AEkVX27782 for ietf-openpgp-bks; Wed, 10 Apr 2002 07:46:31 -0700 (PDT) Received: from mail.passportnewmedia.ca (66-163-2-247.mail.passportnewmedia.ca [66.163.2.247] (may be forged)) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3AEkQm27770; Wed, 10 Apr 2002 07:46:26 -0700 (PDT) Received: from passport.ca (66-163-2-225.ip.tor.radiant.net [66.163.2.225]) by mail.passportnewmedia.ca (Postfix) with ESMTP id DAB9A14F8A2; Wed, 10 Apr 2002 10:41:58 -0400 (EDT) Message-ID: <3CB45042.2F672361@passport.ca> Date: Wed, 10 Apr 2002 10:46:26 -0400 From: Paul Shields <shields@passport.ca> X-Mailer: Mozilla 4.7 [en] (WinNT; I) X-Accept-Language: en MIME-Version: 1.0 To: ietf-openpgp@imc.org Cc: john.dlugosz@kodak.com, mutz@kde.org, kmail@kde.org, ietf-822@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Without handling instructions that cause the signature to be removed, someone forwarding the message could cause trouble for the original sender. I raised this as an issue a few years back on the PGP MIME list, but the folks there were unconvinced. It seems they wanted to be able to keep the signature after decryption. Should we have a selectable option on sign-encrypt that specifies that the signature must be removed from the plaintext after verifying it? - -- Paul Shields john.dlugosz@kodak.com wrote: From: John Dlugosz IMO, If forwarding the decrypted plaintext also removed the signature, there would be less trouble. The content could be reputiated, since it can't be distinguised from the forwarder just making it up. But I think PGP uses "sign, then encrypt" which means software could decrypt but leave the signature intact. As I recall, this was thought to be a non-problem with respect to re-targeting, because you can put the recipient's name in the message at the application level. e.g. "Dear Sue," is part of the message, so it can't be mistaken as a message to Joan. But that doesn't handle the issue of private information in the message. It's possible for Sue to reveal the signed message to someone else, who can verify the signature, without needing Sue's key. I would prefer if that were impossible--without Sue's key, the message can't be authenticated either. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.1 iQA/AwUBPLRQP2+NxmuGaxjwEQIumwCgzWVFUM0ZXZwcR9ghx1Y2co1sFEoAn1Xb hK3bxFqmPwBbDQnny+QjBZHi =SG0f -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g3ADou525157 for ietf-openpgp-bks; Wed, 10 Apr 2002 06:50:56 -0700 (PDT) Received: from astro.cs.utk.edu (astro.cs.utk.edu [160.36.58.43]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3ADosm25153; Wed, 10 Apr 2002 06:50:54 -0700 (PDT) Received: from astro.cs.utk.edu (localhost [127.0.0.1]) by astro.cs.utk.edu (cf 8.9.3) with ESMTP id g3ADooZ05267; Wed, 10 Apr 2002 09:50:51 -0400 (EDT) Message-Id: <200204101350.g3ADooZ05267@astro.cs.utk.edu> X-URI: http://www.cs.utk.edu/~moore/ From: Keith Moore <moore@cs.utk.edu> To: Marc Mutz <mutz@kde.org> cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless In-reply-to: (Your message of "Tue, 09 Apr 2002 19:47:01 +0200.") <200204091947.03266@sendmail.mutz.com> Date: Wed, 10 Apr 2002 09:50:50 -0400 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > What if, in a mail user agent, the user wants to forward an encrypted message? > Allow it? Deny it? > Re-encrypt or remove encryption? > The problem is, of course, that the original sender might not like his > encrypted text being sent out in the clear again... I don't think this is something we can control. If you encrypt something with a recipient's public key, you're implicitly giving the recipient the ability to decrypt that message and redistribute it to his heart's content. You can issue instructions to the recipient about redistribution of the messgae, but you can't control whether the recipient follows those instructions. Nor is it clear that this is a "problem". At least, there appear to be more "problems" associated with mechanisms that do purport to control what a recipient can do with a message than mechanisms that merely provide protection against interception of a message in transit from sender to recipient. Keith Received: by above.proper.com (8.11.6/8.11.3) id g3ADfwJ24881 for ietf-openpgp-bks; Wed, 10 Apr 2002 06:41:58 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3ADfvm24877 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 06:41:57 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id 29DCD2E9CB; Wed, 10 Apr 2002 13:41:48 +0000 (GMT) Message-ID: <3CB4411E.2C81D8CC@algroup.co.uk> Date: Wed, 10 Apr 2002 14:41:50 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Matthew Byng-Maddick <openpgp@lists.colondot.net> Cc: ietf-openpgp@imc.org Subject: Re: forwarding an encrypted message References: <OE57ZElV5tTPEiRZiUi0000d300@hotmail.com> <20020410090616.C32794@colon.colondot.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Matthew Byng-Maddick wrote: > On Tue, Apr 09, 2002 at 04:26:55PM -0400, vedaal wrote: > > both of which can be 'denied' by the original sender, and can be proved by > > the forwarder, only by having someone witness the decryption. > > I've never put very much faith in the screen eyes-only thing for that > reason. What is the point? If you don't trust the person, don't send the > document to them. Once they have it it's their choice who they forward to, > and it's now out of your control. Tough. I believe the original explanation - that it was requested by someone having an affair, who didn't trust the recipient not to _accidentally_ save to disk and get them caught. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: by above.proper.com (8.11.6/8.11.3) id g3A9IUX07757 for ietf-openpgp-bks; Wed, 10 Apr 2002 02:18:30 -0700 (PDT) Received: from jay.songbird.com (208.184.79.253.songbird.com [208.184.79.253] (may be forged)) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3A9ITm07749; Wed, 10 Apr 2002 02:18:29 -0700 (PDT) Received: from GK-VAIO.ninebynine.org (dyn94-32.sftm-212-159.plus.net [212.159.32.94]) (authenticated) by jay.songbird.com (8.11.6/8.11.3) with ESMTP id g3AGxi411487; Wed, 10 Apr 2002 09:59:44 -0700 Message-Id: <5.1.0.14.2.20020410101731.0380d8f0@joy.songbird.com> X-Sender: gk-lists@joy.songbird.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 10 Apr 2002 10:19:19 +0100 To: Jon Callas <jon@callas.org> From: Graham Klyne <GK-lists@ninebynine.org> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Cc: ietf-822@imc.org, ietf-openpgp@imc.org In-Reply-To: <p05101507b8d906c4b9c4@[192.168.1.97]> References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 02:27 PM 4/9/02 -0700, Jon Callas wrote: >A trusted channel to an untrustworthy person is not secure. And to >paraphrase Laotse, you cannot create trust with cryptography, no matter how >much cryptography you use. Excellent!! This is the first time I've been aware of a cryptosystems person make this point. #g ------------------- Graham Klyne <GK@NineByNine.org> Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3A8Xbc01729 for ietf-openpgp-bks; Wed, 10 Apr 2002 01:33:37 -0700 (PDT) Received: from moutvdom00.kundenserver.de (moutvdom00.kundenserver.de [195.20.224.149]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3A8Xam01720 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 01:33:36 -0700 (PDT) Received: from [195.20.224.204] (helo=mrvdom00.kundenserver.de) by moutvdom00.kundenserver.de with esmtp (Exim 2.12 #2) id 16vDXo-0008Pr-00 for ietf-openpgp@imc.org; Wed, 10 Apr 2002 10:33:32 +0200 Received: from [217.81.186.207] (helo=there) by mrvdom00.kundenserver.de with smtp (Exim 2.12 #2) id 16vDXo-0007NL-00 for ietf-openpgp@imc.org; Wed, 10 Apr 2002 10:33:32 +0200 Content-Type: text/plain; charset="iso-8859-15" From: Magnus von Koeller <magnus@vonkoeller.de> Message-Id: <200204092228.59661@vonkoeller.de> To: ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Date: Wed, 10 Apr 2002 10:33:30 +0200 X-Mailer: KMail [version 1.3.2] References: <20020407212139.21019.qmail@mail.kde.org> <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> <200204091947.03266@sendmail.mutz.com> In-Reply-To: <200204091947.03266@sendmail.mutz.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id g3A8Xam01723 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 09 April 2002 19:47, Marc Mutz wrote: > Allow it? Deny it? > Re-encrypt or remove encryption? > > The problem is, of course, that the original sender might not like > his encrypted text being sent out in the clear again... I'll just state my opinion on this matter because I want to give Volker some support ... I say: Allow forwarding. Remove encryption if you do inline forwarding (forward as attachment shouldn't alter the source at all). If possible, re-encrypt (i.e. the 'encrypt message' button should be activated by default but you should be able to turn it off). You should probably display a warning with a 'Dont show me again' checkbox, too. Reasoning: If KMail doesn't let you do this, then you can still just copy&paste. So all you do is annoy the user. If the sender of an encrypted email _really_ doesn't want you to forward that message to others or doesn't want it forwarded in unencrypted form then he has to tell you explicitely in his message. He'll have to do this anyway because he can't assume that all mailers handle this the way KMail does and because the user could still do copy&paste. It would be a good idea to make the user aware of the implications, though, so that's why I'm in favor of the warning message. - -- - -M - --- Magnus von Koeller --- email: magnus@vonkoeller.de address: Georg-Westermann-Allee 76 D-38104 Braunschweig / Germany phone: +49-531-2094886 mobile: +49-179-4562940 web: http://www.vonkoeller.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8s/jdUIvM6e6BgFARApOnAJ9+lKHHNfj9TMp3l+bgjz+OMwrsFgCcCeoI Q7x/bi+trAm9ohTXAjHqxtg= =HB/N -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g3A86I027352 for ietf-openpgp-bks; Wed, 10 Apr 2002 01:06:18 -0700 (PDT) Received: from colon.colondot.net (exim@colon.colondot.net [212.135.138.209]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3A86Hm27339 for <ietf-openpgp@imc.org>; Wed, 10 Apr 2002 01:06:17 -0700 (PDT) Received: from mbm by colon.colondot.net with local (Exim 3.33 #1) id 16vD7Q-000CYD-00 for ietf-openpgp@imc.org; Wed, 10 Apr 2002 09:06:16 +0100 Date: Wed, 10 Apr 2002 09:06:16 +0100 From: Matthew Byng-Maddick <openpgp@lists.colondot.net> To: ietf-openpgp@imc.org Subject: Re: forwarding an encrypted message Message-ID: <20020410090616.C32794@colon.colondot.net> References: <OE57ZElV5tTPEiRZiUi0000d300@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <OE57ZElV5tTPEiRZiUi0000d300@hotmail.com>; from vedaal@hotmail.com on Tue, Apr 09, 2002 at 04:26:55PM -0400 Organization: Colondot.net Mail-Copies-To: never Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Apr 09, 2002 at 04:26:55PM -0400, vedaal wrote: > moreover, the message could also be sent using the option of 'screen > viewing only' so that the plaintext could not be saved, > except tediously by saving a screen shot, or re-typing the message, or, less tediously, altering the source code to make that a noop. > both of which can be 'denied' by the original sender, and can be proved by > the forwarder, only by having someone witness the decryption. I've never put very much faith in the screen eyes-only thing for that reason. What is the point? If you don't trust the person, don't send the document to them. Once they have it it's their choice who they forward to, and it's now out of your control. Tough. MBM -- Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/ Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g39LU2b13861 for ietf-openpgp-bks; Tue, 9 Apr 2002 14:30:02 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39LTsm13831; Tue, 9 Apr 2002 14:29:54 -0700 (PDT) Received: from [192.168.1.97] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.1.1); Tue, 9 Apr 2002 14:29:23 -0700 Mime-Version: 1.0 Message-Id: <p05101507b8d906c4b9c4@[192.168.1.97]> In-Reply-To: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> References: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> Date: Tue, 9 Apr 2002 14:27:04 -0700 To: john.dlugosz@kodak.com, mutz@kde.org From: Jon Callas <jon@callas.org> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 3:33 PM -0500 4/9/02, john.dlugosz@kodak.com wrote: >But I think PGP uses "sign, then encrypt" which means software could >decrypt but leave the signature intact. As I recall, this was thought to >be a non-problem with respect to re-targeting, because you can put the >recipient's name in the message at the application level. e.g. "Dear Sue," >is part of the message, so it can't be mistaken as a message to Joan. But >that doesn't handle the issue of private information in the message. It's >possible for Sue to reveal the signed message to someone else, who can >verify the signature, without needing Sue's key. I would prefer if that >were impossible--without Sue's key, the message can't be authenticated >either. OpenPGP specifies that the signature goes inside the envelope. The reason for this is that if the signature is outside the envelope, then the attacker knows both the source and destination of the message. In short, it provides cryptographically enhanced traffic analysis. Yes, you're right, someone can decrypt a signed message and then send on the signed, decrypted message. They can also take a screenshot of the screen and send the image on to someone else. I know many people who do not sign messages for this very reason. We added a non-signature integrity check to OpenPGP messages so you'd have some way of knowing you got the message intact without requiring the sender to sign it. There are security risks to signing messages. A good friend of mine is of the opinion that you should never sign anything that you aren't willing to forward on to City Hall for inclusion in the public record. He never signed anyone ele's key for this reason, let alone a message. I'll add that this guy was an VP at an investment bank, not a cypherpunk with outlaw fantasies. I'm not quite that extreme, but I don't sign anything that I wouldn't sign if it were on paper, not on bits. Mathematics cannot solve real-world security problems. If you're confessing secrets to someone who gossips, you have security problems. If you send signed, encrypted messages to someone who will decrypt them and send them (or send a screenshot of your messagae) on, then you have the same security problem. A trusted channel to an untrustworthy person is not secure. And to paraphrase Laotse, you cannot create trust with cryptography, no matter how much cryptography you use. Jon Received: by above.proper.com (8.11.6/8.11.3) id g39L8CN12938 for ietf-openpgp-bks; Tue, 9 Apr 2002 14:08:12 -0700 (PDT) Received: from dfw.nationwide.net (dfw.nationwide.net [198.175.15.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39L8Bm12933; Tue, 9 Apr 2002 14:08:11 -0700 (PDT) Received: from ppp-65-90-216-224.mclass.broadwing.net (ppp-65-90-216-224.mclass.broadwing.net [65.90.216.224]) by dfw.nationwide.net (8.9.3/8.9.3) with ESMTP id QAA03809; Tue, 9 Apr 2002 16:14:57 -0500 (CDT) Date: Tue, 9 Apr 2002 16:08:03 -0500 From: "Clinton E. Troutman" <clinton.e.troutman@cetro.fort-worth.tx.us> X-Mailer: The Bat! (v1.53bis) Personal Reply-To: "Clinton E. Troutman" <clinton.e.troutman@cetro.fort-worth.tx.us> Organization: CeTro X-Priority: 3 (Normal) Message-ID: <1722357713.20020409160803@cetro.fort-worth.tx.us> To: Simon Josefsson <simon+ietf-openpgp@josefsson.org> CC: ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re[2]: Bug#40394: forwarding an encrypted PGP message is useless In-Reply-To: <iluzo0cwtvz.fsf@josefsson.org> References: <20020407212139.21019.qmail@mail.kde.org> <200204091343.35655@osp-dd.de> <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> <200204091947.03266@sendmail.mutz.com> <iluzo0cwtvz.fsf@josefsson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --- Reply created Tuesday, 09 April 2002, 15:59:49 --- - ------- Original Message -------- On Tuesday, 09 April 2002, 14:32, you wrote: SJ> Then the original sender should not send the text to someone who will SJ> do that. SJ> I don't see how the standard could prevent the user from doing SJ> this. If it is prevented, then it is only the applications' doing, so SJ> it wouldn't be difficult to override it. This isn't a technical SJ> problem. Whenever you introduce encryption between two parties you SJ> have this issue. SJ> Whether to re-encrypt or remove encryption is up to the user SJ> forwarding the message. What the defaults should be probably depend SJ> too much on the application to give any generic recomendation on. SJ> Just my two cents. - ------- End Original Message -------- Absolutely agreed. Not a technical problem. It is a problem of data released "to the wild" and what another party may "do" with that data once released. The allowable disposition of the data beyond the party of first release should be specifically stated to prevent "missteps" by that party. And, if you are concerned that the data *not* be released beyond that first party, perhaps you should consider either: - - another method of release, or - - your relationship with the party to whom you are releasing the data, or - - don't release that data in the first place. (Interesting how this seems to parallel the current debates on copyright...) - ----- Clinton E. Troutman mailto:clinton.e.troutman@cetro.fort-worth.tx.us - ----- "You can tell the Mafia is running the cockfight if the duck wins." - Anon. ÀFÿ\$% -----BEGIN PGP SIGNATURE----- Version: PGP 6.5i iQA/AwUBPLNYPZlJBEe9GL9yEQJipQCgklKCtoYtpgpwKM7VZ1ynWP5IiecAoKY8 qPR93LgEEMtSRsma9VgWBwbr =+Snr -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g39KdnO11892 for ietf-openpgp-bks; Tue, 9 Apr 2002 13:39:49 -0700 (PDT) Received: from hotmail.com (oe57.law3.hotmail.com [209.185.240.57]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39Kdmm11887 for <ietf-openpgp@imc.org>; Tue, 9 Apr 2002 13:39:48 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 Apr 2002 13:28:35 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> Subject: re: forwarding an encrypted message Date: Tue, 9 Apr 2002 16:26:55 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Message-ID: <OE57ZElV5tTPEiRZiUi0000d300@hotmail.com> X-OriginalArrivalTime: 09 Apr 2002 20:28:35.0398 (UTC) FILETIME=[1FAD1660:01C1E005] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 - ----- Original Message ----- From: "Simon Josefsson" <simon+ietf-openpgp@josefsson.org> To: "Marc Mutz" <mutz@kde.org> Cc: <kmail@kde.org>; <ietf-822@imc.org>; <ietf-openpgp@imc.org> Sent: Tuesday, April 09, 2002 3:32 PM Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless > > Marc Mutz <mutz@kde.org> writes: > > > What if, in a mail user agent, the user wants to forward an encrypted > > message? Allow it? Deny it? > > Re-encrypt or remove encryption? > > > > The problem is, of course, that the original sender might not like his > > encrypted text being sent out in the clear again... > > Then the original sender should not send the text to someone who will > do that. > > I don't see how the standard could prevent the user from doing > this. If it is prevented, then it is only the applications' doing, so > it wouldn't be difficult to override it. ... a way to do it, would be to send the original encrypted message using the throw- keyid switch, any re-sending of the message would not be able to identify the original sender, moreover, the message could also be sent using the option of 'screen viewing only' so that the plaintext could not be saved, except tediously by saving a screen shot, or re-typing the message, both of which can be 'denied' by the original sender, and can be proved by the forwarder, only by having someone witness the decryption. hth, vedaal -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt build 7 http://www.ipgpp.com/ Comment: { Acts of Kindness better the World, and protect the Soul } Comment: KeyID: 0x6A05A0B785306D25 Comment: Fingerprint: 96A6 5F71 1C43 8423 D9AE 02FD A711 97BA iQEVAwUBPLNNBGoFoLeFMG0lAQNFHgf+OmEDLzkChGzImWKeTK7Ma7sojVqGxUtJ pGCtwK/SEjhxeiX0p+6ejFalP0FTN0xUNMhJ+P+oOW20BEUiSJEGiYOPDnrhThyq nmg+jC2vgjEzGjdOo/CQ56XUh6ATQ1RRi2U5eahwftpzLQSPgSVrut9H4bmYT5OL 7Hk2MNQj5K1+9IwgjSrajs1DWv0Pbfx7ytrAAB2tnvx+KW6Qb5xQN8qMotbEI744 7q91c8VjMgu4w/L3TlkFigx1d4TJO/ZkFYclTgD43PbiYL3OcYE380MlYXxaD/rm 2JHdyD3jewyhkx+BAxiwaj/po7S45MVeoX5Ke8v7jF//eEBh8qCARQ== =AT2F -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g39KXVB11147 for ietf-openpgp-bks; Tue, 9 Apr 2002 13:33:31 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39KXUm11140; Tue, 9 Apr 2002 13:33:30 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g39KXh910576; Tue, 9 Apr 2002 16:33:43 -0400 (EDT) Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless To: mutz@kde.org Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Tue, 9 Apr 2002 15:33:34 -0500 Message-ID: <OF3A202199.7C2245A5-ON86256B96.006FD4FD@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/09/2002 04:33:29 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz IMO, If forwarding the decrypted plaintext also removed the signature, there would be less trouble. The content could be reputiated, since it can't be distinguised from the forwarder just making it up. But I think PGP uses "sign, then encrypt" which means software could decrypt but leave the signature intact. As I recall, this was thought to be a non-problem with respect to re-targeting, because you can put the recipient's name in the message at the application level. e.g. "Dear Sue," is part of the message, so it can't be mistaken as a message to Joan. But that doesn't handle the issue of private information in the message. It's possible for Sue to reveal the signed message to someone else, who can verify the signature, without needing Sue's key. I would prefer if that were impossible--without Sue's key, the message can't be authenticated either. Marc Mutz <mutz@kde.org>@mail.imc.org on 04-09-2002 12:47:01 PM Sent by: owner-ietf-openpgp@mail.imc.org To: kmail@kde.org cc: ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ OK, I put this where it belongs: this touches OpenPGP and Internet messages, so I'm forwarding this to the ietf lists ] We have a problem and we think we are not alone with it (see the mozilla link below): What if, in a mail user agent, the user wants to forward an encrypted message? Allow it? Deny it? Re-encrypt or remove encryption? The problem is, of course, that the original sender might not like his encrypted text being sent out in the clear again... Was this discussed here already? What was the consensus reached, if any? Marc On Tuesday 09 April 2002 13:01, Volker Augustin wrote: > > Peronally, I think the best way is to ask the user > > what to do when forwarding (inlined) an encrypted message. We cannot > > prevent that he/she will forward the plaintext using a workaround. So we > > better delegate the resposibility for this action to the user itself. > > > > There is still the question, what should be the default way. Another way > > would to set the default to the last recently used way. Hm, I'm sure > > you'll find a good solution. > > That might be a good solution. When trying for forward bring up a dialog > asking whether to allow forwarding just this time or also for the future. > > I just did an intensive search via google. Here are some of my findings: > > 1. Some mail programs have an option to prevent forwarding of encrypted > messages. I could not find a single one explicitely preventing it. > Some commercial application however give the system administrator the > possibility to enforce this option system-wide. > > 2. RFC 1421 about PEM states (http://www.freesoft.org/CIE/RFC/1421/55.htm ) > > "Some level of support for generating and processing nested and > annotated PEM messages (for forwarding purposes) is to be provided, and an > implementation should be able to reduce ENCRYPTED messages to MIC-ONLY or > MIC-CLEAR for forwarding." > > 3. There is an IETF draft about "Intended Recipients Attribute for the > Cryptographic Message Syntax (CMS)" > (http://www.ietf.org/internet-drafts/draft-ietf-smime-ira-00.txt) saying > > "The problem of intent that as expressed in [MALFWD] is beyond the > control of S/MIME protocol or its implementers. The use of the digital > signatures and encryption is correctly in the hands of the user. > However, the intended recipients attribute offers a mechanism to reduce the > likelihood of undetected malicious forwarding." > > 4. The mozilla team has the same problem: > http://www.mozilla.org/mailnews/compose_send_plugin_arch_notes.html > > "open issues: > 1) forwarding an encrypted message? > 2) standards for content type S/MIME. PGP. GPG. OpenPGP. > 3) Eudora and Outlook, etc. what do we need to do to support reading > encrypted message from other clients? " > > Regards, > Volker > _______________________________________________ > KMail Developers mailing list > kmail@mail.kde.org > http://mail.kde.org/mailman/listinfo/kmail - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8sykV3oWD+L2/6DgRAqdGAJwNcRmGWoJScgyldtF8oRuZdkhJgwCgqSHS EVIhVDaYSbaBNwblKUbAu9Q= =Krt0 -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g39JX4c07882 for ietf-openpgp-bks; Tue, 9 Apr 2002 12:33:04 -0700 (PDT) Received: from yxa.extundo.com (178.230.13.217.in-addr.dgcsystems.net [217.13.230.178]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39JWvm07866; Tue, 9 Apr 2002 12:32:58 -0700 (PDT) Received: from localhost.localdomain (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.12.2/8.12.2) with ESMTP id g39JWoKY017344; Tue, 9 Apr 2002 21:32:52 +0200 To: Marc Mutz <mutz@kde.org> Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless References: <20020407212139.21019.qmail@mail.kde.org> <200204091343.35655@osp-dd.de> <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> <200204091947.03266@sendmail.mutz.com> In-Reply-To: <200204091947.03266@sendmail.mutz.com> (Marc Mutz's message of "Tue, 09 Apr 2002 19:47:01 +0200") From: Simon Josefsson <simon+ietf-openpgp@josefsson.org> Date: Tue, 09 Apr 2002 21:32:00 +0200 Message-ID: <iluzo0cwtvz.fsf@josefsson.org> Lines: 23 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.2 (i686-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Marc Mutz <mutz@kde.org> writes: > What if, in a mail user agent, the user wants to forward an encrypted message? > Allow it? Deny it? > Re-encrypt or remove encryption? > > The problem is, of course, that the original sender might not like his > encrypted text being sent out in the clear again... Then the original sender should not send the text to someone who will do that. I don't see how the standard could prevent the user from doing this. If it is prevented, then it is only the applications' doing, so it wouldn't be difficult to override it. This isn't a technical problem. Whenever you introduce encryption between two parties you have this issue. Whether to re-encrypt or remove encryption is up to the user forwarding the message. What the defaults should be probably depend too much on the application to give any generic recomendation on. Just my two cents. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g39J8gX05646 for ietf-openpgp-bks; Tue, 9 Apr 2002 12:08:42 -0700 (PDT) Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39J8em05642; Tue, 9 Apr 2002 12:08:40 -0700 (PDT) Received: from pc5211wxptfm (cp92837-a.dbsch1.nb.nl.home.com [217.120.34.92]) by smtpzilla5.xs4all.nl (8.12.0/8.12.0) with SMTP id g39J8UnT027337; Tue, 9 Apr 2002 21:08:35 +0200 (CEST) From: "Leon Kuunders" <leon@netsecure.nl> To: "Marc Mutz" <mutz@kde.org>, <kmail@kde.org> Cc: <ietf-822@imc.org>, <ietf-openpgp@imc.org> Subject: RE: Bug#40394: forwarding an encrypted PGP message is useless Date: Tue, 9 Apr 2002 21:08:28 +0200 Message-ID: <EKEGIBNJHMGGCLBEEHHIEELFDLAA.leon@netsecure.nl> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <200204091947.03266@sendmail.mutz.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I don't know if this was discussed, but for me this is not a question of encryption, but of trust. If you don't like someone else to forward your messages, send them on paper. With a company logo, a watermark and a unique number. It is the risc of living :) -Leon. > -----Original Message----- > From: owner-ietf-openpgp@mail.imc.org > [mailto:owner-ietf-openpgp@mail.imc.org]On Behalf Of Marc Mutz > Sent: 09 April 2002 19:47 > To: kmail@kde.org > Cc: ietf-822@imc.org; ietf-openpgp@imc.org > Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > [ OK, I put this where it belongs: this touches OpenPGP and > Internet messages, > so I'm forwarding this to the ietf lists ] > > We have a problem and we think we are not alone with it (see the > mozilla link > below): > > What if, in a mail user agent, the user wants to forward an > encrypted message? > Allow it? Deny it? > Re-encrypt or remove encryption? > > The problem is, of course, that the original sender might not like his > encrypted text being sent out in the clear again... > > Was this discussed here already? What was the consensus reached, if any? > > Marc > > On Tuesday 09 April 2002 13:01, Volker Augustin wrote: > > > Peronally, I think the best way is to ask the user > > > what to do when forwarding (inlined) an encrypted message. We cannot > > > prevent that he/she will forward the plaintext using a > workaround. So we > > > better delegate the resposibility for this action to the user itself. > > > > > > There is still the question, what should be the default way. > Another way > > > would to set the default to the last recently used way. Hm, I'm sure > > > you'll find a good solution. > > > > That might be a good solution. When trying for forward bring up a dialog > > asking whether to allow forwarding just this time or also for > the future. > > > > I just did an intensive search via google. Here are some of my findings: > > > > 1. Some mail programs have an option to prevent forwarding of encrypted > > messages. I could not find a single one explicitely preventing it. > > Some commercial application however give the system administrator the > > possibility to enforce this option system-wide. > > > > 2. RFC 1421 about PEM states (http://www.freesoft.org/CIE/RFC/1421/55.htm) > > "Some level of support for generating and processing nested and > annotated PEM messages (for forwarding purposes) is to be provided, and an > implementation should be able to reduce ENCRYPTED messages to MIC-ONLY or > MIC-CLEAR for forwarding." > > 3. There is an IETF draft about "Intended Recipients Attribute for the > Cryptographic Message Syntax (CMS)" > (http://www.ietf.org/internet-drafts/draft-ietf-smime-ira-00.txt) saying > > "The problem of intent that as expressed in [MALFWD] is beyond the > control of S/MIME protocol or its implementers. The use of the digital > signatures and encryption is correctly in the hands of the user. > However, the intended recipients attribute offers a mechanism to reduce the > likelihood of undetected malicious forwarding." > > 4. The mozilla team has the same problem: > http://www.mozilla.org/mailnews/compose_send_plugin_arch_notes.html > > "open issues: > 1) forwarding an encrypted message? > 2) standards for content type S/MIME. PGP. GPG. OpenPGP. > 3) Eudora and Outlook, etc. what do we need to do to support reading > encrypted message from other clients? " > > Regards, > Volker > _______________________________________________ > KMail Developers mailing list > kmail@mail.kde.org > http://mail.kde.org/mailman/listinfo/kmail - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8sykV3oWD+L2/6DgRAqdGAJwNcRmGWoJScgyldtF8oRuZdkhJgwCgqSHS EVIhVDaYSbaBNwblKUbAu9Q= =Krt0 -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id g39IdfJ04937 for ietf-openpgp-bks; Tue, 9 Apr 2002 11:39:41 -0700 (PDT) Received: from melkebalanse.gulbrandsen.priv.no (melkebalanse.gulbrandsen.priv.no [217.19.171.131]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39Iddm04933; Tue, 9 Apr 2002 11:39:39 -0700 (PDT) Received: (from arnt@localhost) by melkebalanse.gulbrandsen.priv.no (8.11.6/8.11.6) id g39IdtR01308; Tue, 9 Apr 2002 20:39:55 +0200 Date: Tue, 9 Apr 2002 20:39:55 +0200 From: Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> To: Marc Mutz <mutz@kde.org> Cc: kmail@kde.org, ietf-822@imc.org, ietf-openpgp@imc.org Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless Message-ID: <20020409203955.G937@melkebalanse.gulbrandsen.priv.no> References: <20020407212139.21019.qmail@mail.kde.org> <200204091343.35655@osp-dd.de> <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> <200204091947.03266@sendmail.mutz.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200204091947.03266@sendmail.mutz.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Marc Mutz <mutz@kde.org> > The problem is, of course, that the original sender might not like his > encrypted text being sent out in the clear again... The original sender might not his text being sent out at all. He sent it to you; you're showing it to some third party. Personally, I suggest using as much encryption as reasonably possible. In general, and naturally also in this particular case. --Arnt Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g39IGtj03919 for ietf-openpgp-bks; Tue, 9 Apr 2002 11:16:55 -0700 (PDT) Received: from mail.uni-bielefeld.de (IDENT:72@mail2.uni-bielefeld.de [129.70.4.90]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39IGom03908; Tue, 9 Apr 2002 11:16:50 -0700 (PDT) Received: from dirichlet.mathematik.uni-bielefeld.de (ppp36-205.hrz.uni-bielefeld.de [129.70.36.205]) by mail.uni-bielefeld.de (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8) with ESMTP id <0GUB00E9BC3S26@mail.uni-bielefeld.de>; Tue, 9 Apr 2002 20:16:50 +0200 (MET DST) Date: Tue, 09 Apr 2002 19:47:01 +0200 From: Marc Mutz <mutz@kde.org> Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless In-reply-to: <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> To: kmail@kde.org Cc: ietf-822@imc.org, ietf-openpgp@imc.org Message-id: <200204091947.03266@sendmail.mutz.com> Organization: KDE MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT User-Agent: KMail/1.4.5 X-PGP-Key: 0xBDBFE838 References: <20020407212139.21019.qmail@mail.kde.org> <200204091343.35655@osp-dd.de> <16uuO0-1O7bgOC@fmrl01.sul.t-online.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ OK, I put this where it belongs: this touches OpenPGP and Internet messages, so I'm forwarding this to the ietf lists ] We have a problem and we think we are not alone with it (see the mozilla link below): What if, in a mail user agent, the user wants to forward an encrypted message? Allow it? Deny it? Re-encrypt or remove encryption? The problem is, of course, that the original sender might not like his encrypted text being sent out in the clear again... Was this discussed here already? What was the consensus reached, if any? Marc On Tuesday 09 April 2002 13:01, Volker Augustin wrote: > > Peronally, I think the best way is to ask the user > > what to do when forwarding (inlined) an encrypted message. We cannot > > prevent that he/she will forward the plaintext using a workaround. So we > > better delegate the resposibility for this action to the user itself. > > > > There is still the question, what should be the default way. Another way > > would to set the default to the last recently used way. Hm, I'm sure > > you'll find a good solution. > > That might be a good solution. When trying for forward bring up a dialog > asking whether to allow forwarding just this time or also for the future. > > I just did an intensive search via google. Here are some of my findings: > > 1. Some mail programs have an option to prevent forwarding of encrypted > messages. I could not find a single one explicitely preventing it. > Some commercial application however give the system administrator the > possibility to enforce this option system-wide. > > 2. RFC 1421 about PEM states (http://www.freesoft.org/CIE/RFC/1421/55.htm) > > "Some level of support for generating and processing nested and > annotated PEM messages (for forwarding purposes) is to be provided, and an > implementation should be able to reduce ENCRYPTED messages to MIC-ONLY or > MIC-CLEAR for forwarding." > > 3. There is an IETF draft about "Intended Recipients Attribute for the > Cryptographic Message Syntax (CMS)" > (http://www.ietf.org/internet-drafts/draft-ietf-smime-ira-00.txt) saying > > "The problem of intent that as expressed in [MALFWD] is beyond the > control of S/MIME protocol or its implementers. The use of the digital > signatures and encryption is correctly in the hands of the user. > However, the intended recipients attribute offers a mechanism to reduce the > likelihood of undetected malicious forwarding." > > 4. The mozilla team has the same problem: > http://www.mozilla.org/mailnews/compose_send_plugin_arch_notes.html > > "open issues: > 1) forwarding an encrypted message? > 2) standards for content type S/MIME. PGP. GPG. OpenPGP. > 3) Eudora and Outlook, etc. what do we need to do to support reading > encrypted message from other clients? " > > Regards, > Volker > _______________________________________________ > KMail Developers mailing list > kmail@mail.kde.org > http://mail.kde.org/mailman/listinfo/kmail - -- Marc Mutz <mutz@kde.org> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8sykV3oWD+L2/6DgRAqdGAJwNcRmGWoJScgyldtF8oRuZdkhJgwCgqSHS EVIhVDaYSbaBNwblKUbAu9Q= =Krt0 -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g39F1Xb20911 for ietf-openpgp-bks; Tue, 9 Apr 2002 08:01:33 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g39F1Vm20901 for <ietf-openpgp@imc.org>; Tue, 9 Apr 2002 08:01:32 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g39F1k906437 for <ietf-openpgp@imc.org>; Tue, 9 Apr 2002 11:01:46 -0400 (EDT) Subject: Re: OpenPGP public key packet format To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Tue, 9 Apr 2002 10:01:32 -0500 Message-ID: <OFBF4C863F.7C9217E4-ON86256B96.00520FF1@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/09/2002 11:01:31 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz ======== For the subkeys, the key usage flags subpacket can go in the subkey signature. For the top level key, probably the best place is in the self-signature on all the userids. I think the commercial PGP versions look specifically in the self-sig on the primary userid. ====== Thanks. In the diagram in 11.1, what are the "Direct Key Self Signatures" that come before the first User ID? Note that the commercial PGP lets me change which ID is the "primary". So if it's looking there, it must be on all of them, and when adding another ID it must be consistant with what's gone before. I wonder, though, if programs just assume that the main key is for signing, and the first current subkey is for encrypting? In the case of DSA and the deprecated RSA-sign-only types, it is clear that the main key can only be used for signing, without the need for such a record. Received: by above.proper.com (8.11.6/8.11.3) id g38LFP908144 for ietf-openpgp-bks; Mon, 8 Apr 2002 14:15:25 -0700 (PDT) Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g38LFOm08140 for <ietf-openpgp@imc.org>; Mon, 8 Apr 2002 14:15:24 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id g38L6Ee12680; Mon, 8 Apr 2002 14:06:14 -0700 Date: Mon, 8 Apr 2002 14:06:14 -0700 From: "Hal Finney" <hal@finney.org> Message-Id: <200204082106.g38L6Ee12680@finney.org> To: ietf-openpgp@imc.org, john.dlugosz@kodak.com Subject: Re: OpenPGP public key packet format Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> John Dlugosz writes: > First, it seems that there are two utterly different version systems going > on. The "old packet" and "new packet" format allows more packet types in > the new format, but otherwise doesn't affect the content, since the Version > byte in the Type 6 (etc.) packet specifies Version 4 or 5. So NAI's > implementation (son of original PGP) uses old packets for "backward > compatibility" with v2.6, but then uses a Version 4 Public Key packet which > didn't exist before PGP 5.0, so using the older packet header is pointless. > What's the deal here? I'm supposing the real reason to use old packet > header is to save a byte, in cases where they can be used (tags < 16). If you're not interested in backwards compatibility with PGP 2, you can use the new format packet tags. If you require backwards compatibility, you must use the old format tags and only V3 RSA keys. If you're asking why the commercial PGP versions use old format tags with V4 DSA keys, it was in the hope that 2.6.2 could still parse the packets in terms of their lengths, and skip over their unrecognizable contents. > Second, how are the public key proper and the signing key specified? I'm > guessing that the key directly encoded in the Tag 6 is the signing(only) > key, and all subkey packets are for public message keys. The RFC says that > the sign/encrypt only types for RSA are no longer used, but rather flags in > the signature packet is used. I see the following: Public Key (tag 6), > User ID, Signature, User ID, Signature, Public Subkey, Signature. I have > two self-signed ID's (different email addresses), so I don't know what the > third one is for. I also suppose that although packets are not nested but > sequential, the "applies to" is implied as a hiararchy? That is, the sig > applies to the previous ID? Yes, there is an implied hierarchy. This is illustrated in section 11.1 of the RFC. > Anyway, with multiple signatures, does each one specify how the key is used > in addition to saying "I vouch for him", and how do you make sure they all > agree? Can someone clarify this, please? For the subkeys, the key usage flags subpacket can go in the subkey signature. For the top level key, probably the best place is in the self-signature on all the userids. I think the commercial PGP versions look specifically in the self-sig on the primary userid. The commercial versions of PGP do not support signature sub-keys. Hal Finney Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g38KUF806856 for ietf-openpgp-bks; Mon, 8 Apr 2002 13:30:15 -0700 (PDT) Received: from kodakr.kodak.com (kodakr.kodak.com [192.232.119.69]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g38KUDm06852 for <ietf-openpgp@imc.org>; Mon, 8 Apr 2002 13:30:14 -0700 (PDT) Received: from knotes.kodak.com (knotes2.ko.kodak.com [150.221.122.53]) by kodakr.kodak.com (8.11.1/8.11.1) with ESMTP id g38KUIm29400 for <ietf-openpgp@imc.org>; Mon, 8 Apr 2002 16:30:18 -0400 (EDT) Subject: OpenPGP public key packet format To: ietf-openpgp@imc.org From: john.dlugosz@kodak.com Date: Mon, 8 Apr 2002 15:30:08 -0500 Message-ID: <OF44CD1AAC.63C37445-ON86256B95.006F79E7@kodak.com> X-MIMETrack: Serialize by Router on KNOTES2/ISBP/EKC(Release 5.0.8 |June 18, 2001) at 04/08/2002 04:30:04 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> From: John Dlugosz I have a couple questions... First, it seems that there are two utterly different version systems going on. The "old packet" and "new packet" format allows more packet types in the new format, but otherwise doesn't affect the content, since the Version byte in the Type 6 (etc.) packet specifies Version 4 or 5. So NAI's implementation (son of original PGP) uses old packets for "backward compatibility" with v2.6, but then uses a Version 4 Public Key packet which didn't exist before PGP 5.0, so using the older packet header is pointless. What's the deal here? I'm supposing the real reason to use old packet header is to save a byte, in cases where they can be used (tags < 16). Second, how are the public key proper and the signing key specified? I'm guessing that the key directly encoded in the Tag 6 is the signing(only) key, and all subkey packets are for public message keys. The RFC says that the sign/encrypt only types for RSA are no longer used, but rather flags in the signature packet is used. I see the following: Public Key (tag 6), User ID, Signature, User ID, Signature, Public Subkey, Signature. I have two self-signed ID's (different email addresses), so I don't know what the third one is for. I also suppose that although packets are not nested but sequential, the "applies to" is implied as a hiararchy? That is, the sig applies to the previous ID? Anyway, with multiple signatures, does each one specify how the key is used in addition to saying "I vouch for him", and how do you make sure they all agree? Can someone clarify this, please? What I'm doing: I'm using OpenPGP in a system, and want to specify exactly which packets should be used, as the program may be limited to this. Also, want to make sure I get it right when manipulating these files. --John
- bis05: Armor Headers Marc Mutz
- Re: bis05: Armor Headers Werner Koch
- Re: bis05: Armor Headers David Shaw