Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 17 July 2013 19:06 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4EF821E8097 for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 12:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2udAUzSxLjvf for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 12:06:13 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id CEC3021E808F for <openpgp@ietf.org>; Wed, 17 Jul 2013 12:06:12 -0700 (PDT)
Received: from [192.168.23.229] (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id 6AAF4F948 for <openpgp@ietf.org>; Wed, 17 Jul 2013 15:06:09 -0400 (EDT)
Message-ID: <51E6EB1E.8010209@fifthhorseman.net>
Date: Wed, 17 Jul 2013 15:06:06 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130630 Icedove/17.0.7
MIME-Version: 1.0
To: openpgp@ietf.org
References: <51D360B2.1070709@gmx.com> <CAG5KPzybcunUE3wO90icgQK5EpWecGa1e5LzL+-57aCWPrqUsw@mail.gmail.com> <51E5BFFC.1040505@gmx.com> <CAG5KPzz-xmGOV8p9h0ho1WKNdEez4M0VvdsQ5JafBpWYntJo3Q@mail.gmail.com> <51E6E21C.4020708@gmx.com>
In-Reply-To: <51E6E21C.4020708@gmx.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="----enig2VMFDMUOCQFBRJNPXOAXT"
Subject: Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 19:06:22 -0000

On 07/17/2013 02:27 PM, Ximin Luo wrote:
> As per [2], if I ever sign a message consisting of "yes" or "no" or some other short message with very little context, the attacker (whom I encrypted the signed message to) could use this signed message in some other context, fooling people that I said something I didn't. One might argue "how unlikely", but it's still an unnecessary caveat (i.e. complexity) in using encrypted email, which will confuse people not familiar with the details.
> 
> My original point was that this attack is a specific example of a general design flaw in encrypted email - i.e. unsigned/unencrypted headers.

the attack you're describing above has nothing to do with encryption; it
has to do with signatures.

This is a fundamental vulnerability of any system that involves signed
data that is dependent for interpretation on unsigned context.  This is
also the case for (e.g.) clearsigned plain text files.

It sounds to me like you're proposing a way that some additional context
could be automatically signed by compatible mail user agents.  I think
this is a fine idea, though i think it needs more detail than what has
been sketched out here thus far.  For example, what should a compatible
MUA do if the signed message contains a signed copy of a header which
doesn't match the unsigned header of the message in question?  what if a
signed message contains two sets of signed headers that conflict with
each other?  how should an MUA represent the idea that headers are
signed?  and so forth...

it also sounds like it would be relevant for other e-mail signature
standards too, since S/MIME (for example) might want the same sort of
protection.  This makes it out of scope for the current mailing list,
since it isn't OpenPGP specific.

Werner already suggested that gnupg-users@gnupg.org might be a
reasonable place to have this more general discussion.  Maybe followup
should happen over there?

Regards,

	--dkg