Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 17 July 2013 19:06 UTC
Message-ID: <51E6EB1E.8010209@fifthhorseman.net>
Date: Wed, 17 Jul 2013 15:06:06 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org

On 07/17/2013 02:27 PM, Ximin Luo wrote:

> As per [2], if I ever sign a message consisting of "yes" or "no" or some other short message with very little context, the attacker (whom I encrypted the signed message to) could use this signed message in some other context, fooling people that I said something I didn't. One might argue "how unlikely", but it's still an unnecessary caveat (i.e. complexity) in using encrypted email, which will confuse people not familiar with the details.
>
> My original point was that this attack is a specific example of a general design flaw in encrypted email - i.e. unsigned/unencrypted headers.

the attack you're describing above has nothing to do with encryption; it has to do with signatures. This is a fundamental vulnerability of any system that involves signed data that is dependent for interpretation on unsigned context. This is also the case for (e.g.) clearsigned plain text files.

It sounds to me like you're proposing a way that some additional context could be automatically signed by compatible mail user agents. I think this is a fine idea, though i think it needs more detail than what has been sketched out here thus far. For example, what should a compatible MUA do if the signed message contains a signed copy of a header which doesn't match the unsigned header of the message in question? what if a signed message contains two sets of signed headers that conflict with each other? how should an MUA represent the idea that headers are signed? and so forth...

it also sounds like it would be relevant for other e-mail signature standards too, since S/MIME (for example) might want the same sort of protection. This makes it out of scope for the current mailing list, since it isn't OpenPGP specific. Werner already suggested that gnupg-users@gnupg.org might be a reasonable place to have this more general discussion. Maybe followup should happen over there?

Regards,

--dkg
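
An added example, not part of the message above and not taken from any MUA or standard: a receiving-side check that sorts each context header into the cases the message asks about (signed copy matches, signed copy differs from the unsigned outer header, signed copies conflict, no signed copy at all). It assumes a hypothetical layout in which header copies sit in the header section of the signed MIME part, and that the signature over that part has already been verified; the status labels and sample message are constructed.

```python
from email import message_from_string

# Headers that give a short signed body ("yes") its meaning.
CONTEXT_HEADERS = ("From", "To", "Subject", "Date", "In-Reply-To")

def norm(value):
    return " ".join(str(value).split())  # collapse folding whitespace

def classify_headers(outer, signed_part):
    """Assumes the signature over signed_part was already verified."""
    report = {}
    for name in CONTEXT_HEADERS:
        signed = {norm(v) for v in signed_part.get_all(name, [])}
        shown = {norm(v) for v in outer.get_all(name, [])}
        if len(signed) > 1:
            report[name] = "conflict"   # signed copies disagree with each other
        elif not signed:
            report[name] = "unsigned" if shown else "absent"
        elif shown == signed:
            report[name] = "signed"
        else:
            report[name] = "mismatch"   # outer header differs from (or lacks) the signed copy
    return report

# Constructed sample: a signed "yes" shown under a different outer Subject.
RAW = """\
From: alice@example.org
To: bob@example.org
Subject: Re: Shall we cancel the contract?
Date: Wed, 17 Jul 2013 15:06:06 -0400
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain
From: alice@example.org
To: bob@example.org
Subject: Re: Lunch on Friday?

yes
--b1
Content-Type: application/pgp-signature

(signature placeholder, not verified in this example)
--b1--
"""

def check(raw):
    outer = message_from_string(raw)
    return classify_headers(outer, outer.get_payload()[0])
```

The check only detects the cases; what a mail client should display or refuse in the "mismatch" and "conflict" cases is the open design question raised in the message.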