Re: secure sign & encrypt

[Derek Atkins <derek@ihtfp.com>]

sorry, vedaal, but you are incorrect.  With current OpenPGP is _IS_
possible to strip off the encryption from a message and re-encrypt it
to another user, keeping the signature intact.  In fact, back in the
early 90's (and mid-90's when we were first designing the pre-OpenPGP
packets), this was in fact a design goal!

Remember that a signed/encrypted message looks like:

        ESK{PubA, K} ... Enc{K, PreSig{Hash{M}}, Lit{M}, PostSig{Hash{M}}}

Given this format, you can easily replace the K in ESK{} and Enc{}
without destroying the Presig,Literal,PostSig packets.

Now, it may be that the current _implementations_ do not make it easy
for a user to do so, but that is an implementation detail, not a
protocol detail.  The protocol could allow you to do so.

-derek

"vedaal" <vedaal@hotmail.com> writes:

> ----- Original Message -----
> From: "Terje Braaten" <Terje.Braaten@concept.fr>
> To: <ietf-openpgp@imc.org>
> Sent: Monday, May 20, 2002 7:31 PM
> Subject: RE: secure sign & encrypt
> 
> [...]
> 
>  > The problem is that most users when they decrypt a message
> > that is signed, they will think they can be sure the signer
> > and the encrypter is the same person/entity.
> > It would be a major improvement in the OpenPGP specification
> > to allow applications to ensure that that really is the case.
> 
> [...]
> 
> Functionally, that is the case now in Open PGP.
> 
> Even though a signed and encrypted message can be separated into a
> verifiable free standing signed message, and then
> re-encrypted and sent on to someone else,
> it 'cannot' {afaik} be re-combined into a signed and encrypted message that
> appears the same as a de-novo signed and encrypted message.
> 
> The most that can be done with the separation and re-encryption, is to have
> a message, that upon decryption, is clearsigned,
> or armored signed, and even the armored signed message is clearly of a
> different form than a de novo armored signed message;
> {a de novo armored signed message always has the message block begin with
> the letters 'ow', the separated armored signed
> message never does}.
> 
> Someone receiving a re-encrypted separated signed message, can instantly
> tell upon decryption, that it was an 'intentionally'
> re-encrypted message, and not an original.
> 
> The only time that this could be a problem, is for very new users, who may
> inadvertently get into a habit of clearsigning and then encrypting, instead
> of using the one-function 'sign and encrypt' , and as soon as it is pointed
> out to them that it is simpler and easier to use 'sign and encrypt' single
> function, they will probably do so.
> 
> hth,
> 
> vedaal
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com