RE: secure sign & encrypt

Terje Braaten <> Thu, 23 May 2002 21:36 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id RAA28352 for <>; Thu, 23 May 2002 17:36:33 -0400 (EDT)
Received: by (8.11.6/8.11.3) id g4NLRq715111 for ietf-openpgp-bks; Thu, 23 May 2002 14:27:52 -0700 (PDT)
Received: from ( []) by (8.11.6/8.11.3) with ESMTP id g4NLRoL15107 for <>; Thu, 23 May 2002 14:27:51 -0700 (PDT)
Received: by with Internet Mail Service (5.5.2653.19) id <LPCP1MXQ>; Thu, 23 May 2002 23:25:18 +0200
Message-ID: <>
From: Terje Braaten <>
Subject: RE: secure sign & encrypt
Date: Thu, 23 May 2002 23:25:17 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by id g4NLRpL15108
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>
Content-Transfer-Encoding: 8bit

What is the problem I try to solve? I thought that had been clear
through the many mails I sent, but let me try to explain again.

1) Don Davis has a pretty good description of the problem in
	He lists many good reasons why this is a problem in section 4.

2) Many users seem to think that PGPs sign & encrypt function is atomic.
	We can try to teach them that is never was so, and never will be
	(a bad solution in my opinion) or we can give the users what they
	want/expect and make it possible to have an atomic sign & encrypt
	in PGP.

To word the problem in another way, when Alice send a message to Bob
that is signed and encrypted, Bob should be able to be sure that it
was Alice that encrypted the message.

Description of attack:

Alice send a signed & encrypted message to Charlie. Charlie decrypts
it and encrypts and sends it to Bob, trying to convince Bob the message
comes directly from Alice. Since Bob see the message is apparently
made by sign & encrypt he thinks it must be Alice that has encrypted it.

Some solutions:

	- Teach Bob not to trust PGPs sign & encrypt to know who the sender
	  of the message is when it is not in the plain text of the signed

	- Make PGP use Encrypt, Sign and Encrypt. (Slower
	  and bigger messages.)

	- Add fingerprints of recipient keys in signature packets (Requires
a change
	  in the protocol)
Terje BrĂ¥ten