Re: [openpgp] Intended Recipient Fingerprint signature subpacket

vedaal@nym.hush.com Tue, 06 March 2018 04:09 UTC

Return-Path: <vedaal@nym.hush.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53781127444 for <openpgp@ietfa.amsl.com>; Mon, 5 Mar 2018 20:09:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hush.ai
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XC-hS3OUFxGk for <openpgp@ietfa.amsl.com>; Mon, 5 Mar 2018 20:09:28 -0800 (PST)
Received: from smtp5.hushmail.com (smtp5.hushmail.com [65.39.178.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFBCA127869 for <openpgp@ietf.org>; Mon, 5 Mar 2018 20:09:28 -0800 (PST)
Received: from smtp5.hushmail.com (localhost [127.0.0.1]) by smtp5.hushmail.com (Postfix) with SMTP id 2EC2420DEA for <openpgp@ietf.org>; Tue, 6 Mar 2018 04:09:28 +0000 (UTC)
X-hush-tls-connected: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=hush.ai; h=date:to:subject:from; s=hush; bh=GiV7YT4nJ0BSL7mF//SvWnGzKMdAonqqirWNGfQvMt0=; b=rAOyy4WcatAHbspNQIXGJnaqkihqNeYvPghoGD69isCWWm9I+RkSJJh2lFi7OSe/faaeDA0lLXWNU2IvTdYZZejKXWm6BgiUNwgmWqH6Imdn6MsiDtRi8JD+iWDOEoc/PiFkbhORWdojSBzkE5BaQ3EOWK2ZhA4++3sU2lq1AGPojHXdrfeBeJS0iVgryGnQAFHwxKigPpwljzKamo4pQAIf3EoBYq3+qGaqvuW5gR9BufPj8UvViFrTxOVNYOHYHxoQuJqMDs55u+t7h2lHY3uaxSZhzbwxWGi+MPtuzSjzstjSG4w7L1EJL3/xepfnaHQnmxcEbW99f6CiqBWkHQ==
Received: from smtp.hushmail.com (w1.hushmail.com [65.39.178.83]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp5.hushmail.com (Postfix) with ESMTPS for <openpgp@ietf.org>; Tue, 6 Mar 2018 04:09:27 +0000 (UTC)
Received: by smtp.hushmail.com (Postfix, from userid 99) id C83C66010D; Tue, 6 Mar 2018 04:09:27 +0000 (UTC)
MIME-Version: 1.0
Date: Mon, 05 Mar 2018 23:09:27 -0500
To: "openpgp" <openpgp@ietf.org>
From: vedaal@nym.hush.com
In-Reply-To: <20180305231951.GA21944@calamity>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20180306040927.C83C66010D@smtp.hushmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SLpwtsShWCEK7d2P8EOjX9b_YHc>
Subject: Re: [openpgp] Intended Recipient Fingerprint signature subpacket
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 04:09:30 -0000

On 3/5/2018 at 6:20 PM, "Vincent Breitmoser" <look@my.amazin.horse> wrote:
>
>Hey folks,
>
>dkg and I have been discussing an "Intended Recipient Fingerprint"
>subpacket, that pins a signature to be valid only in an encrypted
>context to the indicated recipient.
>
>Use of this subpacket removes some wiggling room for 
>signed+encrypted
>messages.  This can be used to prevent replay attacks, where a 
>signature
>is taken out of its context and forwarded to a different recipient.

======

In principle, it's a good idea.

But, the attacker could still send it along as a clearsigned message, and if the recipient accepts the message at face value, the attack succeeds.

There is really no substitute for fixing this in the context of the message itself.  Anything signed, should mention the person addressed in the text of the message.


Example:

message [1]

=====[begin text of message to be signed and encrypted to Bob]=====

Hi Bob,

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


as opposed to this,

message [2]:

=====[begin text of message to be signed and encrypted to Bob]=====

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


If at some later time, Bob and Alice had a falling out, Bob could send the second message to John, (a not so good friend of Alice). who now thinks Alice 'loves' him.

Bob could obviously never do this with the first message in the above example.

Again, more of an issue to be put in an advisory caution in the new rfc, rather than designing a new packet,  but if the new packet is easy to implement, then great.


vedaal