Re: [openpgp] [messaging] On Signed-Only Mails
ianG <iang@iang.org> Tue, 06 December 2016 18:48 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF22129A98 for <openpgp@ietfa.amsl.com>; Tue, 6 Dec 2016 10:48:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMh4R-unF9vQ for <openpgp@ietfa.amsl.com>; Tue, 6 Dec 2016 10:48:49 -0800 (PST)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B1F5129A8F for <openpgp@ietf.org>; Tue, 6 Dec 2016 10:48:49 -0800 (PST)
Received: from tormenta.local (iang.org [209.197.106.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id 954CE6D7C8; Tue, 6 Dec 2016 13:48:48 -0500 (EST)
To: openpgp@ietf.org
References: <20161129091837.GA25812@littlepip.fritz.box> <1480411542920.18425@cs.auckland.ac.nz>
From: ianG <iang@iang.org>
Message-ID: <f84121d0-d1d7-3f7f-ab5b-48643bfe0ee3@iang.org>
Date: Tue, 06 Dec 2016 13:48:47 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <1480411542920.18425@cs.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SUo43L6mtu6n6Pv4YauEgdyfL1M>
Subject: Re: [openpgp] [messaging] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 18:48:50 -0000
On 29/11/2016 04:25, Peter Gutmann wrote: > Vincent Breitmoser <look@my.amazin.horse> writes: > >> In some more detail: >> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html >> >> [...] Signed-Only Mails are Useless [...] > > Yup, and it's for exactly the reasons given there that the S/MIME WG decided > many years ago not to sign messages sent to the list. Courts, similarly, rule > on the intent of the signer, not some attached bag of bits (see e.g. Steven > Mason's excellent "Electronic Signatures in Law"). So while I wouldn't go so > far as to call them harmful, I'd agree that they're mostly useless, unless > you're using one to make some special point. Which gets more to the point - the problem with digital signatures is that they mean different things to different people. Just the crypto alone cannot solve that problem. What is needed is a framework that states the meaning of the signature in human terms in a clear way. This hasn't really been done to my knowledge. CAs like CAcert have gone a long way towards establishing one meaning of a signature. But the "one meaning" thing has also been insufficient; we really need many meanings, and that needs more work. Bringing it back to the topic, what we are really saying is that "signed-only mails will be useless without some context" and in the contrary where emails are signed and encrypted, we are actually providing some context by implication: the signature is for authentication of the mail sender / key, which is a security statement not a legal statement, as is stressed by the inclusion of encryption;... and therefore we can presume that the signature is not for legal purposes. Note that it's still a presumption based on custom not statement. To put that another way around - when we just do signed emails, are we doing an authentication (security) statement or are we intending a legal (signing) statement? It's not clear. We might be clearer by saying that plaintext sigs are more legal and binary ones are more authentication, but that's not backed up by any custom or anything. > Even then, if it's for legal > purposes, a court will look at almost everything but the signature when > deciding on its effect. Right, and now we have the problem that a digsig probably is a lousy legal signature anyway, if used without any context. But does that make it not a legal signature? No. The closer statement might be: "signatures don't make their purpose clear, and therefore they are often so confusing as to be useless." iang
- [openpgp] On Signed-Only Mails Vincent Breitmoser
- Re: [openpgp] [messaging] On Signed-Only Mails Peter Gutmann
- Re: [openpgp] [messaging] On Signed-Only Mails Vincent Breitmoser
- Re: [openpgp] [messaging] On Signed-Only Mails Peter Gutmann
- Re: [openpgp] On Signed-Only Mails Kristian Fiskerstrand
- Re: [openpgp] On Signed-Only Mails Vincent Breitmoser
- Re: [openpgp] On Signed-Only Mails Brian Sniffen
- Re: [openpgp] On Signed-Only Mails brian m. carlson
- Re: [openpgp] On Signed-Only Mails Alexander Strobel
- Re: [openpgp] On Signed-Only Mails Peter Gutmann
- Re: [openpgp] On Signed-Only Mails Thijs van Dijk
- Re: [openpgp] On Signed-Only Mails Brian Sniffen
- Re: [openpgp] [messaging] On Signed-Only Mails Taylor R Campbell
- [openpgp] Steven Mason's "Electronic Signatures i… ianG
- Re: [openpgp] [messaging] On Signed-Only Mails ianG
- Re: [openpgp] [messaging] On Signed-Only Mails Phillip Hallam-Baker
- Re: [openpgp] Steven Mason's "Electronic Signatur… Phillip Hallam-Baker
- Re: [openpgp] Steven Mason's "Electronic Signatur… vedaal