Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Ximin Luo <> Wed, 17 July 2013 19:42 UTC

On 17/07/13 20:06, Daniel Kahn Gillmor wrote:
> On 07/17/2013 02:27 PM, Ximin Luo wrote:
>> As per [2], if I ever sign a message consisting of "yes" or "no" or some other short message with very little context, the attacker (whom I encrypted the signed message to) could use this signed message in some other context, fooling people that I said something I didn't. One might argue "how unlikely", but it's still an unnecessary caveat (i.e. complexity) in using encrypted email, which will confuse people not familiar with the details.
>> My original point was that this attack is a specific example of a general design flaw in encrypted email - i.e. unsigned/unencrypted headers.
> the attack you're describing above has nothing to do with encryption; it
> has to do with signatures.
> This is a fundamental vulnerability of any system that involves signed
> data that is dependent for interpretation on unsigned context.  This is
> also the case for (e.g.) clearsigned plain text files.

It is *mostly* to do with signatures, yes, but encryption does play a part - it adds the implicit *non-signed* information that the data is a message TO someone. (Although I take your point, a signed non-encrypted email also has this implicit metadata, and is vulnerable too.) If you signed a self-contained plain text file, this is not necessarily the case.

> It sounds to me like you're proposing a way that some additional context
> could be automatically signed by compatible mail user agents.  I think
> this is a fine idea, though i think it needs more detail than what has
> been sketched out here thus far.  For example, what should a compatible
> MUA do if the signed message contains a signed copy of a header which
> doesn't match the unsigned header of the message in question?  what if a
> signed message contains two sets of signed headers that conflict with
> each other?  how should an MUA represent the idea that headers are
> signed?  and so forth...
> it also sounds like it would be relevant for other e-mail signature
> standards too, since S/MIME (for example) might want the same sort of
> protection.  This makes it out of scope for the current mailing list,
> since it isn't OpenPGP specific.
> Werner already suggested that might be a
> reasonable place to have this more general discussion.  Maybe followup
> should happen over there?

Good points and yes, I will take this discussion there.

Thanks for all the info and comments everyone!
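
Added example, not part of the original message or of any MUA's code: a sketch of the comparison a receiving client would need for the cases raised above (a signed header copy that differs from the unsigned outer header, and signed copies that conflict with each other). It assumes a hypothetical convention in which the sender's MUA copies headers onto the signed subpart, assumes the signature has already been verified elsewhere, and uses a constructed sample message; the status names are this example's own.

```python
from email import message_from_string
from email.utils import getaddresses

CHECKED = ("From", "To", "Subject", "Date", "In-Reply-To")

def _norm(name, values):
    if name in ("From", "To"):  # compare bare addresses, ignore display names
        return sorted(addr.lower() for _, addr in getaddresses(values))
    return [" ".join(v.split()) for v in values]  # collapse folding/whitespace

def compare_headers(raw):
    """Classify checked headers. Assumes the signature over the first subpart
    was verified and the sender's MUA copied the headers there (hypothetical)."""
    outer = message_from_string(raw)
    if outer.get_content_type() != "multipart/signed":
        raise ValueError("expected multipart/signed")
    signed = outer.get_payload(0)
    report = {}
    for name in CHECKED:
        inner = signed.get_all(name) or []
        if not inner:
            report[name] = "unsigned"   # only the unauthenticated copy exists
        elif len({tuple(_norm(name, [v])) for v in inner}) > 1:
            report[name] = "conflict"   # signed copies disagree with each other
        else:
            outside = _norm(name, outer.get_all(name) or [])
            report[name] = "match" if _norm(name, inner[:1]) == outside else "mismatch"
    return report

# Constructed sample (signature part left empty): a signed "yes" shown under
# outer headers that differ from the signed copies.
SAMPLE = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Re: Approve the transfer?
Date: Wed, 17 Jul 2013 20:42:18 +0100
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="b"

--b
From: alice@example.org
To: carol@example.org
Subject: Re: Lunch on Friday?
In-Reply-To: <1@example.org>
In-Reply-To: <2@example.org>

yes
--b
Content-Type: application/pgp-signature

--b--
"""
```

The function only classifies each header; how a client should display or act on "mismatch" and "conflict" is the open question in the quoted text and is left undecided here.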