Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Ximin Luo <infinity0@gmx.com> Wed, 17 July 2013 19:42 UTC

Return-Path: <infinity0@gmx.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9C7621F8F67 for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 12:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.374
X-Spam-Level:
X-Spam-Status: No, score=-2.374 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23eaRr8HfAaS for <openpgp@ietfa.amsl.com>; Wed, 17 Jul 2013 12:42:30 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 18FBC21E804C for <openpgp@ietf.org>; Wed, 17 Jul 2013 12:42:27 -0700 (PDT)
Received: from [192.168.1.66] ([109.152.229.244]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LpObx-1UTlYu1aOz-00fAgT for <openpgp@ietf.org>; Wed, 17 Jul 2013 21:42:21 +0200
Message-ID: <51E6F39A.8040805@gmx.com>
Date: Wed, 17 Jul 2013 20:42:18 +0100
From: Ximin Luo <infinity0@gmx.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130518 Icedove/17.0.5
MIME-Version: 1.0
To: openpgp@ietf.org
References: <51D360B2.1070709@gmx.com> <CAG5KPzybcunUE3wO90icgQK5EpWecGa1e5LzL+-57aCWPrqUsw@mail.gmail.com> <51E5BFFC.1040505@gmx.com> <CAG5KPzz-xmGOV8p9h0ho1WKNdEez4M0VvdsQ5JafBpWYntJo3Q@mail.gmail.com> <51E6E21C.4020708@gmx.com> <51E6EB1E.8010209@fifthhorseman.net>
In-Reply-To: <51E6EB1E.8010209@fifthhorseman.net>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="----enig2ETDSLCAUJIKFSFISSUQT"
X-Provags-ID: V03:K0:JvZNSf9CMJuy+8FDrOJ2D/qQk3J4m+ich8ZT8NGnb0GSRQvQ/3+ mmfa/vALm+dcnGNrFiGgwOZdaMzH2GWew2EQuiBcEYxYIljYd+2wNgWtcSqMA2ObbFx3zHU OlQiGZqdtR3c6ldVR25l6kgckgbrtVIEvFWdhrPqp5ax7L8oAVaSgEhm81UdabPeDPengMo ICfVx1uhWlcVYvv29F+HQ==
Subject: Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 19:42:35 -0000

On 17/07/13 20:06, Daniel Kahn Gillmor wrote:
> On 07/17/2013 02:27 PM, Ximin Luo wrote:
>> As per [2], if I ever sign a message consisting of "yes" or "no" or some other short message with very little context, the attacker (whom I encrypted the signed message to) could use this signed message in some other context, fooling people that I said something I didn't. One might argue "how unlikely", but it's still an unnecessary caveat (i.e. complexity) in using encrypted email, which will confuse people not familiar with the details.
>>
>> My original point was that this attack is a specific example of a general design flaw in encrypted email - i.e. unsigned/unencrypted headers.
> 
> the attack you're describing above has nothing to do with encryption; it
> has to do with signatures.
> 
> This is a fundamental vulnerability of any system that involves signed
> data that is dependent for interpretation on unsigned context.  This is
> also the case for (e.g.) clearsigned plain text files.
> 

It is *mostly* to do with signatures yes, but encryption does play a part - it adds the implicit *non-signed* information that the data is a message TO someone. (Although I take your point, a signed non-encrypted email also has this implicit metadata, and is vulnerable too.) If you signed a self-contained plain text file, this is not necessarily the case.

> It sounds to me like you're proposing a way that some additional context
> could be automatically signed by compatible mail user agents.  I think
> this is a fine idea, though i think it needs more detail than what has
> been sketched out here thus far.  For example, what should a compatible
> MUA do if the signed message contains a signed copy of a header which
> doesn't match the unsigned header of the message in question?  what if a
> signed message contains two sets of signed headers that conflict with
> each other?  how should an MUA represent the idea that headers are
> signed?  and so forth...
> 
> it also sounds like it would be relevant for other e-mail signature
> standards too, since S/MIME (for example) might want the same sort of
> protection.  This makes it out of scope for the current mailing list,
> since it isn't OpenPGP specific.
> 
> Werner already suggested that gnupg-users@gnupg.org might be a
> reasonable place to have this more general discussion.  Maybe followup
> should happen over there?
> 

Good points and yes, I will take this discussion there.

Thanks for all the info and comments everyone!