Re: [openpgp] [messaging] On Signed-Only Mails
Taylor R Campbell <campbell+moderncrypto@mumble.net> Tue, 29 November 2016 15:00 UTC
From: Taylor R Campbell <campbell+moderncrypto@mumble.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-reply-to: <1480411542920.18425@cs.auckland.ac.nz> (pgut001@cs.auckland.ac.nz)
Date: Tue, 29 Nov 2016 15:00:17 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/a8TCirLguj6kO2RAG3k3vtK9o9c>
Cc: messaging@moderncrypto.org, openpgp@ietf.org, Vincent Breitmoser <look@my.amazin.horse>

   Date: Tue, 29 Nov 2016 09:25:45 +0000
   From: Peter Gutmann <pgut001@cs.auckland.ac.nz>

   Vincent Breitmoser <look@my.amazin.horse> writes:

   >In some more detail:
   >https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
   >
   >[...] Signed-Only Mails are Useless [...]

   Yup, and it's for exactly the reasons given there that the S/MIME WG
   decided many years ago not to sign messages sent to the list. Courts,
   similarly, rule on the intent of the signer, not some attached bag of
   bits (see e.g. Steven Mason's excellent "Electronic Signatures in
   Law"). So while I wouldn't go so far as to call them harmful, I'd
   agree that they're mostly useless, unless you're using one to make
   some special point. Even then, if it's for legal purposes, a court
   will look at almost everything but the signature when deciding on its
   effect.

Courts are not the only imaginable threat model for nonrepudiation of
a sender's message[1].

End-to-end authentication is important for preventing forgery of
conversations between two parties, but of the two ways to accomplish
that -- signatures, where anyone can verify, vs authenticators, where
only recipient can verify -- signatures work against the sender's
interest with no benefit over authenticators in the vast majority of
private messages.

Unfortunately, OpenPGP doesn't have public-key authenticators -- nor
authenticated encryption, and likewise S/MIME[2] -- so it's kludged up
by an ad hoc composition of signature and encryption that fails to
bind the sender and recipient, which has long been known to enable the
recipient of a private message to resend it for comic effect or
worse[5].


[1] Rob Graham, `Politifact: Yes we can fact check Kaine's email',
    Errata Security blog, 2016-10-23.
    http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html

[2] Except perhaps for static-static DH mode described in RFC 2631[3],
    but I've never seen evidence that anyone has ever used it in
    practice, and have seen evidence of avoiding it[4].

[3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631,
    June 1999.
    https://www.ietf.org/rfc/rfc2630.txt

[4] `The following features are lower in priority and are not likely
    to be included in version 1.0 [of the Mozilla S/MIME toolkit]:
    CMS: Static-static Diffie-Hellman Key Agreement Protocol (SSDH)
    (RFC2630 12.3.1.1)'
    http://www-archive.mozilla.org/projects/security/pki/nss/smime/
    [retrieved 2016-11-29]

[5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
    PGP, and XML', 2001-05-05.
    http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
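
The signature/authenticator distinction drawn in the message above, as an added example that is not part of the original post and is not how OpenPGP or S/MIME work: a static-static DH secret keys an HMAC, so the recipient can verify the tag but could equally have produced it, and a resent copy does not verify for anyone else. The party names, the helper functions and the toy DH group are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy finite-field DH group, for illustration only (assumption: a real
# deployment would use X25519 or a vetted RFC 3526 / RFC 7919 group).
P = 2**255 - 19
G = 2

def keygen():
    """Return a long-term (private, public) DH key pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _lp(b):
    """Length-prefix a field so concatenated fields stay unambiguous."""
    return len(b).to_bytes(2, "big") + b

def pair_key(my_priv, their_pub, sender, recipient):
    """MAC key from the static-static DH secret, bound to both names."""
    shared = pow(their_pub, my_priv, P).to_bytes(32, "big")
    return hashlib.sha256(_lp(sender) + _lp(recipient) + shared).digest()

def tag(my_priv, their_pub, sender, recipient, message):
    """Authenticator over message; either party of the pair can compute it."""
    key = pair_key(my_priv, their_pub, sender, recipient)
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(my_priv, their_pub, sender, recipient, message, t):
    """Recompute the tag with my own private key and compare in constant time."""
    expected = tag(my_priv, their_pub, sender, recipient, message)
    return hmac.compare_digest(expected, t)

def demo():
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    c_priv, _ = keygen()
    msg = b"constructed sample message"
    t = tag(a_priv, b_pub, b"alice", b"bob", msg)  # Alice -> Bob
    return {
        # Bob, the intended recipient, can check the tag.
        "bob_accepts": verify(b_priv, a_pub, b"alice", b"bob", msg, t),
        # Bob can compute the identical tag, so it proves nothing to others.
        "bob_could_forge": tag(b_priv, a_pub, b"alice", b"bob", msg) == t,
        # Bob resends to Carol: it does not verify as Alice -> Carol ...
        "carol_accepts_resend": verify(c_priv, a_pub, b"alice", b"carol", msg, t),
        # ... and Carol cannot check the Alice -> Bob tag either.
        "carol_checks_as_bob": verify(c_priv, a_pub, b"alice", b"bob", msg, t),
    }

if __name__ == "__main__":
    print(demo())
```
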