Re: [openpgp] [messaging] On Signed-Only Mails

Taylor R Campbell <campbell+moderncrypto@mumble.net> Tue, 29 November 2016 15:00 UTC

Return-Path: <campbell@mumble.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9DE9129BDC for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 07:00:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EVwK8AvtS20R for <openpgp@ietfa.amsl.com>; Tue, 29 Nov 2016 07:00:18 -0800 (PST)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD9D129C02 for <openpgp@ietf.org>; Tue, 29 Nov 2016 07:00:18 -0800 (PST)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id BE60C603CA; Tue, 29 Nov 2016 15:00:10 +0000 (UTC)
From: Taylor R Campbell <campbell+moderncrypto@mumble.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
In-reply-to: <1480411542920.18425@cs.auckland.ac.nz> (pgut001@cs.auckland.ac.nz)
Date: Tue, 29 Nov 2016 15:00:17 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <20161129150010.BE60C603CA@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/a8TCirLguj6kO2RAG3k3vtK9o9c>
X-Mailman-Approved-At: Mon, 05 Dec 2016 06:31:22 -0800
Cc: messaging@moderncrypto.org, openpgp@ietf.org, Vincent Breitmoser <look@my.amazin.horse>
Subject: Re: [openpgp] [messaging] On Signed-Only Mails
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 15:00:20 -0000

   Date: Tue, 29 Nov 2016 09:25:45 +0000
   From: Peter Gutmann <pgut001@cs.auckland.ac.nz>

   Vincent Breitmoser <look@my.amazin.horse> writes:

   >In some more detail:
   >https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
   >
   >[...] Signed-Only Mails are Useless [...]

   Yup, and it's for exactly the reasons given there that the S/MIME
   WG decided many years ago not to sign messages sent to the list.
   Courts, similarly, rule on the intent of the signer, not some
   attached bag of bits (see e.g. Steven Mason's excellent "Electronic
   Signatures in Law").  So while I wouldn't go so far as to call them
   harmful, I'd agree that they're mostly useless, unless you're using
   one to make some special point.  Even then, if it's for legal
   purposes, a court will look at almost everything but the signature
   when deciding on its effect.

Courts are not the only imaginable threat model for nonrepudiation of
a sender's message[1].

End-to-end authentication is important for preventing forgery of
conversations between two parties, but of the two ways to accomplish
that -- signatures, where anyone can verify, vs authenticators, where
only recipient can verify -- signatures work against the sender's
interest with no benefit over authenticators in the vast majority of
private messages.

Unfortunately, OpenPGP doesn't have public-key authenticators -- nor
authenticated encryption, and likewise S/MIME[2] -- so it's kludged up
by an ad hoc composition of signature and encryption that fails to
bind the sender and recipient, which has long been known to enable the
recipient of a private message to resend it for comic effect or
worse[5].


[1] Rob Graham, `Politifact: Yes we can fact check Kaine's email',
Errata Security blog, 2016-10-23.
http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html

[2] Except perhaps for static-static DH mode described in RFC 2631[3],
but I've never seen evidence that anyone has ever used it in practice,
and have seen evidence of avoiding it[4].

[3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631,
June 1999.
https://www.ietf.org/rfc/rfc2630.txt

[4] `The following features are lower in priority and are not likely
to be included in version 1.0 [of the Mozilla S/MIME toolkit]: CMS:
Static-static Diffie-Hellman Key Agreement Protocol (SSDH) (RFC2630
12.3.1.1)'
http://www-archive.mozilla.org/projects/security/pki/nss/smime/
[retrieved 2016-11-29]

[5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML', 2001-05-05.
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html