Re: Recipient-verifiable messages

"David P. Kemp" <dpkemp@missi.ncsc.mil> Fri, 12 April 2002 00:21 UTC

Message-ID: <200204120005.g3C05VL13758@stingray.missi.ncsc.mil>
Date: Thu, 11 Apr 2002 20:06:33 -0400
From: "David P. Kemp" <dpkemp@missi.ncsc.mil>
CC: ietf-openpgp@imc.org
Subject: Re: Recipient-verifiable messages
References: <200204111545.g3BFjdw11622@finney.org> <p0510153cb8dbc0a982fc@[192.168.1.97]>

Jon Callas wrote:
> 
> >David Chaum has a patent on a variation on this idea, and he gave a talk
> >at PGP several years ago in which he advocated that recipient-verifiable
> >signatures are very useful, and in fact ought to be the default for
> >an email encryption system like PGP.  As others in this thread have
> >commented, often you don't want to sign something such that you can
> >be bound by it later, but you do want to assure the recipient that the
> >message is authentic.  Only rarely do you want to make a signature that
> >anyone can read.
> >
> >Unfortunately I think that adding a new flavor of signature would tend
> >to create confusion among users who at best barely understand public
> >key cryptography.  The new kind of signature would have very different
> >security properties and usage scenarios, so it would add additional
> >complexity for people to deal with.
> 
> Could we do something both simple and useful, however?
> 
> For example, if I send a message to Alice, the signature could be made
> safely as a combo of my key and Alice's key. It would not be a
> misrepresentation in Alice's MUA for it to assume I signed it. You'd have
> to be careful in the UI, but I think it could be done. It might be able to
> be extended to multiple recipients, but with two it might be an easy
> hand-wave.


What is the difference between a "recipient-verifiable signature" and
a MAC?

One of the properties of a digital signature mechanism is that it
is computationally infeasible for any entity other than the signer
to find, for any message, a signature value that is valid for that
message.  [HAC, p.23]

Thus it would seem that a "signature" that can't be bound later
to the signer is an oxymoron.  Why not just call it an authentication
code, where it is accepted that anyone who can verify a MAC has
the information necessary to create it?
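The "combo of my key and Alice's key" construction Jon sketches, worked through as the MAC David says it amounts to. This is an added illustration, not code from the thread or from any OpenPGP implementation: a static Diffie-Hellman secret between sender and recipient is hashed into an HMAC key, so the recipient can verify but so can she forge, which is exactly why the tag cannot bind the sender to a third party. The names Bob (the sender) and Carol (an outsider) are assumed, and the DH group is a deliberately tiny toy.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: p = 2**127 - 1 is
# prime but far too small for real use. Any OpenPGP deployment would use a
# standardized group or curve instead.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy DH group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(my_priv, their_pub):
    """MAC key derived from g^(ab) mod p. Both parties reach the same key;
    anyone holding only the two public keys cannot."""
    s = pow(their_pub, my_priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def make_tag(my_priv, their_pub, msg):
    """The 'recipient-verifiable signature': an HMAC under the pair key."""
    return hmac.new(shared_key(my_priv, their_pub), msg, hashlib.sha256).digest()


def verify_tag(my_priv, their_pub, msg, tag):
    return hmac.compare_digest(make_tag(my_priv, their_pub, msg), tag)


def demo(msg=b"meet at noon"):
    """Show who can verify, who cannot, and who can forge."""
    bob_priv, bob_pub = keygen()
    alice_priv, alice_pub = keygen()
    carol_priv, _ = keygen()
    tag = make_tag(bob_priv, alice_pub, msg)  # Bob authenticates msg to Alice
    forged = make_tag(alice_priv, bob_pub, msg)  # Alice makes a tag on her own
    return {
        # Alice recomputes the pair key from her private key and Bob's public key.
        "alice_verifies": verify_tag(alice_priv, bob_pub, msg, tag),
        # Carol has no share of the pair key, so the tag means nothing to her.
        "carol_verifies": verify_tag(carol_priv, bob_pub, msg, tag),
        # Alice's forgery is byte-for-byte the tag Bob would have produced,
        # so the tag cannot later be used to bind Bob as a signer would be.
        "forgery_identical_to_bobs": forged == tag,
    }
```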