Re: secure sign & encrypt

"Michael Young" <> Sat, 25 May 2002 01:09 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id VAA23182 for <>; Fri, 24 May 2002 21:09:45 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by (8.11.6/8.11.3) id g4P0v2V01037 for ietf-openpgp-bks; Fri, 24 May 2002 17:57:02 -0700 (PDT)
Received: from ( []) by (8.11.6/8.11.3) with ESMTP id g4P0utL01031 for <>; Fri, 24 May 2002 17:57:01 -0700 (PDT)
Received: from mwyoung ([]) by (Netscape Messaging Server 4.15) with SMTP id GWN6NI02.5S3 for <>; Fri, 24 May 2002 20:57:18 -0400
Message-ID: <00dd01c20386$f545f9a0$>
From: "Michael Young" <>
To: <>
References: <>
Subject: Re: secure sign & encrypt
Date: Fri, 24 May 2002 20:56:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>
Content-Transfer-Encoding: 7bit

Hash: SHA1

Subject: Re: secure sign & encrypt
X-Comment: I, too, was hoping that this would die out before
  the urge to weigh in overwhelmed me, but it hasn't :-).

I generally side with Jon, Hal, and Derek here.  The intended
recipient is only one of many pieces of context that a user
might mistakenly believe was included in the signed material.
Adding a subpacket to address just this one piece of context
doesn't strike me as necessary, particularly since there are
very reasonable solutions within the existing framework:
notation subpackets; or, layered (encrypt-sign-encrypt) processing.

Ultimately the problem is one of user misunderstanding, arguably
exacerbated by the user interfaces in specific implementations.
Either the users need to be better educated, or the implementations
need to do a better job expressing exactly what has been signed
(and, perhaps, for naive users, the indirect implications).
Neither requires a change to the specification, just to the
implementation (of the tool or the user :-).

I appreciate Terje's desire to encode context so that it can be
checked automatically, and a desire for a convention for doing the
encoding, for implementations that want to do so.  I would have no
objection to publishing a convention for encoding the intended
recipients in a notation packet.  That wouldn't have to be part of the
base RFC.  That said, I wouldn't *strenuously* object to this being
documented in the base RFC, or even to a new OPTIONAL subpacket.  I
just don't think it helps enough: it doesn't cover other context;
and, it doesn't help for "legacy" messages.  Here "legacy" means
both old implementations (that don't support the packet) and
old V3 signatures (which don't have subpackets at all).

A few specific comments on one of Terje's notes:

> To word the problem in another way, when Alice send a message to Bob
> that is signed and encrypted, Bob should be able to be sure that it
> was Alice that encrypted the message.

I disagree that this is a fundamental goal -- it is a derived one.
The real goal is more likely that Bob wants to know that the message
is intended for him.  Knowing that Alice encrypted it is neither
necessary nor sufficient to meet this real goal.  I think this
difference is what Derek was getting at when he asked about goals.

> Some solutions:
> - Teach Bob not to trust PGPs sign & encrypt to know who the sender

Perhaps, as a means of teaching Bob:
  - Warn Bob about the limitations, something like:
    "The signature does not name you as the recipient.  This document
     may have been forwarded to you by the original recipient.
     Do not assume that it was intended for you."

    This may seem verbose, but naive users often have problems
    with shorthands for complex concepts: "(Invalid)" comes to mind :-).

    Again, this is the best that you can do for legacy messages, anyway.

> - Make PGP use Encrypt, Sign and Encrypt.

It's fine to have a particular implementation adopt this layering (or
to offer it as an option).  It would be very wrong to legislate this
particular layering.  While users may not understand the implications
of particular layerings, implementors clearly should understand, and
should be trusted to choose the layering appropriate for their
perceived users' needs.  You may want a tool that offers
encrypt-sign-encrypt (to identify the intended recipient); someone
else may want a tool that meets other goals (e.g., anonymity or
plausible deniability).  Any good tool should make it clear what
function it is performing, but that's not a *protocol specification*

> - Add fingerprints of recipient keys in signature packets (Requires
> a change
>   in the protocol)

  - Offer to copy context into the plaintext, or into notations.
    For example, an MUA might offer to copy the "To", "cc", and "Subject"
    headers.  It could even inject an "X-To-PGP-Key" header to record the
    key fingerprint/ID for automatic verification by like-minded agents.
    There's no deep reason that this requires a protocol change.

Version: PGP Personal Privacy 6.5.3