Re: secure sign & encrypt
"Michael Young" <mwy-opgp97@the-youngs.org> Sat, 25 May 2002 01:09 UTC
Received: from above.proper.com (mail.imc.org [208.184.76.43]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA23182 for <openpgp-archive@odin.ietf.org>; Fri, 24 May 2002 21:09:45 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g4P0v2V01037 for ietf-openpgp-bks; Fri, 24 May 2002 17:57:02 -0700 (PDT)
Received: from smtprelay8.dc2.adelphia.net (smtprelay8.dc2.adelphia.net [64.8.50.40]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g4P0utL01031 for <ietf-openpgp@imc.org>; Fri, 24 May 2002 17:57:01 -0700 (PDT)
Received: from mwyoung ([24.48.51.230]) by smtprelay8.dc2.adelphia.net (Netscape Messaging Server 4.15) with SMTP id GWN6NI02.5S3 for <ietf-openpgp@imc.org>; Fri, 24 May 2002 20:57:18 -0400
Message-ID: <00dd01c20386$f545f9a0$c23fa8c0@transarc.ibm.com>
From: Michael Young <mwy-opgp97@the-youngs.org>
To: ietf-openpgp@imc.org
References: <1F4F2D8ADFFCD411819300B0D0AA862E29ABF7@csexch.Conceptfr.net>
Subject: Re: secure sign & encrypt
Date: Fri, 24 May 2002 20:56:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To: ietf-openpgp@imc.org Subject: Re: secure sign & encrypt X-Comment: I, too, was hoping that this would die out before the urge to weigh in overwhelmed me, but it hasn't :-). I generally side with Jon, Hal, and Derek here. The intended recipient is only one of many pieces of context that a user might mistakenly believe was included in the signed material. Adding a subpacket to address just this one piece of context doesn't strike me as necessary, particularly since there are very reasonable solutions within the existing framework: notation subpackets; or, layered (encrypt-sign-encrypt) processing. Ultimately the problem is one of user misunderstanding, arguably exacerbated by the user interfaces in specific implementations. Either the users need to be better educated, or the implementations need to do a better job expressing exactly what has been signed (and, perhaps, for naive users, the indirect implications). Neither requires a change to the specification, just to the implementation (of the tool or the user :-). I appreciate Terje's desire to encode context so that it can be checked automatically, and a desire for a convention for doing the encoding, for implementations that want to do so. I would have no objection to publishing a convention for encoding the intended recipients in a notation packet. That wouldn't have to be part of the base RFC. That said, I wouldn't *strenuously* object to this being documented in the base RFC, or even to a new OPTIONAL subpacket. I just don't think it helps enough: it doesn't cover other context; and, it doesn't help for "legacy" messages. Here "legacy" means both old implementations (that don't support the packet) and old V3 signatures (which don't have subpackets at all). A few specific comments on one of Terje's notes: > To word the problem in another way, when Alice send a message to Bob > that is signed and encrypted, Bob should be able to be sure that it > was Alice that encrypted the message. I disagree that this is a fundamental goal -- it is a derived one. The real goal is more likely that Bob wants to know that the message is intended for him. Knowing that Alice encrypted it is neither necessary nor sufficient to meet this real goal. I think this difference is what Derek was getting at when he asked about goals. > Some solutions: > - Teach Bob not to trust PGPs sign & encrypt to know who the sender Perhaps, as a means of teaching Bob: - Warn Bob about the limitations, something like: "The signature does not name you as the recipient. This document may have been forwarded to you by the original recipient. Do not assume that it was intended for you." This may seem verbose, but naive users often have problems with shorthands for complex concepts: "(Invalid)" comes to mind :-). Again, this is the best that you can do for legacy messages, anyway. > - Make PGP use Encrypt, Sign and Encrypt. It's fine to have a particular implementation adopt this layering (or to offer it as an option). It would be very wrong to legislate this particular layering. While users may not understand the implications of particular layerings, implementors clearly should understand, and should be trusted to choose the layering appropriate for their perceived users' needs. You may want a tool that offers encrypt-sign-encrypt (to identify the intended recipient); someone else may want a tool that meets other goals (e.g., anonymity or plausible deniability). Any good tool should make it clear what function it is performing, but that's not a *protocol specification* issue. > - Add fingerprints of recipient keys in signature packets (Requires > a change > in the protocol) Or, - Offer to copy context into the plaintext, or into notations. For example, an MUA might offer to copy the "To", "cc", and "Subject" headers. It could even inject an "X-To-PGP-Key" header to record the key fingerprint/ID for automatic verification by like-minded agents. There's no deep reason that this requires a protocol change. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQA+AwUBPO7hEFMkvpTT8vCGEQL7FgCYtT6tpDktAg76EHnLwzyjBY6qzgCgudgy q/a45lzca9Bqq+m6FmlLlVo= =VplY -----END PGP SIGNATURE-----
- secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Hal Finney
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt vedaal
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt vedaal
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt vedaal
- Re: secure sign & encrypt Jon Callas
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt vedaal
- Re: secure sign & encrypt Derek Atkins
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Hal Finney
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Jon Callas
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt Peter Gutmann
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Matthew Byng-Maddick
- RE: secure sign & encrypt Dominikus Scherkl
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt Derek Atkins
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt David P. Kemp
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt Matthew Byng-Maddick
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Dominikus Scherkl
- RE: secure sign & encrypt Dominikus Scherkl
- Re: secure sign & encrypt disastry
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt disastry
- Re: secure sign & encrypt Derek Atkins
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Derek Atkins
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Derek Atkins
- Re: secure sign & encrypt Derek Atkins
- RE: secure sign & encrypt Terje Braaten
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Peter Gutmann
- Re: secure sign & encrypt Michael Young
- Re: secure sign & encrypt Paul Hoffman / IMC
- RE: secure sign & encrypt Terje Braaten
- Re: secure sign & encrypt Brian M. Carlson
- Re: secure sign & encrypt Jon Callas
- Re: secure sign & encrypt Adrian 'Dagurashibanipal' von Bidder
- RE: secure sign & encrypt john.dlugosz
- RE: secure sign & encrypt Terje Braaten