Re: WG Last Call: draft-ietf-openpgp-formats
Jon Callas <jon@pgp.com> Fri, 26 June 1998 01:06 UTC
Date: Thu, 25 Jun 1998 18:09:37 -0700
To: Adam Back <aba@dcs.ex.ac.uk>
From: Jon Callas <jon@pgp.com>
Subject: Re: WG Last Call: draft-ietf-openpgp-formats
Cc: ietf-open-pgp@imc.org
In-Reply-To: <199806252253.XAA02849@server.eternity.org>

At 11:53 PM 6/25/98 +0100, Adam Back wrote:

> - Gary Howland's attack which can undetectably garble unsigned
>   encrypted messages ... has this been fixed? If not perhaps we
>   could either fix it (include optional? unsigned digest inside
>   message) or have wording added to highlight that unsigned encrypted
>   messages offer little protection against garbling.

As I remember the consensus on this one, garbling is a problem on all messaging systems unless you have a signature or a MAC. Adding in a MAC or digest to an encrypted packet breaks backwards compatibility. I thought the consensus was that with 1.X we would look at adding some form of integrity check, perhaps with a new type of encrypted data packet.

I'm willing to add a note in security considerations. How about something like:

    Please note that encrypting an object but not signing it leaves
    open the possibility that it might have been damaged (by accident
    or attack). If an implementation wants to ensure the integrity of
    a message, it must be signed as well as encrypted.

> - Is it defined that an implementation would keep processing packets
>   until it gets to a terminal packet (terminal packets being literal
>   packets, or the text of a clear signed message)? This is important
>   as it allows super-encryption, and allows encrypted messages to
>   contain clear signed messages (which William Geiger uses) plus it
>   would be useful for experimental combinations people may use.

It is my belief that that is defined. It's implicit that an implementation needs to keep unwrapping an object until it hits bottom, and that since a literal packet could contain a clearsigned message, a literal should be scanned for one. If you think a paragraph needs to be added, let us know.

        Jon

-----
Jon Callas                          jon@pgp.com
CTO, Total Network Security         3965 Freedom Circle
Network Associates, Inc.            Santa Clara, CA 95054
(408) 346-5860
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
              665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)