Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless

Derek Atkins <derek@ihtfp.com> Thu, 30 May 2002 14:43 UTC

To: Terje Braaten <Terje.Braaten@concept.fr>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless
References: <1F4F2D8ADFFCD411819300B0D0AA862E29ABFD@csexch.Conceptfr.net>
Date: 30 May 2002 10:30:09 -0400
In-Reply-To: <1F4F2D8ADFFCD411819300B0D0AA862E29ABFD@csexch.Conceptfr.net>
Message-ID: <sjmadqhwvwu.fsf@kikki.mit.edu>
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-ID: <ietf-openpgp.imc.org>

Terje Braaten <Terje.Braaten@concept.fr> writes:

> > >> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
> > >>
> > >> with the additional restriction that the encryption mode should be one
> > >> of the MDC modes (ie appended MAC with K outside encryption, or
> > >> appended hash of msg inside encryption).
> 
> What a wonderful solution. Hello everybody, we go ahead and change
> the next version of the protocol to this. Ok?

No.  It is definitely not ok.  This breaks backwards compatibility
with implementations of 2440.

No matter what you do it should be backwards compatible with existing
software.  Current implementations should still be able to read it,
even if they don't understand it.

My two suggestions still remain:

  1) Write up an RFC that defines how to use a notation packet to do
     what you want, where that notation packet is included in the
     signature.  Within that notation you can store the original
     recipients list.

  2) Write up an RFC that defines how to use 2440 packets in ESE mode.
     I'm fairly sure that most of the existing 2440 implementations can
     read an ESE message (at least if they implemented their parser
     recursively like I did in PGP 5).

Either of these solutions solves your problem _AND_ remains
2440-compatible.

-derek
-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com