IETF Logo Mail Archive

Re: Bug#40394: forwarding an encrypted PGP message is useless

pgut001@cs.auckland.ac.nz (Peter Gutmann) Thu, 11 April 2002 06:32 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA20780 for <openpgp-archive@odin.ietf.org>; Thu, 11 Apr 2002 02:32:52 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g3B6Nko15707 for ietf-openpgp-bks; Wed, 10 Apr 2002 23:23:46 -0700 (PDT)
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g3B6Ngm15681; Wed, 10 Apr 2002 23:23:43 -0700 (PDT)
Received: from ruru.cs.auckland.ac.nz (ruru-nfs.cs.auckland.ac.nz [130.216.35.12]) by hermes.cs.auckland.ac.nz (8.12.2/8.12.2) with ESMTP id g3B6NaXv017048; Thu, 11 Apr 2002 18:23:36 +1200
Received: (from pgut001@localhost) by ruru.cs.auckland.ac.nz (8.9.3/8.8.6/cs-slave) id SAA409290; Thu, 11 Apr 2002 18:23:34 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Date: Thu, 11 Apr 2002 18:23:34 +1200
Message-ID: <200204110623.SAA409290@ruru.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz
To: ietf-822@imc.org, sroberts@uniserve.com
Subject: Re: Bug#40394: forwarding an encrypted PGP message is useless
Cc: ietf-openpgp@imc.org, john.dlugosz@kodak.com, kmail@kde.org, mutz@kde.org, shields@passport.ca
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Sam Roberts <sroberts@uniserve.com> writes:

>S/MIME only uses the signed and enveloped types from CMS, but RFC2630
>specifies authenticated as well. Its not well described there, but it is a
>way of "signing" something using a key agreement algorithm, such that the
>signature can ONLY be verified by using the sender or the receiver's
>private key.

Hmm, are you sure you're not interpreting a bit too much into this
data type?  The intent is to allow MAC'ing of data, and to do that you
need to share a key with the other side, which is why you need a key
exchange to precede it.  One of those happens to be X9.42.  There are
two issues with this:

1. The only implementation which is known to support X9.42 in any
   useful manner is the SFL.
2. There don't seem to be any implementations which support
   authenticatedData, or at least that was the case when I asked on 
   the S/MIME list a while back for someone to do some interop testing 
   with.

(Oh, and the obvious third point: If you're doing a PKC operation for
 the key exchange anyway, you may as well just sign the thing directly.
 At best, you can claim that this gives you a signature capability
 using an encryption-only key).

I've always seen the only real use for this data type as password-
based integrity protection for data you're carrying around, using in
conjunction with passwordRecipientInfo.

>What this gives you is repudiation. If I authenticate something to
>you, you know I authenticated it. But if you forward it somebody
>else, they can't verify the signature, they have no way of knowing
>for sure that I authenticated it, and I can deny it. Even if the
>recipients private key is compromised, they still can't prove
>that *I* authenticated it, since either one of us can create the
>"signature", all they know is one of us made the authenticated data.

Well, only if you use some of the obscure X9.42 options which don't
identify sender and receiver.  The default is to list both, although
there are a pile of optional parameters and with only one known
implementation who knows what will happen in real life.

Peter.

v2.23.0 | Report a Bug | By Email