sign encrypted emails
Hauke Laging
mailinglisten at hauke-laging.de
Fri Jan 3 06:35:28 CET 2014
Hello,
this is not a GnuPG problem. GnuPG is capable of doing what I want. But I am
interested in your opinion.
I just noticed that you can easily be deluded about an email being encrypted:
That you receive an encrypted mail does not mean that it was sent encrypted.
An adversary may encrypt a non-encrypted message (which he has intercepted) in
order to create more trust in the message for the recipient: If you receive
critical information and are aware that it has not been encrypted then you may
react differently from the case where you are sure that it was encrypted.
Or similar: A message is encrypted to a low security key which has been
compromised (unnoticed by the recipient). The adversary decrypts the message
and re-encrypts it to a more secure key.
This can be detected by asking the sender (which no one would do every time) or
by signing the encrypted message (this may mean that you sign it twice: once
before and once after encryption).
I would like to ask mail client developers to add this feature. But before I
would like to hear opinions whether that makes sense.
From the RfC perspective (PGP/MIME) this should not be a problem; you just
need another level of nesting. Maybe the mail clients are not even prepared
for reading such messages. That would not surprise me but would not be an
argument against one client implementing this as the first one. I am
interested in general arguments for and against this.
I have tried to create a test file. Unfortunately I am not sure whether I have
done that correctly. I am familiar with checking MIME signatures with gpg
directly but creating a message is a different story:
http://www.crypto-fuer-alle.de/docs/sign-encrypt-sign/demo.mbox
KMail ignores the outer signature layer in its main window but shows the
structure correctly in the lower part of the window. That could mean that my
file is correct but KMail is not prepared to display it correctly.
Enigmail tells me that it might be a signed message but doesn't show anything.
If I encrypt some text manually and paste it as body content in a PGP/MIME
mail which gets signed and encrypted then KMail shows all three layers in its
main window. This could indicate that KMail is capable of handling three
layers but that my test file is incorrect.
Hauke
--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
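An added example (not part of the post or of any mail client) showing the extra nesting level discussed above: it builds the RFC 3156 sign-encrypt-sign structure and, on the receiving side, reports which PGP/MIME layers are visible without decrypting, so a client can tell whether the encryption layer itself carries a signature. The ciphertext and signature bodies are constructed placeholders, not gpg output, and the structural check does not replace verifying the outer signature with gpg.

```python
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholders; in a real message these are gpg's armored output.
CIPHERTEXT = b"-----BEGIN PGP MESSAGE-----\n<placeholder>\n-----END PGP MESSAGE-----\n"
SIGNATURE = b"-----BEGIN PGP SIGNATURE-----\n<placeholder>\n-----END PGP SIGNATURE-----\n"

def encrypted_layer(ciphertext):
    """RFC 3156 multipart/encrypted: a version part followed by the ciphertext part."""
    m = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    m.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    m.attach(MIMEApplication(ciphertext, "octet-stream"))
    return m

def signed_layer(inner, signature):
    """RFC 3156 multipart/signed: any MIME entity (here the encrypted layer) plus a detached signature."""
    m = MIMEMultipart("signed", protocol="application/pgp-signature", micalg="pgp-sha256")
    m.attach(inner)
    m.attach(MIMEApplication(signature, "pgp-signature"))
    return m

def pgp_mime_layers(msg):
    """Return the PGP/MIME layers visible without decrypting, outermost first."""
    layers = []
    while msg.is_multipart():
        subtype, proto = msg.get_content_subtype(), msg.get_param("protocol")
        if subtype == "signed" and proto == "application/pgp-signature":
            layers.append("signed")
            msg = msg.get_payload(0)  # first part is the entity the signature covers
        elif subtype == "encrypted" and proto == "application/pgp-encrypted":
            layers.append("encrypted")
            break                     # deeper layers (the inner signature) are inside the ciphertext
        else:
            break
    return layers

def encryption_was_signed(msg):
    """True if a signature layer sits directly outside the encryption layer (structure only)."""
    layers = pgp_mime_layers(msg)
    i = layers.index("encrypted") if "encrypted" in layers else 0
    return i > 0 and layers[i - 1] == "signed"

# Sender signs before and after encrypting: the outer signature is visible, the inner one is not.
SIGN_ENCRYPT_SIGN = email.message_from_string(
    signed_layer(encrypted_layer(CIPHERTEXT), SIGNATURE).as_string())
# A message re-encrypted by a third party without the sender's key has no outer signature.
ENCRYPT_ONLY = email.message_from_string(encrypted_layer(CIPHERTEXT).as_string())
```

Round-tripping through `as_string()` and `message_from_string()` mirrors what a client sees after parsing a received mail.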