Fwd: crypto flaw in secure mail standards

David Shaw dshaw@jabberwocky.com
Mon Jun 25 16:23:02 2001



On Sun, Jun 24, 2001 at 10:59:20PM -0500, Don Davis wrote:

> > The suggested fix to make the inner signature somehow tied to the
> > outer encryption layer would indeed fix the problem, but it does
> > create other interesting issues. As things stand now, a signed
> > document does not have any notion of who it was signed for. The
> > suggested fix would change that so a document would essentially be
> > signed "for" somebody. Presumably implementations would keep the
> > ability to sign without tying it to a particular destination key for
> > those cases where signing a document for a particular recipient is not
> > appropriate.
>
> hi, mr. shaw --
>
> actually, my paper only recommends signing a recipient-list,
> when the message is to be encrypted, too. as you point out,
> to force every signed message to include a recipient-list,
> would defeat the purpose of many signed messages.

After reading the paper, I was thinking about a different way to address the problem: encrypt the clear signature. For example, Alice writes "the deal is off" and signs it, so we have a binding from Alice's key to the document. Now, Alice encrypts *just the signature* to Bob, creating an unencrypted and signed document that anyone can read, but only Bob can verify.

Note how this addresses the problem - only Bob can verify the signature, so the message cannot be forwarded to Charlie without making the signature fail. Alice can encrypt the whole message if she desires or leave it clear - either way, the internal signed message is bound to Bob alone.

I like this as it addresses the problem at hand while also allowing for something new: the possibility of an unencrypted signed message, with a signature that can only be verified by certain people. There are other interesting capabilities with this, such as sending a document encrypted to Bob with an internal signed message to Charlie. Bob could read it, but only Charlie could validate the signature.

Any thoughts? I would certainly appreciate a sanity check.

David

-- 
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX. We
don't believe this to be a coincidence." - Jeremy S. Anderson
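The scheme proposed in the message above (sign the text, then encrypt only the signature to the intended reader), worked through as an added example that is not part of the original thread or of GnuPG. It uses Go's standard library, with Ed25519 for the signature and RSA-OAEP for sealing it; both are assumed stand-ins for the PGP signing and encryption keys the message has in mind, and the `Party` type and its methods are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party stands in for one PGP user: an Ed25519 signing key plus an RSA-OAEP
// encryption key (assumed ciphers; the message itself names none).
type Party struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	encPriv  *rsa.PrivateKey
}

// NewParty generates fresh keys for one user.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{SignPub: pub, signPriv: priv, encPriv: k}, nil
}

// SignForRecipient signs msg and encrypts only the 64-byte signature to the
// recipient's key; the text itself is left in the clear for anyone to read.
func (p *Party) SignForRecipient(msg []byte, to *Party) ([]byte, error) {
	sig := ed25519.Sign(p.signPriv, msg)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.encPriv.PublicKey, sig, nil)
}

// VerifySealedSignature decrypts the sealed signature with the caller's own key
// and checks it; anyone else (e.g. a forwardee) cannot decrypt and gets false.
func (p *Party) VerifySealedSignature(msg, sealed []byte, signer ed25519.PublicKey) bool {
	sig, err := rsa.DecryptOAEP(sha256.New(), nil, p.encPriv, sealed, nil)
	if err != nil {
		return false
	}
	return ed25519.Verify(signer, msg, sig)
}
```

One caveat the code makes visible: once Bob has decrypted the sealed signature he holds the bare signature, so the binding to Bob covers the sealed blob as Alice produced it, not anything Bob can reconstruct from the decrypted value.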