Fwd: crypto flaw in secure mail standards
David Shaw
dshaw@jabberwocky.com
Mon Jun 25 18:09:01 2001
On Mon, Jun 25, 2001 at 11:21:07AM -0400, Anthony E. Greene wrote:
> On Mon, 25 Jun 2001, David Shaw wrote:
> >After reading the paper, I was thinking about a different way to
> >address the problem: encrypt the clear signature.
>
> But how would that stop Bob from misusing that sig later? Using the
> example of the cancelled deal, Bob could still decrypt the sig and the
> document (if necessary) and send the whole package to Charlie to lead
> Charlie to believe that Alice had canceled the Alice/Charlie deal.
I think I wasn't clear in my email. The hypothetical encrypted sig
would of course contain the key id(s) of who it was signed to in the
signed material. :)
It is similar to Don Davis' suggestion to include a recipient list in
the signed material. The main difference is that I'm suggesting
making it an option for clearsigned documents, and making it possible
to have the sign-to key be different than the encrypt-to key.
David
-- 
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
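The recipient binding discussed in this message (key IDs of the intended recipients placed inside the signed material), shown as an added example that is not part of the original post and is not GnuPG code. Toy textbook RSA stands in for an OpenPGP signature so it runs offline; the key IDs, the `signed_to` field and all function names are constructed for illustration.

```python
import hashlib
import json

# Toy textbook RSA (fixed Mersenne primes, no padding): a stand-in for a real
# OpenPGP signature so the example runs offline. Never use this for real keys.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def _signed_bytes(body: str, signed_to: list) -> bytes:
    # Recipient key IDs are serialized together with the body, so they are
    # covered by the signature and cannot be stripped or swapped afterwards.
    return json.dumps({"signed_to": sorted(signed_to), "body": body},
                      sort_keys=True).encode()

def sign(body: str, signed_to: list) -> dict:
    sig = pow(_digest(_signed_bytes(body, signed_to)), D, N)
    return {"body": body, "signed_to": sorted(signed_to), "sig": sig}

def verify(msg: dict, my_key_id: str) -> tuple:
    """Return (ok, reason) as seen by the holder of my_key_id."""
    expected = _digest(_signed_bytes(msg["body"], msg["signed_to"]))
    if pow(msg["sig"], E, N) != expected:
        return False, "bad signature"
    if my_key_id not in msg["signed_to"]:
        return False, "valid signature, but not signed to this key"
    return True, "good signature, addressed to this key"

# Constructed key IDs for Bob and Charlie (assumptions, not real keys).
BOB, CHARLIE = "0xB0B00001", "0xC4A70002"

def demo() -> tuple:
    msg = sign("The deal is cancelled.", [BOB])
    at_bob = verify(msg, BOB)
    # The same signed package, passed on unchanged, checked by Charlie.
    at_charlie = verify(msg, CHARLIE)
    # Recipient list rewritten after signing: the signature no longer matches.
    altered = dict(msg, signed_to=[CHARLIE])
    at_charlie_altered = verify(altered, CHARLIE)
    return at_bob, at_charlie, at_charlie_altered

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check only helps if the verifier refuses, or at least flags, a valid signature whose `signed_to` list does not contain its own key ID.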