Dignature verification problem

Anton Stiglic astiglic@okiok.com
Fri Aug 9 11:27:05 2002


>----- Original Message -----
>From: "Janusz A.Urbanowicz" <alex@bofh.torun.pl>
>To: "David Livingstone" <david.livingstone@unn.ac.uk>
>Cc: <gnupg-users@gnupg.org>
>Sent: Tuesday, April 16, 2002 8:49 AM
>Subject: Re: Dignature verification problem


>David Livingstone wrote/napisał[a]/schrieb:
>> However if I use the --verify command just to verify the signature, it
fails
>> with the error message "verify signatures failed : unexpected data".  Why
is
>> this ?

>You can't verify signature without decrypting the message, the signature is
>within the encrypted part.

It is standard practice in cryptography engineering to sign before you
encrypt,
and not do the opposite (encrypt before you sign).  This "principal" should
be
followed especially if you want the property of non-repudiation.

The thing is that if Alice first encrypts the message under Bob's public
key,
Alice has no control over how Bob's public key was created, and Bob could
later on change his public key in a way that the ciphertext Alice signed
decrypts
to a different message, thus if Alice signs the ciphertext you cannot assume
that Alice has any knowledge of the data she actually signed.

See principal number 1 of Ross Anderson's paper "Robustness principles
for public key protocols"
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/robustness.pdf

--Anton