GPG support in Mahogany

Janusz A. Urbanowiz alex@syjon.fantastyka.net
Wed Dec 11 11:01:20 2002


On Tue, Dec 10, 2002 at 05:21:01PM +0100, Xavier Nodet wrote:
> On Sun, 8 Dec 2002 18:57:29 +0100 "Janusz A. Urbanowiz" <alex@syjon.fantastyka.net> wrote:
> 
> > On Tue, Dec 10, 2002 at 04:25:26PM +0100, Xavier Nodet wrote:
> >> My understanding is that encryption/signing layers can be arbitrarily
> >> nested.
> 
> > negative
> 
> What if I use several successive commands? For example, I can do this:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Message
> 
> 
> - -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (MingW32) - GPGshell v2.65
> 
> iD8DBQE99g6VFK6OUIeqvjQRAh56AJ994wxN8TLm57ebkvZNyKrlWpvK9ACfUSyJ
> cZsvv4FX/yq1ocDY5aDyiM8=
> =RG1C
> - -----END PGP SIGNATURE-----
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (MingW32) - GPGshell v2.65
> 
> iD8DBQE99g65FK6OUIeqvjQRAjiLAJ0bycg5LrC4vWD2JWoTmqKQQ0BtKgCdHHB7
> OpveXiaqQIfJI7+cv6VKvdc=
> =ygHe
> -----END PGP SIGNATURE-----
> 
> I have signed this message twice. I could have encrypted it between the
> two signatures, no?

yes

but you can't do this to make a message that will be decrypted to the base
plaintext in one pass
 
> >> When a message is multiply signed as above, we should verify that the
> >> signatures have actually been done with the same key: the point in
> >> signing twice is to assert that the signer actually encrypted the
> >> document himself, thus proving that he wanted the recipient to get it
> 
> > this proves nothing at all
> 
> If I receive a signed-then-encrypted message, how can I be sure that the
> originator actually wanted me to receive this message. It may have been
> decrypted by the intended recipient, then re-encrypted using my public
> key.
> On the other hand, if the message is signed-encrypted-signed, the final
> recipient can be sure that the originator actually wanted to send this
> message to him: he signed the fact that he used the recipient's public
> key to encrypt the message. Of course, the originator is no more hidden,
> but this is not necessarily bad.

It is bad on the grounds of the OpenPGP default threat model.

My question is: what do you want to prove (or prevent) with the
sign-encrypt-sign model? What do you do with messages that look like you
aren't the designated recipient, or worse you are visibly not their
designated recipient. Throw them away for they are invalid?

> >> (while, if a message is only signed then encrypted, the recipient could
> >> decrypt it, then forward it re-encrypted to a third person without this
> >> third person noticing that he was not the intended recipient).
> 
> > there is no way/need to multiple encrypt
> 
> I'm speaking about the destinator decrypting first, then re-encrypting
> for a third person.

You want to detect it, prevent it, prove it or what?

Define your threat/trust model first. Analyse similarities and
dissimilarities with PGP threat model. Compare with other analyses (your
approach looks a lot similar to one 'PGP vulnerability' that gets widely
announced every two years or so).

Alex
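
An added example, not part of the original message or of Mahogany's code: a structural sketch of how a mail client could peel the nested cleartext-signature layers shown in the quoted message, undoing the "- " dash-escaping at each level so that each signature block is matched to the text it covers. It does not verify any signature; the function names and the placeholder signature bodies in the sample are constructed for illustration.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def peel_clearsign(text):
    """Split the outermost clearsigned layer into (headers, signed_text, signature).
    Returns None when the text contains no clearsigned message."""
    lines = text.splitlines()
    if BEGIN_SIGNED not in lines:
        return None
    i = lines.index(BEGIN_SIGNED) + 1
    headers = []
    while i < len(lines) and lines[i].strip():   # "Hash:" headers up to the blank line
        headers.append(lines[i])
        i += 1
    i += 1                                        # skip the blank separator
    body = []
    # Signed-text lines that begin with "-" were dash-escaped by the signer, so the
    # first unescaped signature header is the one that closes this layer.
    while i < len(lines) and lines[i] != BEGIN_SIG:
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
        i += 1
    if i >= len(lines) or END_SIG not in lines[i:]:
        raise ValueError("clearsigned layer has no complete signature block")
    end = lines.index(END_SIG, i)
    return headers, "\n".join(body), "\n".join(lines[i:end + 1])

def unwrap_all(text):
    """Peel every clearsign layer; return (signatures outermost-first, innermost text)."""
    signatures = []
    while (layer := peel_clearsign(text)) is not None:
        _, text, sig = layer
        signatures.append(sig)
    return signatures, text

# Constructed sample with the same layout as the doubly signed message above;
# the signature bodies are placeholders, not real OpenPGP data.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Message

- -----BEGIN PGP SIGNATURE-----

INNER-SIGNATURE-PLACEHOLDER
- -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----

OUTER-SIGNATURE-PLACEHOLDER
-----END PGP SIGNATURE-----
"""
```

Each peeled signature still has to be checked by an OpenPGP implementation against its own layer's text; only that check tells which key made which signature.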