Signature semantics

[David Shaw]

On Tue, Nov 04, 2008 at 01:18:23PM -0500, vedaal at hush.com wrote:
> David Shaw dshaw at jabberwocky.com
> wrote on Tue Nov 4 17:58:49 CET 2008 :
> 
> > It is not the place of GPG to modify the plaintext.
> 
> ok
> 
> >GPG should just provide necessary primitives to solve this, 
> >and it does:
> 
> >gpg --sig-notation 
> >"whatever at example.com=I encrypted this to Baker!" 
> >--sign --encrypt  blah.txt
> 
> >The notation will be hashed into the signature and cannot be 
> removed
> >without invalidating the signature.
> 
> ok,
> works nicely,
> but needs a user to be reminded to do it ;-)

Not really GPG's job.  Just like it isn't GPG's job to remind a user
to encrypt in the first place.  I'm all for making the tools that GPG
makes available more capable of handling this case, but an interactive
prompt isn't the way.

> when gnupg decrypts and verifies,
> if there is a delay of more than 1 minute between signing and 
> encrypting,
> then gnupg gives the following 'alert':
> 
> gpg: message is signed and encrypted
> gpg: signature made at time x, encryption made at time y
> gpg: duration between signing and encrypting: time z
> gpg: please verify with sender, also check time of e-mail sending

Also not really GPG's job, but it's not possible in any event.
OpenPGP does not timestamp encryptions.  There are only two timestamps
in an encrypted and signed message and they are the stamp of the
original file, and the stamp of the signature.  Decrypting and
re-encrypting doesn't change them.

> now, even if the attacker goes through the trouble of altering his 
> computer time-clock to the time of the signature and then encrypts,
> there will still be an unmistakable 'suspicious' delay in the e-
> mail sending 

Not at all.  The attacker controls his own clock, so it would just
look like a regular SMTP retransmit.  They happen hundreds of times a
day on any reasonably large mail server.

David