What is the benefit of signing an encrypted email

Faramir faramir.cl at gmail.com
Wed Jan 12 01:47:44 CET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11-01-2011 17:09, Nicholas Cole wrote:
> On Tue, Jan 11, 2011 at 12:19 PM,  <dan at geer.org> wrote:
>>
>> If one is a purist, then one wants sign>encrypt>sign
>>
>> See http://world.std.com/~dtd/#sign_encrypt
> 
> That is a really interesting paper.  Did the OpenPGP protocol ever
> include a fix for the attack they describe?

  When I was 18 y/o, I went to the university, and we used to sign
a sheet of paper to keep the assistance records. One day, a teacher took
a blank sheet of paper, wrote columns for name, RUT (the unique id
number), and signature. And we all signed it. Then the teacher said:
"well... why did you sign it? there is no title in this paper, it
doesn't say assistance record... now I can write anything I want, and
you already signed it! What if I write 'petition to fire the dean'?"

  Of course the teacher wrote the right title on the sheet, and no harm
was done.

  Why am I telling this here? Because, if Alice sends a signed message
to Bob, she must add "to Bob" at the beginning of the message. It might
be a flaw or not, but IMHO, cryptography can't replace common sense.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
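
The point made in the message above, that a signature covers only the signed text and so the text itself has to name the recipient, shown as an added example that is not part of the original post. It assumes a toy RSA key for Alice, a leading "To: <name>" line as the naming convention, and a third party called Charlie; none of these come from the thread.

```python
import hashlib

# Toy RSA key for Alice, constructed for this example (far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537    # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # Alice's private exponent


def _digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N


def sign(body: bytes) -> int:
    """Alice signs the body. Nothing outside the body is covered."""
    return pow(_digest(body), D, N)


def signature_ok(body: bytes, sig: int) -> bool:
    """Check the signature against Alice's public key (N, E)."""
    return pow(sig, E, N) == _digest(body)


def named_recipient(body: bytes):
    """Return the name on a leading 'To: ' line (assumed convention), else None."""
    first = body.split(b"\n", 1)[0]
    if not first.startswith(b"To: "):
        return None
    return first[4:].strip().decode("utf-8", "replace")


def accept(me: str, body: bytes, sig: int) -> bool:
    """Receiver policy: valid signature AND the signed text names me."""
    return signature_ok(body, sig) and named_recipient(body) == me


# Constructed sample messages.
bare = b"I agree to the terms."
addressed = b"To: Bob\nI agree to the terms."
bare_sig, addressed_sig = sign(bare), sign(addressed)

if __name__ == "__main__":
    # The bare message verifies for whoever ends up holding it.
    print("bare verifies:", signature_ok(bare, bare_sig))
    print("Charlie accepts bare:", accept("Charlie", bare, bare_sig))
    print("Bob accepts addressed:", accept("Bob", addressed, addressed_sig))
    print("Charlie accepts addressed:", accept("Charlie", addressed, addressed_sig))
```

Because the "To:" line is inside the signed body, changing the name invalidates Alice's signature, so the addressed message cannot be passed off as meant for someone else.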


