What is the benefit of signing an encrypted email

Faramir faramir.cl at gmail.com
Wed Jan 12 01:47:44 CET 2011


On 11-01-2011 17:09, Nicholas Cole wrote:
> On Tue, Jan 11, 2011 at 12:19 PM,  <dan at geer.org> wrote:
>> If one is a purist, then one wants sign>encrypt>sign
>> See http://world.std.com/~dtd/#sign_encrypt
> That is a really interesting paper.  Did the OpenPGP protocol ever
> include a fix for the attack they describe?

  When I was 18 y/o, I went to the university, and we used to sign
a sheet of paper to keep the assistance records. One day, a teacher took
a blank sheet of paper, wrote columns for name, RUT (the unique id
number), and signature. And we all signed it. Then the teacher said:
"Well... why did you sign it? There is no title in this paper, it
doesn't say assistance record... now I can write anything I want, and
you already signed it! What if I write 'petition to fire the dean'?"

  Of course the teacher wrote the right title on the sheet, and no harm
was done.

  Why am I telling this here? Because, if Alice sends a signed message
to Bob, she must add "to Bob" at the beginning of the message. It might
be a flaw or not, but IMHO, cryptography can't replace common sense.

  Best Regards
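
The "to Bob" point above as a receiver-side check, in an added example that is not part of the original post: the recipient's name sits inside the signed text, so a copy that Bob re-encrypts to Charlie either names Bob or fails verification. Assumptions: toy textbook RSA stands in for an OpenPGP signature, the encryption layer is left out because Bob holds the signed plaintext once he decrypts, and all function names and sample messages are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA signature standing in for an OpenPGP signature (assumption:
# Mersenne-prime modulus, no padding; for illustration only, never real use).
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # Alice's private exponent

def digest(body):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % N

def alice_sign(body):
    """Return (body, signature) as Bob sees it after decrypting."""
    return body, pow(digest(body), D, N)

def signature_ok(signed):
    body, sig = signed
    return pow(sig, E, N) == digest(body)

def addressed_to(signed):
    """Recipient named on the first line of the signed body, or None."""
    lines = signed[0].splitlines()
    first = lines[0] if lines else ""
    return first[4:].strip() if first.lower().startswith("to: ") else None

def accept(me, signed):
    """Receiver-side check: valid signature AND the signed text names me."""
    if not signature_ok(signed):
        return "reject: bad signature"
    named = addressed_to(signed)
    if named is None:
        return "warn: signed by Alice, but the signed text names no recipient"
    if named.lower() != me.lower():
        return "reject: signed for %s, not %s" % (named, me)
    return "accept"

if __name__ == "__main__":
    bare = alice_sign("The deal is off.")                  # constructed sample
    addressed = alice_sign("To: Bob\nThe deal is off.")    # constructed sample
    # Bob decrypts, then re-encrypts the still-signed text to Charlie.
    print(accept("Charlie", bare))        # signature verifies; nothing ties it to Bob
    print(accept("Charlie", addressed))   # forwarding is now visible
    print(accept("Bob", addressed))       # intended recipient
    forged = ("To: Charlie\nThe deal is off.", addressed[1])
    print(accept("Charlie", forged))      # editing the name breaks the signature
```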

