small security glitches

Post Carter post.carter at
Fri Mar 2 12:44:40 CET 2012

Thanks for replying again.  Yes, I read Schneier's paper, which is why I am 
confident that even the original attack scenario on a vulnerable implementation
would not apply to the use case I was originally concerned about after seeing 
mention of a "security glitch," namely encrypted local file storage.
After your message, it would seem to me we are in agreement on the state of
the problem.  However, regarding the disputed post below, we seem to be talking
past each other somehow.
The original post and response I was referring to are here:
The respondent says: "Without signing the message, and only encrypting it to
your public key, you have no way to verify who really sent you the message."
This is true of course, but it is not the security vulnerability ("glitch") referred to
in the FAQ and that the original poster was inquiring about.  Choosing not to
use available functionality cannot be used as a basis to find a fault with that
functionality.  (If I don't brush my teeth, it can hardly be called the fault of
Crest that I get cavities.)
The originally mentioned "glitch," which we agree prompted changes in the
OpenPGP spec to create the MDC, was not a vulnerability related to
authentication.  Indeed, it is nonsensical to say that authentication could be
compromised on an unsigned message since no authentication is even
proffered or purported to exist in that case! 
Instead, the "glitch" allowed a potential (and also feasible, per Schneier,
since in practice not all crypto users are so well-versed as to be as
"responsible" as might be hoped) mechanism for an attacker to *modify the
ciphertext message* and *manipulate the recipient* in such a way that *some
or all of the encrypted message can be decrypted* *by the attacker.* 
To me that is clearly an encryption vulnerability and not an authentication
vulnerability.  No?

>> Anyway, my motivation for posting is that there was a question on this in
>> November 2011 and people responded that the reason you had to sign was
>> to authenticate the message sender.  Although that is also true, it is not the
>> point of the warning.  This attack and the "glitch" mentioned in the FAQ are
>> specifically an attack against the ENCRYPTION that results in potential full
>> compromise of the message secrecy.  The defect in the specification, per
>> Schneier, was the lack of any message integrity check when the message is
>> not cryptographically signed, allowing even the most rudimentary tampering
>> to be undetected.
> I believe the original responses you're referring to were correct.  I
> don't think that the paper you cite above suggests otherwise.
> Regards,
>    --dkg  
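Added illustration, not part of the post or of GnuPG: a toy that contrasts an encrypted-but-unsigned message with no integrity check against one carrying an OpenPGP-style MDC (a 20-byte SHA-1 over the plaintext, encrypted along with it). The cipher here is a constructed SHA-256 keystream XOR, standing in for OpenPGP CFB only in that a flipped ciphertext bit flips the same plaintext bit; key, nonce and message are constructed sample values.

```python
import hashlib
import hmac

MDC_LEN = 20  # OpenPGP's MDC is a 20-byte SHA-1 digest appended to the plaintext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream (NOT OpenPGP CFB): SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes, with_mdc: bool) -> bytes:
    # With MDC the integrity hash is computed over the plaintext and encrypted with it.
    body = plaintext + (hashlib.sha1(plaintext).digest() if with_mdc else b"")
    return _xor(body, _keystream(key, nonce, len(body)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, with_mdc: bool) -> bytes:
    body = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    if not with_mdc:
        return body  # no integrity check: modified bytes come back as "valid" plaintext
    plaintext, tag = body[:-MDC_LEN], body[-MDC_LEN:]
    if not hmac.compare_digest(hashlib.sha1(plaintext).digest(), tag):
        raise ValueError("MDC mismatch: ciphertext was modified in transit")
    return plaintext


def flip_bit(ciphertext: bytes, index: int, mask: int) -> bytes:
    """Model the most rudimentary tampering: one XOR on one ciphertext byte."""
    c = bytearray(ciphertext)
    c[index] ^= mask
    return bytes(c)


def demo() -> dict:
    key, nonce = b"constructed-demo-key-do-not-reuse", b"nonce001"
    msg = b"Pay 100 EUR to account A"  # constructed sample plaintext
    # No MDC: the edited ciphertext decrypts without any error being raised.
    garbled = decrypt(key, nonce, flip_bit(encrypt(key, nonce, msg, False), 0, 0x01), False)
    # MDC present: the same one-bit edit is detected and the message rejected.
    ct_mdc = encrypt(key, nonce, msg, True)
    try:
        decrypt(key, nonce, flip_bit(ct_mdc, 0, 0x01), True)
        detected = False
    except ValueError:
        detected = True
    return {"untampered_ok": decrypt(key, nonce, ct_mdc, True) == msg,
            "tamper_accepted_without_mdc": garbled != msg and garbled[1:] == msg[1:],
            "tamper_detected_with_mdc": detected}
```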

More information about the Gnupg-users mailing list