sign encrypted emails

Hauke Laging mailinglisten at hauke-laging.de
Fri Jan 3 09:59:26 CET 2014


Am Fr 03.01.2014, 00:33:51 schrieb Doug Barton:
> On 01/02/2014 09:35 PM, Hauke Laging wrote:
> | I just noticed that you can easily be deluded about an email being
> | encrypted: That you receive an encrypted mail does not mean that it
> | was sent encrypted. An adversary may encrypt a non-encrypted message
> | (which he has intercepted) in order to create more trust in the
> | message for the recipient: If you receive critical information and
> | are aware that it has not been encrypted then you may react
> | differently from the case where you are sure that is was encrypted.
> 
> This threat model doesn't make a lot of sense, except for very naive
> users who cannot distinguish the importance of a message that is
> encrypted vs. a message (encrypted or not) which is signed.

I am quite sure you have misunderstood something. Sorry if I didn't make 
myself clear.

Do you agree that it is (or, depending on the content, can be) an important 
information whether a message was encrypted by the sender (and for which key)? 
How can it make little sense to provide this information?

Whether it is more important to encrypt a message or to sign it differs a lot 
with the content. Thus I do not understand your explanation of importance.

This is similar to SSL/TLS without client negotiation: The client knows (or: 
can know) whether it is encrypting for the right server. But the server cannot 
know whether the legitimate client has started the connection or an MitM 
attacker. If the server demands certainty about that then it has to require 
the use of client certificates.

But currently there is (AFAIK) no such thing as an analog for the client 
certificate in the OpenPGP world. The certificate itself is already there, of 
course, but it is not yet used in a way providing security for the recipient 
about the confidentiality of the message.


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20140103/809c7378/attachment.sig>


More information about the Gnupg-users mailing list