sign encrypted emails

Sun Jan 5 03:10:48 CET 2014

On Sat, Jan 04, 2014 at 10:28:26PM +0100, Johannes Zarl wrote:
> On Saturday 04 January 2014 16:09:51 Leo Gaspard wrote:
> > On Fri, Jan 03, 2014 at 07:31:29PM -0500, Daniel Kahn Gillmor wrote:
> > > In your example, the fact that a message was encrypted makes the
> > > recipient treat it as though the sender had indicated something specific
> > > about the message because it was encrypted.  This is bad policy, since
> > > there is no indication that the sender encrypted the message themselves,
> > > or even knew that the message was encrypted.
> > 
> > Which is exactly the reason for which Hauke proposed to sign the encrypted
> > message in addition to signing the cleartext message, is it not?
> 
> Wouldn't one have to encrypt the signed-encrypted-signed message again to 
> prevent an attacker from stripping away the outer signature? What would the 
> recipient then do with the simple signed-encrypted message?

Well, the idea would be that the receiving program would check there *is* an
additional signature, and refuse it if not.

Nevertheless, adding a second layer of encryption would help, both in avoiding
this threat with less requirements on the receiving program, and in avoiding the
metadata-analysis and irrevocability threat. Less requirements, as the receiving
program merely has to run decrypt-and-check twice, not having to check it
actually has two levels of signature, as any absence of the second level would
be detected by a failed second check. Avoiding metadata analysis, as encrypting
the second signature forbids an attacker to grab a message and have an
undeniable proof that Alice sent an encrypted message to Bob, even without Bob's
help.

> > Sure, there might be other ways: add a message stating to which key the
> > message is encrypted, etc. But this one has the advantage of requiring
> > AFAICT no alteration to the standard, and of being easily automated, for
> > humans are quite poor at remembering to always state to which key they
> > encrypt.
> > 
> > Anyway, wouldn't you react differently depending on whether a message was
> > encrypted to your offline key or unencrypted?
> 
> One should certainly not act differently depending on the encryption of a 
> message. Maybe with the one exception of timeliness: If a message is 
> encrypted, you'll probably be ok with me reading the mail when I'm at my home 
> computer. If a message is encrypted to my offline key, you'll be prepared to 
> wait for a month or so (many people have their offline-key in a safe deposit 
> box).
> 
> Of course this opens way to subtle timing attacks (delaying reading a message 
> until it is no longer relevant), but these subtle attacks can be done using 
> simpler means (holding the message in transit).

Well... I, personally, would attach more importance (no more validity, just
importance, like in "listen to me very well" or whatever english people say to
others to get them to listen carefully) to a message signed to an offline main
key that might wait for a month than to a message sent in cleartext. For I would
assume the sender designed his message to be important enough to make me move to
my safe deposit box so as to read it.

Of course, without encryption-checking, this assumption is wrong, and this is
emphasized in one of my previous messages on this thread, with the "We got to
talk tomorrow" taking importance for the receiver that is unexpected to the
sender, thus leading to a security flaw.