[149222] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (Jon Callas)
Sat Jan 25 21:45:42 2014

X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <52DEF4E0.2070904@dominikschuermann.de>
Date: Sat, 25 Jan 2014 15:43:34 -0800
To: Dominik Schürmann <dominik@dominikschuermann.de>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
	Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 21, 2014, at 2:29 PM, Dominik Schürmann <dominik@dominikschuermann.de> wrote:

> * PGP Signed by an unknown key
>
> Hey,
>
> I am also very much interested in an answer to this question. Just read
> http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html .
>
> Has there been progress from 2001 to today in OpenPGP's standard
> regarding this problem?

What do you mean by "progress"?

Lots of people in the security world wake up one day to a surprise and convince themselves that it's a bug.

Let's call this the same thing we used to -- which is the question of whether a signature should be inside "the envelope" (meaning the encrypted part) or outside the envelope.

As Derek pointed out, the strict syntax of OpenPGP permits either. However, most (all?) software puts the signature inside the envelope. It's likely an option in GnuPG because they're good about implementing all legal syntactic possibilities.

The major reason for a signature inside the envelope is that if the signature is on the outside, it cryptographically states to a passive observer that Alice is talking to Bob. It makes anonymous remailers and other things harder to do or impossible. The reason for putting the signature in the envelope is to reduce the threat of traffic analysis.

PEM put the signature outside the envelope and *only* permitted it outside the envelope. At the time, there were plenty of dark things said about this. Similarly to today and a number of protocols, PEM was looked at as tantamount to insecure by design, and if there was a drawback in anything PEM did, many people considered it an unmitigated, intentional flaw.

There's no single answer here. Either side has plusses and minuses. I think that overall, you want the signature on the inside of the envelope and that has the drawback that you can send a decrypted signed plaintext message to third parties. I view that as a relatively small drawback. There is a difference between a surveillance system and a betrayal. Security can't stop a betrayal.

But -- I do see the other side. I just disagree.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: iso-8859-1

wj8DBQFS5E79sTedWZOD3gYRAgmwAKDhEjsfvYRIhIDaA+2vkFezMtzs6gCbBtMh
7Ed54LJdeHdMeiX1jiJtZFY=
=g1xX
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
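
Added illustration, not part of Jon Callas's message or the list archive: the sketch below walks the top-level packets of two constructed OpenPGP messages, using the RFC 4880 packet layout, to show which key IDs a passive observer can read when the signature is inside versus outside the envelope. The key IDs, packet bodies and helper names (`pkt`, `packets`, `observer_view`) are constructed for the example.

```python
# Added example: key IDs a passive observer can read from the outer packets.
# Packet layouts follow RFC 4880; every key ID and body here is constructed.
PKESK, SIG, ONEPASS, SEIPD = 1, 2, 4, 18  # packet tags

def pkt(tag, body):
    """Build a new-format packet with a one-octet length (body < 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

def packets(data):
    """Yield (tag, body) for each top-level new-format packet."""
    i = 0
    while i < len(data):
        hdr, first = data[i], data[i + 1]
        if hdr & 0xC0 != 0xC0:
            raise ValueError("old-format header not handled in this sketch")
        if first < 192:
            length, i = first, i + 2
        elif first < 224:
            length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        elif first == 255:
            length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:
            raise ValueError("partial body lengths not handled in this sketch")
        yield hdr & 0x3F, data[i:i + length]
        i += length

def observer_view(message):
    """Key IDs readable without holding any secret key."""
    seen = {"recipient": [], "signer": []}
    for tag, body in packets(message):
        if tag == PKESK and body[0] == 3:      # version, 8-byte key ID, ...
            seen["recipient"].append(body[1:9].hex())
        elif tag == ONEPASS and body[0] == 3:  # ver, type, hash, pk algo, key ID
            seen["signer"].append(body[4:12].hex())
    return seen

ALICE = bytes.fromhex("a11ce00000000001")  # constructed signer key ID
BOB = bytes.fromhex("b0b0000000000002")    # constructed recipient key ID
pkesk = pkt(PKESK, b"\x03" + BOB + b"\x01" + b"\x00" * 16)
seipd = pkt(SEIPD, b"\x01" + b"\xee" * 40)  # stand-in ciphertext

# Signature inside the envelope: it lives in the ciphertext, unseen.
inside = pkesk + seipd
# Signature outside: a one-pass signature packet wraps the encrypted message.
outside = (pkt(ONEPASS, b"\x03\x00\x02\x01" + ALICE + b"\x01")
           + pkesk + seipd + pkt(SIG, b"\x04" + b"\x00" * 20))

if __name__ == "__main__":
    print(observer_view(inside), observer_view(outside))
```

In both layouts the recipient's key ID is readable from the public-key encrypted session key packet; only the outside layout also exposes the signer's.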
