Where I have a difference is in the I love you example. Clearly you could send the unsealed data (plaintext, whatever) to someone else and end up in trouble, but the reasonable thing to do would be to send the document sealed by the original sender, as you received it, same as when you forward an e-mail the headers are on top indicating it does not come from you, so the example is, I think, a bit contrived and inapplicable.

To turn the "I love you" example into an attack, consider this: Alice sends Bob a message saying "Remember, you need to deliver the product at midnight." Bob, who doesn't want responsibility for delivering the product, cuts and pastes Alice's message and sends it on to Charlie, forging it as being from Alice. Charlie receives a message that seems to be from Alice, has a meaningful message, and has a valid signature from a trusted key. Charlie delivers the product at midnight. The next day Alice sees the product was delivered, and sends Bob a message saying "Thank you for delivering the product, the check is in the mail."

Presto, Bob gets paid for Charlie's work.

Yes, attacks like these have been spotted in the wild. Schneier's blog covered one of them recently, an outfit that used attacks like these in connection with long distance trucking companies. Fascinating work, really.



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
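The forwarding attack described in the message above, shown as an added example that is not part of the original thread: a signature over the body alone still verifies after Bob re-addresses the message to Charlie, while binding the sender and intended recipient into the signed data makes the forwarded copy fail. An HMAC with a constructed key stands in for Alice's OpenPGP signature so the script runs offline; the names and message envelope are constructed for illustration.

```python
import hmac
import hashlib

# Constructed stand-in for Alice's signing key (an HMAC key, not an OpenPGP key).
ALICE_KEY = b"alice-signing-key-constructed-for-example"


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), tag)


def naive_sign(sender: str, recipient: str, body: str) -> dict:
    """Sign only the body: the To: header is outside the signature."""
    return {"from": sender, "to": recipient, "body": body,
            "sig": sign(ALICE_KEY, body.encode())}


def naive_verify(msg: dict) -> bool:
    return verify(ALICE_KEY, msg["body"].encode(), msg["sig"])


def bound_sign(sender: str, recipient: str, body: str) -> dict:
    """Mitigation: sender and intended recipient are part of the signed data."""
    signed = f"From: {sender}\nTo: {recipient}\n\n{body}".encode()
    return {"from": sender, "to": recipient, "body": body,
            "sig": sign(ALICE_KEY, signed)}


def bound_verify(msg: dict, me: str) -> bool:
    """Recipient checks both that the message names them and that the signature covers that."""
    signed = f"From: {msg['from']}\nTo: {msg['to']}\n\n{msg['body']}".encode()
    return msg["to"] == me and verify(ALICE_KEY, signed, msg["sig"])


def forward(msg: dict, new_recipient: str) -> dict:
    """Bob's move: body and signature pasted unchanged into a new envelope."""
    return {**msg, "to": new_recipient}


def demo() -> dict:
    body = "Remember, you need to deliver the product at midnight."
    naive, bound = naive_sign("alice", "bob", body), bound_sign("alice", "bob", body)
    return {
        "naive_original": naive_verify(naive),                            # True
        "naive_forwarded": naive_verify(forward(naive, "charlie")),       # True: attack works
        "bound_original": bound_verify(bound, "bob"),                     # True
        "bound_forwarded": bound_verify(forward(bound, "charlie"), "charlie"),  # False
    }
```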
