On 01/02/2014 09:35 PM, Hauke Laging wrote:
| I just noticed that you can easily be deluded about an email being
| encrypted: That you receive an encrypted mail does not mean that it
| was sent encrypted. An adversary may encrypt a non-encrypted message
| (which he has intercepted) in order to create more trust in the
| message for the recipient: If you receive critical information and
| are aware that it has not been encrypted then you may react
| differently from the case where you are sure that it was encrypted.

This threat model doesn't make a lot of sense, except for very naive
users who cannot distinguish the importance of a message that is
encrypted vs. a message (encrypted or not) which is signed. If the user
is not sophisticated enough to place the proper importance on a
signature for the message itself, they are rather unlikely to care
about signatures inside and outside the encryption.

| Or similar: A message is encrypted to a low security key which has
| been compromised (unnoticed by the recipient). The adversary decrypts
| the message and reencrypts it to a more secure key.

This threat model makes no sense at all. It is the recipient's key that
the message is encrypted TO. And again, the recipient should be
verifying the signature on the message itself, and placing the proper
importance on that.

Have I missed some otherwise hidden value to your proposal?

Doug

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
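
Added example, not part of the original message or of GnuPG: a small Python classifier over `gpg --status-fd` output that reports "was encrypted to me" and "was signed by an expected key" as two separate facts, which is the distinction the reply above rests on. The key IDs, the fingerprint and the status lines are constructed sample data, and `classify` and `expected_fprs` are hypothetical names.

```python
# Added example; key IDs, fingerprint and status lines below are constructed.
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
SENDER_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"  # constructed

ENCRYPTED_ONLY = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

SIGNED_AND_ENCRYPTED = ENCRYPTED_ONLY + f"""\
[GNUPG:] GOODSIG 0000111122223333 Constructed Sender <sender@example.org>
[GNUPG:] VALIDSIG {SENDER_FPR} 2014-01-03 1388707200 0 4 0 1 8 00 {SENDER_FPR}
"""

BAD_SIGNATURE = ENCRYPTED_ONLY + """\
[GNUPG:] BADSIG 0000111122223333 Constructed Sender <sender@example.org>
"""


def classify(status_text, expected_fprs):
    """Report encryption and authenticity separately from gpg status lines.

    expected_fprs: fingerprints the recipient has verified out of band.
    """
    decrypted = goodsig = bad = False
    fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ignore anything that is not a status line
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "DECRYPTION_OKAY":
            decrypted = True
        elif keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and args:
            fpr = args[0].upper()
        elif keyword in BAD:
            bad = True  # conservative: one failing signature taints the result
    expected = {f.upper() for f in expected_fprs}
    ok = goodsig and not bad and fpr is not None and fpr in expected
    # Decryption only proves someone used the recipient's public key.
    return {"was_encrypted_to_me": decrypted,
            "authenticated_signer": fpr if ok else None}
```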