Re: isolating the signature from encrypted data (was: sign encrypted emails)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Monday 6 January 2014 at 2:24:10 AM, in mid:7677715.1slnlpw...@inno.berlin.laging.de, Hauke Laging wrote: That is correct. I am not aware of a possibility to get the data and the signature from GnuPG. But that doesn't mean it's not possible. I think the thread you linked to [1] says it is possible using GnuPG's --show-session-key and --override-session-key options. And at the end of the thread, Werner says PGP/MIME signs and encrypts using separate MIME containers, which makes it easy to strip off the encryption layer. [1] http://lists.gnupg.org/pipermail/gnupg-users/2004-April/022352.html Use both ways (one step, two steps) to sign and encrypt a file and have a look at the result with gpg --list-packets. I did. Gpg --list-packets output starts the same. But to get all of the info on the two-step signed then encrypted, I have to run gpg - --list-packets again on the signed but not encrypted file to get the info about the signature. I also tried pgpdump, which gives the same information for the one step and the two step files. It appears to be a different (and smaller) set of information than gpg --list-packets generates. - -- Best regards MFPAmailto:expires2...@ymail.com Live your life as though every day it was your last. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlLMgwBXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pdTEEAIb9+tybdukWQQ5H68PnHeZulGIfsceOqSiH qssiSBuEKlthqEA+MsiksuweZ3E+uo0n7N4IGtQGV8YMJsv7JhmuvquxF8kg8fhz DwaaTZ/HrPT0Owf/0VszEM6+jgC5A+GseW3agdRXHmZjoQNVyixoT9s+0rhlYOUs GVhZMMd/ =s8a/ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 06/01/14 01:51, Hauke Laging wrote: Let me guess: Modifying the mail client so that it automatically removes the word not would be illegitimate because for some strange reason that would be solving social problems by technical means... I guess it boils down to the point that I just don't see a use case. I believe there are two scenario's you're treating: - You wish to give significance to a mail being encrypted; this, for you, changes the context of the contents. I disagree; I'd rather see it context-free and unambiguous[1]. - You wish to catch noobs in the act when they forget to encrypt. I think secure communications with noobs is impossible, so it doesn't help to plug a single hole in the sieve[2]. The result is that I see no application for what you describe. At to that the fact I find it a rather ugly kludge to sign a single message twice instead of keeping all authenticated data inside the one signature, and you've lost me. So I guess this discussion is indeed pretty much done. HTH, Peter. [1] Hmmm, maybe we should define a formal e-mail language ;) [2] I'm using noobs rather broadly here, since I think it takes a lot of attention and rigour to secure communications. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 05/01/14 04:38, Hauke Laging wrote: You are aware that is doesn't make any sense to make this claim without any argument after the opposite has been claimed with an argument (a very strong one)? Eh? You yourself start this whole discussion by making the point that it is, as things are now, unreliable to act differently depending on whether encryption is applied to the message or not. That is precisely the whole strong argument why people say: you just shouldn't act differently depending on whether encryption is applied to the message or not. I really do not understand one bit why you now say this is a claim without any argument, I'm quite surprised. Unless you read without any argument as this is a thing we agree on, but that requires bending the sentence beyond breaking point ;). I agree with Robert, you're trying to solve a social problem with a technical solution. HTH, Peter. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am So 05.01.2014, 10:35:44 schrieb Peter Lebbing: On 05/01/14 04:38, Hauke Laging wrote: You are aware that is doesn't make any sense to make this claim without any argument after the opposite has been claimed with an argument (a very strong one)? Eh? You yourself start this whole discussion by making the point that it is, as things are now, unreliable to act differently depending on whether encryption is applied to the message or not. There are two different meanings of whether encryption is applied which we must tell apart here: 1) The message arrives encrypted. 2) You know that the message has been sent encrypted. (1) follows from (2) but not the other way round. What I say is: a) It makes sense to act differently depending on (2). b) It does not make much sense to act differently depending on (1). Do you agree on (a) and (b)? Today you hardly ever have (2). That's what I want to change. I really do not understand one bit why you now say this is a claim without any argument, I'm quite surprised. I replied to: One should certainly not act differently depending on the encryption of a message. Maybe there is a misunderstanding (maybe even between the one I replied to and the one he replied to). In an earlier mail I have explained (a). It seemed to me that he said (a) was wrong without giving any reason for that claim. Maybe he meant (b) but that would not have anything to do with the discussion I started as (b) is the reason for me starting it. I agree with Robert, you're trying to solve a social problem with a technical solution. In my understanding this term refers to problems which are better solved socially than technically. But that simply isn't the case here. Why should I write I will encrypt this message to 0x12345678 in every mail which is boring, easily forgotten and error-prone if the problem can *easily* be solved technically with much better results? Why should people prefer to have to change their behaviour (social solution) over not having to change their behaviour if the second option delivers better results with less effort? There has been an argument of the kind: There is another solution to the problem than yours. OK. But that's not the point. The point is: Which is better? This is about technical guarantees. How can a social approach ever be better than a technical one in that area? GnuPG doesn't teach people to create huge keys it prevents it technically. Solving a social problem with a technical solution? And if so: Is that a problem? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 05/01/14 11:15, Hauke Laging wrote: Why should I write I will encrypt this message to 0x12345678 in every mail which is boring, easily forgotten and error-prone if the problem can *easily* be solved technically with much better results? Don't write I will encrypt this message[1] in every mail hoping that the recipient deduces that you want to do secret stuff, and leaving them to deduce from the absence of that message that you want to do the regular stuff. Hoping that other people will infer meaning from things that are totally not apparent, /that/ is error-prone. If someone writes me a signed statement see me tomorrow, I will show up. I will not come carrying my highly volatile nuclear concoction just because the message is encrypted. You should feel confident a signed statement is coming from the person who signed it. You can't deduce very much at all from the message arriving encrypted, I think. When the message arrives /unencrypted/ and contains confidential stuff, you could show up with a clue-bat and say Dude, not cool, not cool, because it was obviously (within reason) sent unencrypted. But it being encrypted means nothing. The social solution is not include some statement each and every time but don't deduce anything from it being encrypted. It's not a burden, it's a change of expectation. If you want to convey something to someone, just say so. Don't say see me tomorrow, but say I want to discuss X tomorrow with you, be sure to bring Y. HTH, Peter. [1] By the way, your statement might not even be true; how often have you written See the attachment and then forgetting to attach the file? I have done it countless times. - -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
I agree with Robert, you're trying to solve a social problem with a technical solution. More to the point, he's solving the wrong problem and conflating policy with mechanism. GnuPG does not provide policy. Policy is the responsibility of the people using GnuPG. All GnuPG provides is mechanism. Your problem can be solved trivially by establishing a policy of, Encrypted messages must contain a notification within the signed message body of who the message is encrypted for. For many users this sort of policy is a good idea. For the majority of users it's overkill. Why do you want a policy decision to be permanently enshrined in GnuPG's mechanism? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Don't write I will encrypt this message[1] in every mail hoping that the recipient deduces that you want to do secret stuff, and leaving them to deduce from the absence of that message that you want to do the regular stuff. Hoping that other people will infer meaning from things that are totally not apparent, /that/ is error-prone. There also seems to be something else at work here: an allergy to rigor. GnuPG is most often used in a slipshod, half-thought-through manner. People don't articulate a security model, much less establish a plan to mitigate those threats, much less negotiate a policy with their correspondents to mitigate threats held in common. Sometime watch the movie _Crimson Tide_. It's a good action film and the central premise revolves around a message that violates policy. A nuclear ballistic missile submarine is given a legitimate order to launch missiles at a Russian city. While preparing to launch, the submarine receives a second message telling them to abort the launch -- but due to forces beyond their control that message is received only as a fragment. The captain refers to the policy: Any message that does not fully conform to the policy must be completely disregarded. The captain insists on launching, since the last policy-conformant message was a launch order. The executive officer insists, We received an abort signal; at the very least we need to delay the launch until we can confirm it. The executive officer insists on deviating from policy. I cannot think of the last time I saw a Hollywood blockbuster that was built around what is, at its heart, a very technical question about how high-security communications operate. It's worth viewing. The short version is -- if you don't have a policy established, you're not going to be using GnuPG to provide its fullest amount of communications security. That policy also needs to tell people how to handle messages that don't conform to policy. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am So 05.01.2014, 10:15:51 schrieb Robert J. Hansen: Your problem can be solved trivially by establishing a policy of, Encrypted messages must contain a notification within the signed message body of who the message is encrypted for. That is neither trivial nor reliable nor the best approach to deliver this information. For many users this sort of policy is a good idea. For the majority of users it's overkill. Like verifying fingerprints? 8-) Why do you want a policy decision to be permanently enshrined in GnuPG's mechanism? As I said in my first mail in this thread this isn't about changing GnuPG at all because a) this problem is one level above GnuPG b) GnuPG already has all the capabilities necessary to do this. As I also said the reason why I have asked this here is the availability of people who can make useful comments on that (and are probably interested in such general discussions). Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
That is neither trivial nor reliable nor the best approach to deliver this information. It is a trivial fix; whether it is reliable depends on how committed participants are towards enforcing policy. As I said in my first mail in this thread this isn't about changing GnuPG at all because Then why are we talking about this? As I also said the reason why I have asked this here is the availability of people who can make useful comments on that (and are probably interested in such general discussions). You are receiving useful comments. You are choosing to disregard them. :) signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Sunday 05 January 2014 14:04:49 Peter Lebbing wrote: [1] By the way, your statement might not even be true; how often have you written See the attachment and then forgetting to attach the file? I have done it countless times. I bet Hauke never forgot to attach the file because he is using KMail which warns him about this. Recent Thunderbirds also shows such a warning. (I suppose this also counts as technical solution for a social problem. ;-) If one always attached the file the second one wrote See the attachment, then one'd never forget to attach it and the technical solution wouldn't be necessary.) Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Sat, Jan 04, 2014 at 10:28:26PM +0100, Johannes Zarl wrote: On Saturday 04 January 2014 16:09:51 Leo Gaspard wrote: On Fri, Jan 03, 2014 at 07:31:29PM -0500, Daniel Kahn Gillmor wrote: In your example, the fact that a message was encrypted makes the recipient treat it as though the sender had indicated something specific about the message because it was encrypted. This is bad policy, since there is no indication that the sender encrypted the message themselves, or even knew that the message was encrypted. Which is exactly the reason for which Hauke proposed to sign the encrypted message in addition to signing the cleartext message, is it not? Wouldn't one have to encrypt the signed-encrypted-signed message again to prevent an attacker from stripping away the outer signature? What would the recipient then do with the simple signed-encrypted message? Well, the idea would be that the receiving program would check there *is* an additional signature, and refuse it if not. Nevertheless, adding a second layer of encryption would help, both in avoiding this threat with less requirements on the receiving program, and in avoiding the metadata-analysis and irrevocability threat. Less requirements, as the receiving program merely has to run decrypt-and-check twice, not having to check it actually has two levels of signature, as any absence of the second level would be detected by a failed second check. Avoiding metadata analysis, as encrypting the second signature forbids an attacker to grab a message and have an undeniable proof that Alice sent an encrypted message to Bob, even without Bob's help. Sure, there might be other ways: add a message stating to which key the message is encrypted, etc. But this one has the advantage of requiring AFAICT no alteration to the standard, and of being easily automated, for humans are quite poor at remembering to always state to which key they encrypt. Anyway, wouldn't you react differently depending on whether a message was encrypted to your offline key or unencrypted? One should certainly not act differently depending on the encryption of a message. Maybe with the one exception of timeliness: If a message is encrypted, you'll probably be ok with me reading the mail when I'm at my home computer. If a message is encrypted to my offline key, you'll be prepared to wait for a month or so (many people have their offline-key in a safe deposit box). Of course this opens way to subtle timing attacks (delaying reading a message until it is no longer relevant), but these subtle attacks can be done using simpler means (holding the message in transit). Well... I, personally, would attach more importance (no more validity, just importance, like in listen to me very well or whatever english people say to others to get them to listen carefully) to a message signed to an offline main key that might wait for a month than to a message sent in cleartext. For I would assume the sender designed his message to be important enough to make me move to my safe deposit box so as to read it. Of course, without encryption-checking, this assumption is wrong, and this is emphasized in one of my previous messages on this thread, with the We got to talk tomorrow taking importance for the receiver that is unexpected to the sender, thus leading to a security flaw. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Sunday 05 January 2014 03:10:48 Leo Gaspard wrote: Well... I, personally, would attach more importance (no more validity, just importance, like in listen to me very well or whatever english people say to others to get them to listen carefully) to a message signed to an offline main key that might wait for a month than to a message sent in cleartext. For I would assume the sender designed his message to be important enough to make me move to my safe deposit box so as to read it. In my feeling this is a rather subjective (to the sender) thing: some people encrypt *every* message no matter how trivial. Other people only encrypt those messages that match some rather specific criteria. Both kinds of people have good reasons for their behaviour. That's the reason why I don't attach an intrinsic importance or anything else to the fact that a message is encrypted. I can see your reasoning behind that message feels more important, and I'm quite sure that many people feel that way. It's just that it went away for me some time after receiving the n'th encrypted grocery list. Of course, without encryption-checking, this assumption is wrong, and this is emphasized in one of my previous messages on this thread, with the We got to talk tomorrow taking importance for the receiver that is unexpected to the sender, thus leading to a security flaw. Yeah. That's definitely what I meant when I said that one should not act differently. Though if you want a really fancy policy you could require non-encrypted messages to be discarded and use the signed-but-not-encrypted communications for counter-intelligence. *g* (Yes, I know the flaw here is not-so-subtle...) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 01/05/2014 08:07 AM, Hauke Laging wrote: | Am So 05.01.2014, 10:15:51 schrieb Robert J. Hansen: | | Your problem can be solved trivially by establishing a policy of, | Encrypted messages must contain a notification within the signed | message body of who the message is encrypted for. | | That is neither trivial nor reliable nor the best approach to deliver | this information. It can be both trivial and reliable, simply place the following in your .signature file: I will not encrypt this message before sending. On those occasions when you do encrypt, remove the word not. Now your (reasonable) objection is likely to be, But what if the sender forgets to remove the word 'not'? Well in that case we're right back to where we started, you cannot solve problems of bad operational practices with technology. No matter how fool-proof you make the tech, the universe will come along with a better fool. Doug -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBCAAGBQJSyfunAAoJEFzGhvEaGryEQR4H+gK3ZfMpugnnHMtiRclDsWID isMMuTzal57Zze7R0QbJE6hc7AEXdefr8hMDLUbbKgNO6SUspd8Yu8LAjxBSJla+ HW1xAh49M3yBLYgyJtfZhJAE39Ttsmpcdg2A2X7Z1xBiPsZXH7fbJqXEpOhjM0z1 BuBLZUZ7/Ama6DzcRavEoa/jLymCeaCRGSp765Z70qWrF4ZnsfAdRGXPTyQAsgeH OKRAzje5fUbLk5W4sbgiuJVJ9D7ORuvB3mUlimA1oqV6F3G+giTHR4eyzhzGiqsM YpslkIzy06X8fFpiB00qigw9wjdrtQUqk8xG6iC6D7CIjXspmEnyvriIfUGS8xA= =LjnW -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am So 05.01.2014, 16:41:11 schrieb Doug Barton: It can be both trivial and reliable, simply place the following in your .signature file: I will not encrypt this message before sending. On those occasions when you do encrypt, remove the word not. Let me guess: Modifying the mail client so that it automatically removes the word not would be illegitimate because for some strange reason that would be solving social problems by technical means... -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Let me guess: Modifying the mail client so that it automatically removes the word not would be illegitimate because for some strange reason that would be solving social problems by technical means... Hauke, at this point you've advocated your idea -- strongly -- and you've received a general response that is not favorable. Now, no one is saying you need to give up on this idea: but if you want to pursue this idea, you're going to need to implement it yourself. The best way to prove us wrong is to write a patch that will implement your idea. Reality is the ultimate test of all new ideas; make it real, put it out there, and let the marketplace of ideas choose. But for now, I don't think you're persuading anyone into implementing this for you. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 3 January 2014 at 10:28:28 AM, in mid:2002014.1ckrbwp...@inno.berlin.laging.de, Hauke Laging wrote: MFPA: Again, this would be flagged up if the sender was in the habit of signing outgoing messages (as you stated). No, it wouldn't. The reason is that the signature is created the same way in the two cases encrypted and non-encrypted. Thus you can apply encryption later with the recipient having no chance at all to determine who encrypted. Most signed and encrypted messages created with PGP or GnuPG have the two processes applied together - you do not normally decrypt a message and then see a signed message as the output. An exception is signed and encrypted messages created in the Hushmail web interface. - -- Best regards MFPAmailto:expires2...@ymail.com Confusion is always the most honest response -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlLKC0pXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5p50IEAKcL07PhoNvgH52ulIc+5ZPbo3dm1MH1a8aK nrecrH7gdIkNgriytz7bgOyK5TWmmar2c0LdDqWN5qw+iq/BdcUpokwd2fZC3ckQ z9cJe4BWBwKaTXYMSc1DTeoHage0Awuuv8E3P6cpFm0C6hiyQATbZw3kH0U4XfXj mxykuAU+ =F7H3 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: isolating the signature from encrypted data (was: sign encrypted emails)
Am Mo 06.01.2014, 01:47:39 schrieb MFPA: Most signed and encrypted messages created with PGP or GnuPG have the two processes applied together - you do not normally decrypt a message and then see a signed message as the output. That is correct. I am not aware of a possibility to get the data and the signature from GnuPG. But that doesn't mean it's not possible. AFAIK there is no difference in the signature in both cases. So it should be easy to patch GnuPG in order to get this data (if there isn't another OpenPGP implementation which offers this action). Use both ways (one step, two steps) to sign and encrypt a file and have a look at the result with gpg --list-packets. http://lists.gnupg.org/pipermail/gnupg-users/2004-April/022352.html Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Fri, Jan 03, 2014 at 07:31:29PM -0500, Daniel Kahn Gillmor wrote: On 01/03/2014 06:56 PM, Leo Gaspard wrote: On Fri, Jan 03, 2014 at 12:50:47PM -0500, Daniel Kahn Gillmor wrote: On 01/03/2014 08:12 AM, Leo Gaspard wrote: So changing the encryption could break an opsec. If someone's opsec is based on the question of whether a message was encrypted or not, then they've probably got their cart before their horse too. opsec requirements should indicate whether you encrypt, not the other way around. Well... So, where is the flow in my example? This example was designed so that, depending on the level of encryption (and so the importance of the safety of the message according to the sender), the message had different meanings. As you've noticed, the sender cannot verifiably communicate their intent by their choice of encryption key. If the sender wants to communicate their intent in a way that the recipient can verify it, they'll need to sign something. In your example, the fact that a message was encrypted makes the recipient treat it as though the sender had indicated something specific about the message because it was encrypted. This is bad policy, since there is no indication that the sender encrypted the message themselves, or even knew that the message was encrypted. Which is exactly the reason for which Hauke proposed to sign the encrypted message in addition to signing the cleartext message, is it not? Sure, there might be other ways: add a message stating to which key the message is encrypted, etc. But this one has the advantage of requiring AFAICT no alteration to the standard, and of being easily automated, for humans are quite poor at remembering to always state to which key they encrypt. Anyway, wouldn't you react differently depending on whether a message was encrypted to your offline key or unencrypted? Cheers, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Saturday 04 January 2014 16:09:51 Leo Gaspard wrote: On Fri, Jan 03, 2014 at 07:31:29PM -0500, Daniel Kahn Gillmor wrote: In your example, the fact that a message was encrypted makes the recipient treat it as though the sender had indicated something specific about the message because it was encrypted. This is bad policy, since there is no indication that the sender encrypted the message themselves, or even knew that the message was encrypted. Which is exactly the reason for which Hauke proposed to sign the encrypted message in addition to signing the cleartext message, is it not? Wouldn't one have to encrypt the signed-encrypted-signed message again to prevent an attacker from stripping away the outer signature? What would the recipient then do with the simple signed-encrypted message? Sure, there might be other ways: add a message stating to which key the message is encrypted, etc. But this one has the advantage of requiring AFAICT no alteration to the standard, and of being easily automated, for humans are quite poor at remembering to always state to which key they encrypt. Anyway, wouldn't you react differently depending on whether a message was encrypted to your offline key or unencrypted? One should certainly not act differently depending on the encryption of a message. Maybe with the one exception of timeliness: If a message is encrypted, you'll probably be ok with me reading the mail when I'm at my home computer. If a message is encrypted to my offline key, you'll be prepared to wait for a month or so (many people have their offline-key in a safe deposit box). Of course this opens way to subtle timing attacks (delaying reading a message until it is no longer relevant), but these subtle attacks can be done using simpler means (holding the message in transit). Cheers, Johannes ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am Sa 04.01.2014, 22:28:26 schrieb Johannes Zarl: Wouldn't one have to encrypt the signed-encrypted-signed message again to prevent an attacker from stripping away the outer signature? What would the recipient then do with the simple signed-encrypted message? That would be possible for an attacker but not make any sense: If the recipient expects the outer signature (only then this feature is a protection like signing is a protection only if the recipient acts differently on signed vs. non-signed messages) then the attacker is discovered without any advantage. There is another reason for creating this fourth layer: Some people want to hide the metadata (who made the signature). One should certainly not act differently depending on the encryption of a message. You are aware that is doesn't make any sense to make this claim without any argument after the opposite has been claimed with an argument (a very strong one)? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am Fr 03.01.2014, 00:33:51 schrieb Doug Barton: On 01/02/2014 09:35 PM, Hauke Laging wrote: | I just noticed that you can easily be deluded about an email being | encrypted: That you receive an encrypted mail does not mean that it | was sent encrypted. An adversary may encrypt a non-encrypted message | (which he has intercepted) in order to create more trust in the | message for the recipient: If you receive critical information and | are aware that it has not been encrypted then you may react | differently from the case where you are sure that is was encrypted. This threat model doesn't make a lot of sense, except for very naive users who cannot distinguish the importance of a message that is encrypted vs. a message (encrypted or not) which is signed. I am quite sure you have misunderstood something. Sorry if I didn't make myself clear. Do you agree that it is (or, depending on the content, can be) an important information whether a message was encrypted by the sender (and for which key)? How can it make little sense to provide this information? Whether it is more important to encrypt a message or to sign it differs a lot with the content. Thus I do not understand your explanation of importance. This is similar to SSL/TLS without client negotiation: The client knows (or: can know) whether it is encrypting for the right server. But the server cannot know whether the legitimate client has started the connection or an MitM attacker. If the server demands certainty about that then it has to require the use of client certificates. But currently there is (AFAIK) no such thing as an analog for the client certificate in the OpenPGP world. The certificate itself is already there, of course, but it is not yet used in a way providing security for the recipient about the confidentiality of the message. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 FYI, your client has horrible line wrapping. If there is a setting, please change it to 72 columns. On 01/03/2014 12:59 AM, Hauke Laging wrote: | Do you agree that it is (or, depending on the content, can be) an | important information whether a message was encrypted by the sender | (and for which key)? Not particularly, no. The message doesn't get encrypted using the sender's key, although it may be encrypted to the sender's key, along with the recipient's. What advantage does it give to the attacker to encrypt a message via MITM? The likely outcome of doing so would be to reveal that they are intercepting messages, for what benefit? That's a legitimate question, not a snark. You seem to be suggesting that this would provide value to the attacker, if so can you elaborate? | How can it make little sense to provide this information? If the sender cares they can insert a statement in their signed message. I did/did not encrypt this message before sending. Problem solved. | Whether it is more important to encrypt a message or to sign it | differs a lot with the content. Thus I do not understand your | explanation of importance. My argument is that the _only_ thing relevant to message validity is the signature on the message itself. Whether it was encrypted or not should play no role in the recipient's calculation of the validity of the message. | This is similar to SSL/TLS without client negotiation: No, it's not at all. But I don't want to quibble about that, I'm still interested in your description of the importance of the encryption itself, separate from the message and signature. Doug -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBCAAGBQJSxn8pAAoJEFzGhvEaGryEulsH/2u1seI5K62Y0Aa5fKI3SRAD eBc8n62Se7sXw8rOXR+Qp5k191Upg1/Po2mkTSpgPjqc47yeAPaj4pHBAQIiAlgC 1iDdb4RveB3zZeJ4HpVgrRR5ap3S8w+SmnDdbul4evVcnuHnzP7zOFOZ5ZgIVnr8 Aoaei1jaaKal6p6qf5FDOA2c/Ni8pALZ8ZaUDNlDOLMpRS02uKZHUJwpx7eCDuKK wvvk6X7nicetiKdklDX31eoabGuhu0ret3BbAwq6EEXaAD6FnPIuhgHcvLZzz6Tj c0XuJD+UYK67p/rm4EdxUdr57rJ3Kr/hKdTjtBVy/l17LZZoXuROa8KSblwtr2U= =aqFY -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 01/03/2014 01:13 AM, Doug Barton wrote: | My argument is that the_only_ thing relevant to message validity | is the signature on the message itself. Whether it was encrypted or | not should play no role in the recipient's calculation of the | validity of the message. Sorry, that's a little bit stronger than I intended. There are of course cases such as, This is odd, every communication I have ever had with Alice about $SUBJECT previously has been encrypted, but this one is not, I wonder if there is a problem here? But for the common case my point remains the fact that a message is encrypted should not enter into the validity calculation. Doug -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBCAAGBQJSxoAjAAoJEFzGhvEaGryE7GsH/0wItxi1Q8kvHU/0dy0mjRkE jgRl0d8njyWVxhx6SDAbyZoAJ6w+oTHz0fdLRhspwvSuKcvrX4Zs0G3Y9Kr18EJg 39rhpedLCijs/Q5x55V/RZR0Wfs3uNP7V58w4nCgL6pzhwgb2xmOarOn7reEuvn2 xFff4NXPAg6xKZpT/5IkT5Y2K0oD/xu7QIWfZKvYpI482QwkVVmZwv5j6sW2p/lm Wbi9Hh0bnhL46YVSoH6Z/Lh/cnwsfL89F5Xl6YHyzInWJhH2nHsRy6KLzZSOx00q Qv9Zli3bx5PvStujwxJ/iGHPgnYCZn2Qjsc/jAp3gSdItcdj4uDIDQGQucRO7lQ= =8OZQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 1/3/2014 3:33 AM, Doug Barton wrote: This threat model doesn't make a lot of sense, except for very naive users who cannot distinguish the importance of a message that is encrypted vs. a message (encrypted or not) which is signed. I'm going to cautiously disagree. What we call very naive users account for the vast majority of GnuPG users. Unfortunately, that's as far as my disagreement goes. I see what Hauke's getting at, but I disagree that it really amounts to much of a problem, or that his proposed fix would work. The real problem Hauke's discovered is, people generally don't have the educational background to think formally and critically about trust. Which is, well, true -- but that one's a hell of a hard problem to solve. Everything else (including sign-encrypt-sign schemes) amounts to just ways to try to dodge the real issue. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am Fr 03.01.2014, 01:13:13 schrieb Doug Barton: On 01/03/2014 12:59 AM, Hauke Laging wrote: | Do you agree that it is (or, depending on the content, can be) an | important information whether a message was encrypted by the sender | (and for which key)? Not particularly, no. The message doesn't get encrypted using the sender's key, although it may be encrypted to the sender's key, along with the recipient's. That's not what I am talking about. I am talking about the recipient having keys with different security levels. So there are keys I (insecure) and S (secure). By insecure I mean a key like the one which signs this email: Being used on a normal system (i.e. an insecure one; oh no, in a moment Rob will notice that I used secure and insecure again...). If data is so important that it shall not be encrypted for my key I but for my key S only then I want to be sure that it has been encrypted by the sender for S. That the message which arrives at me is encrypted for S does not ensure this. Anyone can encrypt messages for my key. What advantage does it give to the attacker to encrypt a message via MITM? As I said: If a normal user (i.e. one with nearly no security clue at all) starts an email conversation without encryption (or with weak encryption) and I notice that (because the message arrives unchanged) then I will tell the sender to change his behaviour. He will probably to that and the communication becomes secure. It is in the interest of an adversary to prevent the communication from becoming secure. The likely outcome of doing so would be to reveal that they are intercepting messages, In my opinion it is very unlikely that this would be revealed. There are people who like to get everything encrypted and those who prefer to get only important data encrypted. Every serious adversary will know what type his target is. This is more or less a public information. So if somebody wants everything encrypted why should he ever ask or mention that? It is possible, yes. Thanks for encrypting your messages. Who does that? And how many senders unfamiliar with crypto would understand from that that their message has been modified? Maybe a nice feature of their great ISP? Even worse with asking such a sender whether he has used the right recipient key. Probably he will not even understand the problem or misassess the situation. And if the recipient expects only important data to be encrypted then the adversary would encrypt only important data (which may be hard to decide automatically though but who would notice a minute delay under normal circumstances?). And why should the adversary not risk being detected? We encrypt because we assume that there are adversaries. | How can it make little sense to provide this information? If the sender cares they can insert a statement in their signed message. I did/did not encrypt this message before sending. Problem solved. Yes. But why should the sender care? The sender can be sure about doing it right! The recipient is the one who cannot. And why should we bother writing that in every mail if there is a simple automatic solution to it? You cannot even be sure that the information is correct! People make mistakes. My argument is that the _only_ thing relevant to message validity is the signature on the message itself. I do not doubt that in any way but my argument isn't about validity at all. It is about guaranteed confidentiality! That is a big difference. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am Fr 03.01.2014, 10:02:28 schrieb MFPA: OpenPGP's mitigation against this is signing emails, and the web of trust to give assurance who signed. That's exactly why I want signatures. But I do not only want a signature which guarantees the data integrity, I want a(nother) signature which guarantees the (correct) encryption. You mean the recipient has 2 keys, one of which the adversary has compromised? And the adversary intercepts and decrypts mail that is encrypted to the compromised key, then sends it on its way encrypted to the non-compromised key? Yes, that is the more complicated case. Again, this would be flagged up if the sender was in the habit of signing outgoing messages (as you stated). No, it wouldn't. The reason is that the signature is created the same way in the two cases encrypted and non-encrypted. Thus you can apply encryption later with the recipient having no chance at all to determine who encrypted. (this may mean that you sign it twice: once before and once after encryption). Is that better than the usual signing and encryption carried out together? It is better with respect to ensuring the encryption. It has disadvantages, though, otherwise we wouldn't do it the other way round. Proving the authenticity becomes more difficult if there is no signature within the encryption because a third party cannot encrypt the data. You would need to give them the session key. Who is capable of doing that? Furthermore you cannot know whether an encrypted message has been signed within. That may be an advantage in certain situations. You can send an encrypted message anonymously. That is not possible with my proposal (you would have to add a fourth layer... not difficult though). But I do not suggest to make my configuration the default. I just want to be able to use it. Sometimes it's best to send a signed cleartext message, sometimes to send an unsingned encrypted message, sometimes a first signed then encrypted message and I want to stress that sometimes it's best to send a first encrypted then signed (or signed-encrypted- signed) message. Both your examples seem to involve encrypted-only and not signed messages, The problem is the same with signed and unsigned messages. so would be unaffected by introducing additional signature options. I don't understand that statement. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Am Fr 03.01.2014, 04:28:38 schrieb Robert J. Hansen: or that his proposed fix would work. Would you explain how that shall be avoided? You send an email to me. You encrypt it to the key which I want you to encrypt it to. Then you sign the encrypted data. If I receive an email from you which is not encrypted and signed (as the outer layer) then I go on red alert. Like today I might if the message is not encrypted or not signed. How shall THEY create an encrypted-signed message if you have e.g. sent it without encryption? The adversary needs your signing key. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 1/3/2014 4:57 AM, Hauke Laging wrote: Would you explain how that shall be avoided? I already did, in quite clear language. You are trying to solve a social problem (people don't have the background to think formally about trust issues) via technological means (if we just change the way we sign...). ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 03/01/14 10:57, Hauke Laging wrote: If I receive an email from you which is not encrypted and signed (as the outer layer) then I go on red alert. Like today I might if the message is not encrypted or not signed. How do you know the sender doesn't have an unencrypted copy of the message in an easily broken into online backup service? The encryption of one copy of a message doesn't imply the confidentiality of all copies that exist. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Fri, Jan 03, 2014 at 06:21:05AM -0500, Robert J. Hansen wrote: On 1/3/2014 4:57 AM, Hauke Laging wrote: Would you explain how that shall be avoided? I already did, in quite clear language. You are trying to solve a social problem (people don't have the background to think formally about trust issues) via technological means (if we just change the way we sign...). I think the need for such a fix could also be highlighted in the following example. I sign the message Got to talk tomorrow at dawn, then send it to Alice, thinking about the cake for the birthday party, not important so not encrypting it. Bob grabs the message, and sends it encrypted to Alice's highest security key. Alice then thinks it is a really important message, and the matters to discuss are really important. She takes with her the top secret files we are working together on. Bob, knowing the place and date of the meeting, then comes and steals the top secret files. So changing the encryption could break an opsec. I'm not saying it would be useful everyday. But some use cases seem to require it. However, I'm not saying this feature should be included by default, as a fix would be easy (call gpg twice), and I can think of few use cases. BTW, is a timestamp included in the signature? If not, it could lead to similar issues. Cheers, Leo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 01/03/2014 08:12 AM, Leo Gaspard wrote: So changing the encryption could break an opsec. If someone's opsec is based on the question of whether a message was encrypted or not, then they've probably got their cart before their horse too. opsec requirements should indicate whether you encrypt, not the other way around. BTW, is a timestamp included in the signature? If not, it could lead to similar issues. Yes, all OpenPGP signatures generated by standards-compliant tools include a timestamp: https://tools.ietf.org/html/rfc4880#section-5.2.3.4 --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 01/03/2014 12:35 AM, Hauke Laging wrote: From the RfC perspective (PGP/MIME) this should not be a problem; you just need another level of nesting. Maybe the mail clients are not even prepared for reading such messages. That would not surprise me but would not be an argument against one client implementing this as the first one. I am interested in general arguments for and against this. it sounds to me like you might be interested in what the S/MIME community calls triple-wrapping, which is used to provide cryptographic proof-of-origin and attribute-handling for intermediate transport agents: http://www.isode.com/whitepapers/smime-military-messaging.html https://bugzilla.mozilla.org/show_bug.cgi?id=380624 That said, triple-wrapping (or similar approaches) have tradeoffs that we might not want to encourage. For example, they leak metadata about who signed the message to anyone who observes it in transit; this is not the case for the traditional sign-then-encrypt layering. metadata gathering is a fruitful surveillance technique. but at its core, i think the problem you're raising is related to a fundamental (but probably common) misunderstanding: people assume that if something is encrypted to them then that is related to some signal from the message author, even though asymmetric encryption has nothing to do with authenticity or verifiability. I don't think you're going to solve that particular problem by having some e-mails have an extra layer of signature on them. --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
Il 03/01/2014 11:28, Hauke Laging ha scritto: But I do not suggest to make my configuration the default. I just want to be able to use it. Sometimes it's best to send a signed cleartext message, sometimes to send an unsingned encrypted message, sometimes a first signed then encrypted message and I want to stress that sometimes it's best to send a first encrypted then signed (or signed-encrypted- signed) message. I can't come up with a situation where sign, encrypt, sign again w/ *same* key used in the first signature gives more security than first encrypt then sign. So two layers are enough. I (partially) get your point: receiving an encrypted message could mislead an uneducated user... But I doubt someone w/ access to top secret material falls in that category :) BYtE, Diego. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On Fri, Jan 03, 2014 at 12:50:47PM -0500, Daniel Kahn Gillmor wrote: On 01/03/2014 08:12 AM, Leo Gaspard wrote: So changing the encryption could break an opsec. If someone's opsec is based on the question of whether a message was encrypted or not, then they've probably got their cart before their horse too. opsec requirements should indicate whether you encrypt, not the other way around. Well... So, where is the flow in my example? This example was designed so that, depending on the level of encryption (and so the importance of the safety of the message according to the sender), the message had different meanings. Sorry, I can't see yet where I went wrong. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 01/03/2014 06:56 PM, Leo Gaspard wrote: On Fri, Jan 03, 2014 at 12:50:47PM -0500, Daniel Kahn Gillmor wrote: On 01/03/2014 08:12 AM, Leo Gaspard wrote: So changing the encryption could break an opsec. If someone's opsec is based on the question of whether a message was encrypted or not, then they've probably got their cart before their horse too. opsec requirements should indicate whether you encrypt, not the other way around. Well... So, where is the flow in my example? This example was designed so that, depending on the level of encryption (and so the importance of the safety of the message according to the sender), the message had different meanings. As you've noticed, the sender cannot verifiably communicate their intent by their choice of encryption key. If the sender wants to communicate their intent in a way that the recipient can verify it, they'll need to sign something. In your example, the fact that a message was encrypted makes the recipient treat it as though the sender had indicated something specific about the message because it was encrypted. This is bad policy, since there is no indication that the sender encrypted the message themselves, or even knew that the message was encrypted. --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sign encrypted emails
On 01/03/2014 01:28 AM, Robert J. Hansen wrote: On 1/3/2014 3:33 AM, Doug Barton wrote: This threat model doesn't make a lot of sense, except for very naive users who cannot distinguish the importance of a message that is encrypted vs. a message (encrypted or not) which is signed. I'm going to cautiously disagree. What we call very naive users account for the vast majority of GnuPG users. I don't necessarily disagree with you on that. :) Unfortunately, that's as far as my disagreement goes. I see what Hauke's getting at, but I disagree that it really amounts to much of a problem, or that his proposed fix would work. The real problem Hauke's discovered is, people generally don't have the educational background to think formally and critically about trust. Which is, well, true -- but that one's a hell of a hard problem to solve. Everything else (including sign-encrypt-sign schemes) amounts to just ways to try to dodge the real issue. Yes, that is the point I was trying to get across. ... and I did actually suggest a solution to the problem Hauke is (ostensibly) trying to solve. The sender can include a statement in their signed message regarding whether or not they also encrypted it before sending. However I would still argue that doing so would have no real benefit. Thinking further, what *may* be useful would be for the mail client to pop up a message that says something similar to, This message was encrypted, but not signed. No assumptions should be made about the validity of the message itself. In the end however there is no substitute for user education. :-/ Doug ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
sign encrypted emails
Hello, this is not a GnuPG problem. GnuPG is capable of doing what I want. But I am interested in your opinion. I just noticed that you can easily be deluded about an email being encrypted: That you receive an encrypted mail does not mean that it was sent encrypted. An adversary may encrypt a non-encrypted message (which he has intercepted) in order to create more trust in the message for the recipient: If you receive critical information and are aware that it has not been encrypted then you may react differently from the case where you are sure that is was encrypted. Or similar: A message is encrypted to a low security key which has been compromised (unnoticed by the recipient). The adversary decrypts the message ans reencrypts it to a more secure key. This can be detected by asking the sender (which noone would do every time) or by signing the encrypted message (this may mean that you sign it twice: once before and once after encryption). I would like to ask mail client developers to add this feature. But before I would like to hear opinions whether that makes sense. From the RfC perspective (PGP/MIME) this should not be a problem; you just need another level of nesting. Maybe the mail clients are not even prepared for reading such messages. That would not surprise me but would not be an argument against one client implementing this as the first one. I am interested in general arguments for and against this. I have tried to create a test file. Unfortunately I am not sure whether I have done that correctly. I am familiar with checking MIME signatures with gpg directly but creating a message is a different story: http://www.crypto-fuer-alle.de/docs/sign-encrypt-sign/demo.mbox KMail ignores the outer signature layer in its main window but shows the structure correctly in the lower part of the window. That could mean that my file is correct but KMail not prepared to display it correctly. Enigmail tells me that might be a signed message but doesn't show anything. If I encrypt some text manually and paste it as body content in a PGP/MIME mail which gets signed and encrypted then KMail shows all three layers in its main window. This could indicate that KMail is capable of handling three layers but that my test file is incorrect. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users