*There are valid use cases when the sender does not wish his identity to be revealed* - let alone ascertained with non-repudiation. For example, consider a whistleblower submitting a report.
I didn't think such a question would even come up, so obvious this is.

On Mon, Nov 14, 2016 at 12:44 PM, <[email protected]> wrote:

> I didn't manage to make in time before the issue was closed.
>
> We really don't have to use signing to verify the sender's authenticity. We can use a shared secret for this. This may give us more flexibility at the expense of no automated checks.
>
> But there is a theoretic case when signing is *undesired!*
>
> Two people, Alice and Bob, want to rob a bank. Alice has contacts in the bank and will know in advance when the right time is. So the two decide that Alice will send an encrypted message to Bob when she knows. The message will have a trailing "Dammit! Dammit! Dammit!" string at the end. (this is our shared secret).
>
> Of course Alice doesn't want to sign her message - Bob will verify that's she by the "Dammit! Dammit! Dammit!" phrase, and if there were a signature - it would be going to be shown in court if the message gets decrypted. So, for Alice, the best option is to send an encrypted message with the shared secret appended.
>
> In other words - sending messages without signing them *is a valid security model provided we check the authenticity by other means.* For example by quoting the previous message - this is a valid shared secret!
>
> Of course, the Alice and Bob example is not a real life one, but one can easily deduce a similar case in real life, when one doesn't want to have a signature so that it's never shown in court.

--
Regards,
Mouse
