On 03/27/2014 01:39 PM, Michael Rogers wrote:
> On 27/03/14 14:53, Daniel Kahn Gillmor wrote:
>> For the read-only document-sharing use case, you could stuff the
>> public signing key inside the encrypted body, in addition to the
>> signed cleartext. There's no need for it to be out-of-band except
>> for bandwidth conservation, but a minimal OpenPGP certificate
>> (mainkey+uid+selfsig, or mainkey+uid+selfsig+signingsubkey+selfsig
>> at worst) isn't going to be too terribly large compared to most
>> files.
>
> This would require prior out-of-band delivery of some other public key
> that would sign the key stuffed into the file, right? Otherwise an
> attacker could modify the body, sign it with her own private key, and
> stuff her own public key into the file.
if all you care about is a MAC, then you don't need certification of the
key out-of-band. stuffing any arbitrary signing key in-band with the
message and a signature over it, and having the recipient verify the
signature, will give you the equivalent of a MAC on an unsigned message.
> All I'm really saying here is that OpenPGP isn't the right tool for
> this job because it lacks MACs. It wasn't meant to be an important
> point, just an aside.
There are certainly systems with less legacy cruft that would be nicer
to use if interop with the installed base of OpenPGP users isn't a
development goal.
--dkg
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
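The two verification behaviours the thread contrasts (an in-band key giving only integrity, versus an out-of-band key giving origin authentication) can be seen side by side in a small model. The following is an added example, not code from either poster or from any OpenPGP implementation. It assumes Ed25519 as a stand-in for the OpenPGP signing key, models only the signed bundle that would sit inside the encrypted body (the encryption layer is omitted), and uses constructed seeds so the keys are reproducible offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// InBandMessage models the inner content of the encrypted body from the
// thread: the cleartext, the signing public key stuffed alongside it, and a
// signature over the cleartext made with that key. Ed25519 stands in for an
// OpenPGP signing key here (an assumption of this example, not something the
// thread specifies).
type InBandMessage struct {
	Body   []byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Seal signs body with priv and bundles the matching public key in-band.
func Seal(priv ed25519.PrivateKey, body []byte) InBandMessage {
	return InBandMessage{
		Body:   append([]byte(nil), body...),
		PubKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, body),
	}
}

// VerifyInBand checks the signature using only the key carried inside the
// message. This is the "MAC on an unsigned message" property: it catches a
// body that was altered without re-signing, but it accepts any bundle whose
// key and signature are self-consistent, whoever produced it.
func VerifyInBand(m InBandMessage) bool {
	if len(m.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(m.PubKey, m.Body, m.Sig)
}

// VerifyPinned additionally requires the in-band key to equal a key the
// recipient obtained out-of-band, which is what turns integrity into origin
// authentication.
func VerifyPinned(m InBandMessage, trusted ed25519.PublicKey) bool {
	return bytes.Equal(m.PubKey, trusted) && VerifyInBand(m)
}

// keyFromSeed derives a deterministic key pair from a constructed seed so the
// example is reproducible offline.
func keyFromSeed(label byte) ed25519.PrivateKey {
	seed := bytes.Repeat([]byte{label}, ed25519.SeedSize)
	return ed25519.NewKeyFromSeed(seed)
}

// Scenario runs the three cases discussed in the thread and reports, for each,
// the in-band verification result followed by the pinned-key result.
func Scenario() map[string][2]bool {
	author := keyFromSeed('A')
	attacker := keyFromSeed('X')
	trusted := author.Public().(ed25519.PublicKey)

	genuine := Seal(author, []byte("constructed document text"))

	// Case 1: body altered in transit, key and signature left untouched.
	corrupted := genuine
	corrupted.Body = []byte("constructed document text, altered")

	// Case 2: the substitution described in the thread: a different party
	// re-signs an altered body with her own key and ships that key in-band.
	forged := Seal(attacker, []byte("constructed document text, altered"))

	return map[string][2]bool{
		"genuine":   {VerifyInBand(genuine), VerifyPinned(genuine, trusted)},
		"corrupted": {VerifyInBand(corrupted), VerifyPinned(corrupted, trusted)},
		"forged":    {VerifyInBand(forged), VerifyPinned(forged, trusted)},
	}
}

func main() {
	for name, r := range Scenario() {
		fmt.Printf("%-9s in-band verify=%v  pinned verify=%v\n", name, r[0], r[1])
	}
}
```

The forged case is the one that separates the two positions: it passes `VerifyInBand` (the bundle is self-consistent, so as an integrity check it is indistinguishable from the genuine one) and fails only `VerifyPinned`, which needs the recipient to already hold the author's key, or a key that certifies it, from somewhere outside the file.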
