Date: Tue, 29 Nov 2016 09:25:45 +0000 From: Peter Gutmann <pgut...@cs.auckland.ac.nz>
Vincent Breitmoser <look@my.amazin.horse> writes: >In some more detail: >https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html > >[...] Signed-Only Mails are Useless [...] Yup, and it's for exactly the reasons given there that the S/MIME WG decided many years ago not to sign messages sent to the list. Courts, similarly, rule on the intent of the signer, not some attached bag of bits (see e.g. Steven Mason's excellent "Electronic Signatures in Law"). So while I wouldn't go so far as to call them harmful, I'd agree that they're mostly useless, unless you're using one to make some special point. Even then, if it's for legal purposes, a court will look at almost everything but the signature when deciding on its effect. Courts are not the only imaginable threat model for nonrepudiation of a sender's message[1]. End-to-end authentication is important for preventing forgery of conversations between two parties, but of the two ways to accomplish that -- signatures, where anyone can verify, vs authenticators, where only recipient can verify -- signatures work against the sender's interest with no benefit over authenticators in the vast majority of private messages. Unfortunately, OpenPGP doesn't have public-key authenticators -- nor authenticated encryption, and likewise S/MIME[2] -- so it's kludged up by an ad hoc composition of signature and encryption that fails to bind the sender and recipient, which has long been known to enable the recipient of a private message to resend it for comic effect or worse[5]. [1] Rob Graham, `Politifact: Yes we can fact check Kaine's email', Errata Security blog, 2016-10-23. http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html [2] Except perhaps for static-static DH mode described in RFC 2631[3], but I've never seen evidence that anyone has ever used it in practice, and have seen evidence of avoiding it[4]. [3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631, June 1999. https://www.ietf.org/rfc/rfc2630.txt [4] `The following features are lower in priority and are not likely to be included in version 1.0 [of the Mozilla S/MIME toolkit]: CMS: Static-static Diffie-Hellman Key Agreement Protocol (SSDH) (RFC2630 12.3.1.1)' http://www-archive.mozilla.org/projects/security/pki/nss/smime/ [retrieved 2016-11-29] [5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML', 2001-05-05. http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html _______________________________________________ Messaging mailing list Messaging@moderncrypto.org https://moderncrypto.org/mailman/listinfo/messaging
