On 3 December 2016 at 19:13, Trevor Perrin <tr...@trevp.net> wrote:
>
> On Sat, Dec 3, 2016 at 9:48 AM, Daniel McCarney <dan...@binaryparadox.net>
> wrote:
>>
>> On 03/12, Trevor Perrin wrote:
>>>
>>> AFAICT the purpose of signed-only emails in [0] is only to signal OpenPGP
>>> support to recipients, who would look up the sender's public key through
>>> some other mechanism. So the signature doesn't seem important, there?
>>
>> I guess the crux of it is what the signature is over (the message?) and
>> which key is used (the private key corresponding to the published public
>> key?). Are you saying that it could be a throw away signature over a
>> signalling indicator?
>
> If all you need is a signal telling the recipient to encrypt future messages
> with a public key fetched via WKD then the signal could be anything: For
> example, an email header "X-OpenPGP-WKD: True". No signature needed.

I know nothing of WKD, but if your public key is not associated with content I value, why would I trust some random server to give me a correct key?

> Looking at the technical document [1], there seems to be a "fallback method"
> where the signed email signals the recipient to encrypt future messages with
> a public key fetched from PGP key servers.
>
> PGP key servers are not a reliable source of data, since anyone can upload a
> public key for anyone else's name. So there's a reliability risk here:
> Attackers could upload bad PGP keys, causing recipients to get messages they
> can't decrypt.

Exactly.

> So maybe they're thinking that the signature "authenticates" the fetched
> public key. But that's an incorrect use of signatures (e.g. see "duplicate
> signature key selection", [2]). The right solution for that would be to
> include a full key fingerprint in the email (e.g. email header
> "X-OpenPGP-Key: <pubkey fingerprint>").

Agree that there needs to be a strong association between the key and the content.

>
> Trevor
>
>
> [1] https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept
> [2]
> https://www.agwa.name/blog/post/duplicate_signature_key_selection_attack_in_lets_encrypt
>
>
> _______________________________________________
> Messaging mailing list
> Messaging@moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
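
The fingerprint check proposed in the thread, as an added example that is not part of the original messages: a recipient selects among keys fetched from a key server by matching the full fingerprint carried in the email. The `X-OpenPGP-Key` header is the hypothetical header suggested above, and the key packet bodies and addresses are constructed placeholders, not real keys.

```python
import hashlib
import hmac
from email import message_from_string

def v4_fingerprint(packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, 12.2): SHA-1 over 0x99, a
    two-octet big-endian length, then the public-key packet body."""
    prefix = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()

def pinned_fingerprint(raw_email: str):
    """Return the 40-hex-digit fingerprint from X-OpenPGP-Key, or None."""
    value = message_from_string(raw_email).get("X-OpenPGP-Key")
    if value is None:
        return None
    fpr = "".join(value.split()).upper()  # tolerate grouped "ABCD 1234 ..." form
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        return None  # reject short key IDs and malformed values
    return fpr

def select_key(raw_email: str, candidates):
    """Pick the fetched key that matches the pinned fingerprint, else None."""
    pinned = pinned_fingerprint(raw_email)
    if pinned is None:
        return None
    for body in candidates:
        if hmac.compare_digest(v4_fingerprint(body), pinned):
            return body
    return None  # nothing the server returned matches: do not encrypt to any

# Constructed placeholder packet bodies (version 4, timestamp, algorithm id,
# then arbitrary bytes standing in for key material).
def _fake_key(material: bytes) -> bytes:
    return b"\x04" + (1480000000).to_bytes(4, "big") + b"\x16" + material

SENDER_KEY = _fake_key(b"sender-key-material")
UPLOADED_KEY = _fake_key(b"third-party-upload")  # same name, different key
EMAIL = (
    "From: alice@example.org\n"
    f"X-OpenPGP-Key: {v4_fingerprint(SENDER_KEY)}\n"
    "Subject: hello\n\nbody\n"
)

if __name__ == "__main__":
    chosen = select_key(EMAIL, [UPLOADED_KEY, SENDER_KEY])
    print("matched sender key:", chosen == SENDER_KEY)
```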