J. Wren Hunt wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Ian G wrote:

|
| Right, but considering that this is *email*
| and CAs are simply some optional extra to do
| with commercial users (and we saw what they
| want) then when it comes to *email* there is
| no need to bash anyone's head over any issue.
|
| In email, you and I know each other and we
| don't need any CA to tell us that.
|
Well, I know who you purport to be. And currently I have no reason to
doubt that you are indeed the esteemed Ian G! ;-) But I receive emails
on a daily basis from those purporting to be from the late Yassir
Arafat's widow, and the personal barrister of the late Mbeke Sese-Sese
Seiko, etc. Do I believe them? Not likely. If I'm doing correspondence
from someone whom I already have a close relationship with, for example
family members, then an anonymous cert works perfectly. Any attempt at
subterfuge (e.g., forging, etc.) would most likely be easily detected
as you *know* their writing styles, etc. Not so from a person whose
persona you may be familiar with but not known to you personally (as
might be the case with many participants on this list to one another).


Right, exactly.  But the scenario you describe
is not real world.  Are you likely to do
business with someone who purports to be the
late Yassir Arafat's widow and she has a cert
that just so happens to claim that?

How many times have you ... needed to know
who someone was, and then relied upon their
cert?  Me, I'd just pick up the phone.  Not
because the cert might be wrong, but because
it doesn't say anywhere near enough to be
reliable for a judgement that might be worth
paying for.

We all know the standard story about how you
can't trust people over the net.  What I'm
saying is that for email, certs don't change
that.  They just don't enter into real life
calculations for the average user.  Even if
the certs were deployed on a massive basis,
and even if users understood them, they would
not rely on them.  They'd pick up the phone.

(For commerce, that might be different,
although Simson's paper might suggest otherwise.)

So using the S/MIME infrastructure is strongly
pointed at getting some encryption out there.
That could be done any way we like, but making
it depend on signing or CAs will kill it (or
has already killed it).


| So what does it mean?
|
| In OpenPGP, there is no defined meaning to
| signing in the code or spec, so it means
| ... whatever the signer wanted it to mean.
|
It takes two to form a relationship. So it's the receiver as well as the
sender.


Let the receiver beware!  A relationship
may say something about a signature's meaning,
but there is nothing in the tech or the dox
that might back that up.  That's why an OpenPGP
signature is worth whatever the relationship
says it's worth.  Perfect!


| Which is *safe*.  Sign away, it's whatever
| you want it to mean.
|
If a person wants to be "Batman" and another "Robin", as long as they
are comfortable with these personas then this model works for them.


Right, and if I sign as Iang, and I also go
around saying my sig is my word is my bond,
and let's do deals, then I've created an
expectation that my signature has meaning.


Again it takes two parties to agree to a contract. I'll never digitally
sign anything that I wouldn't hand-sign. But if you can recognize my
physical handwriting then why not its digital counterpart?  I can
repudiate or not-repudiate both my physical and digital signatures as
needed. I fail to follow your logic here for non-signing.


How do you know you can repudiate your S/MIME sig?
The RFC says it is non-repudiable, and some laws
say the same thing.

The logic is quite simple.  Unless we can
define with reasonable certainty what the
signature means, then don't do it.  It might
be used against you in the future.

OpenPGP's sig is quite well defined as undefined.
So it's up to you.  S/MIME's sig however is not
undefined, but has meaning.  I just don't know
what it is, so if I were to use it, I would be
signing without knowing what I was doing.

(And the same applies to everyone who doesn't
know what it is.  Which is most all of us.)


| What specifically I am referring to there is that
| the S/MIME application has decided to make its
| operation *dependent* on signed emails.  That's
| not good, neither from an architectural pov nor a
| meaning pov (as described above).
|
No, it's not dependent. Just heavily used by most MUAs.


Sure.  In terms of deployment, "heavily used" and
relied upon for key exchange is close enough to
what I mean.


|> Most usually this is done via sending a signed-message beforehand. You
|> may opt to have him ftp/telnet/ssh/carrier-pigeon the key, but
|> nonetheless you gotta have it.
|
|
| Right, so send an email with the key.  Just don't
| force it to be a signed email, or don't hide the
| key exchange such that users are encouraged to
| "turn on signing" so as to get the key exchange.
|
You're welcome to pluck mine off my various web pages. But I (and many
of my other correspondents) find it easier to exchange the keys via the
MUA signing capabilities.


Absolutely, it's the only way it will fly;  if
the keys are delivered in emails.  Things like
webpages (and I plucked your PGP key for example)
are for techies, not average users.


| Coming back to the here and now ... I suppose the
| workaround is to turn off signing, and send an
| empty signed email to anyone you want to communicate
| with.  OK, I can live with that!
|
| But it does make S/MIME much more clunky and less
| likely to deploy.
|
No. Simson's article (and one's own gut feel) shows us that people don't
understand the signatures. Not how they got the signatures in the first
place...


I'm not sure I follow that.  They got the sigs
because Amazon made an explicit decision to start
signing its invoices.  It was done for a specific
commercial purpose, and one can expect that
Amazon knew what the signatures meant, or had a
view of what they had decided they meant, or are
big enough and ugly enough to take their punishment
if ever called to do so.

What Simson showed was not only that the users
didn't know what that meaning was (no big deal)
but the users didn't even understand what the
question was.  They are basically unaware and/or
confused about the entire process.

( Oh, unless you mean, because Simson's article
showed people didn't know what the sigs meant,
it's the same as OpenPGP and therefore safe to
use signatures?  No, that can't work.  If there
are digsig laws that kick into play, or other
contracts elsewhere, then one can't rely on
such loose possibilities.  But perhaps you
didn't mean that. )

Fun debate!

(Does anyone else think the current spam attack
on the security list is a DOS against our Tbird
bayesian filter?)

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
