[messaging] On Signed-Only Mails
trevp at trevp.net
Wed Dec 7 16:04:41 PST 2016
On Wed, Dec 7, 2016 at 3:34 PM, Bjarni Runar Einarsson <bre at pagekite.net> wrote:
> Trevor Perrin <trevp at trevp.net> wrote:
>> On Wed, Dec 7, 2016 at 11:36 AM, Bjarni Runar Einarsson
>> <bre at pagekite.net> wrote:
>> You're relying on a different property: An attacker given
>> (public key, message, signature) can't output a *different* key
>> pair with a public key that also verifies the message.
> Not "the message"... "all the messages."
> The threshold is trivially configurable. Does that change
> anything, or is it all the same? Or does nobody know since it
> hasn't been well studied?
It definitely changes things, and probably obstructs a lot of the
attacks, but I don't think it's well studied.
There might be other tricks like setting the DSA modulus q to a tiny
value that would let you brute-force search for a key pair that
verifies multiple signatures, if the final comparison is done mod q.
However that would give suspicious public keys that are more likely to
be rejected, so a lot depends on the verification software.
>> But this is still a confused and risky use of signatures, IMO.
> I see. How would you recommend I determine whether the whole
> scheme is dangerous and should be abandoned, or if it's still
> better than the status quo?
I think it's best to just include the public key or hash of the public
key directly in the message, if you want the message to uniquely
identify a public key.
According to Max this is now being done - GnuPG signature packets now
contain a SHA-1 fingerprint of the public key - though I don't see it
in Werner's latest draft.
Of course, if you do that, then you can just rely on the fingerprint,
not the signature, to identify the public key, so that isn't really an
argument for signatures.
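The recommendation above (put the public key, or a hash of it, inside the signed payload so the message names exactly one key) can be shown in a few lines. The following is an added example and is not code from this thread or from GnuPG; it assumes Ed25519 and a SHA-256 fingerprint rather than OpenPGP's packet format and SHA-1 fingerprint. Because the fingerprint is part of what is signed, a verifier rejects a substituted key on the fingerprint check before the signature is even looked at, and a tampered fingerprint field invalidates the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Fingerprint is the SHA-256 hash of the raw public key bytes
// (an assumed fingerprint scheme, not OpenPGP's).
func Fingerprint(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// BoundMessage carries the signer's key fingerprint inside the signed
// payload, so the signature commits to one specific public key.
type BoundMessage struct {
	Fingerprint []byte
	Body        []byte
	Signature   []byte
}

// payload encodes fingerprint || len(body) || body; the length prefix keeps
// the encoding unambiguous so two different (fp, body) pairs never collide.
func payload(fp, body []byte) []byte {
	var buf bytes.Buffer
	buf.Write(fp)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(body)))
	buf.Write(n[:])
	buf.Write(body)
	return buf.Bytes()
}

// SignBound signs the body together with the fingerprint of the signing key.
func SignBound(priv ed25519.PrivateKey, body []byte) BoundMessage {
	pub := priv.Public().(ed25519.PublicKey)
	fp := Fingerprint(pub)
	sig := ed25519.Sign(priv, payload(fp, body))
	return BoundMessage{Fingerprint: fp, Body: body, Signature: sig}
}

var (
	ErrKeyMismatch = errors.New("presented public key does not match fingerprint in signed payload")
	ErrBadSig      = errors.New("signature does not verify")
)

// VerifyBound first checks that the presented key is the one named in the
// signed payload, then checks the signature under that key. The fingerprint
// check comes first: a substituted key is rejected regardless of whether it
// would happen to verify the signature, which is the property the thread
// wants from "identifying a key by its signature" but that signatures alone
// do not promise.
func VerifyBound(pub ed25519.PublicKey, m BoundMessage) error {
	if !bytes.Equal(Fingerprint(pub), m.Fingerprint) {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(pub, payload(m.Fingerprint, m.Body), m.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample message.
	m := SignBound(privA, []byte("constructed sample message"))
	fmt.Println("genuine key:    ", VerifyBound(pubA, m)) // <nil>
	fmt.Println("substituted key:", VerifyBound(pubB, m)) // ErrKeyMismatch
}
```

As the message points out, once the fingerprint is in the payload it is the fingerprint, not the signature, that identifies the key: the signature's job reduces to authenticating the body and the fingerprint field together.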