[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Mike Hearn mike at plan99.net
Wed Feb 11 03:26:01 PST 2015

> Do you say that from a political sense or from a technical sense of
> the S/MIME spec?  I regularly don't sign my emails for a host of
> reasons even though I encrypt them.

S/MIME presumably allows it, as messages done this way are still readable
without errors. But normally you want to authenticate after encryption,
right? Otherwise there can be odd attacks based on bit-flipping that can
result in a message that decrypts successfully but doesn't say what the
sender thought they said. There have been a bunch of crypto exploits based
on this technique over the years.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150211/3d79efd3/attachment.html>

More information about the Messaging mailing list