[messaging] On Signed-Only Mails

Taylor R Campbell campbell+moderncrypto at mumble.net
Tue Nov 29 07:00:17 PST 2016

   Date: Tue, 29 Nov 2016 09:25:45 +0000
   From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>

   Vincent Breitmoser <look at my.amazin.horse> writes:

   >In some more detail:
   >[...] Signed-Only Mails are Useless [...]

   Yup, and it's for exactly the reasons given there that the S/MIME
   WG decided many years ago not to sign messages sent to the list.
   Courts, similarly, rule on the intent of the signer, not some
   attached bag of bits (see e.g. Steven Mason's excellent "Electronic
   Signatures in Law").  So while I wouldn't go so far as to call them
   harmful, I'd agree that they're mostly useless, unless you're using
   one to make some special point.  Even then, if it's for legal
   purposes, a court will look at almost everything but the signature
   when deciding on its effect.

Courts are not the only imaginable threat model for nonrepudiation of
a sender's message[1].

End-to-end authentication is important for preventing forgery of
conversations between two parties, but of the two ways to accomplish
that -- signatures, where anyone can verify, vs authenticators, where
only recipient can verify -- signatures work against the sender's
interest with no benefit over authenticators in the vast majority of
private messages.

Unfortunately, OpenPGP doesn't have public-key authenticators -- nor
authenticated encryption, and likewise S/MIME[2] -- so it's kludged up
by an ad hoc composition of signature and encryption that fails to
bind the sender and recipient, which has long been known to enable the
recipient of a private message to resend it for comic effect or

[1] Rob Graham, `Politifact: Yes we can fact check Kaine's email',
Errata Security blog, 2016-10-23.

[2] Except perhaps for static-static DH mode described in RFC 2631[3],
but I've never seen evidence that anyone has ever used it in practice,
and have seen evidence of avoiding it[4].

[3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631,
June 1999.

[4] `The following features are lower in priority and are not likely
to be included in version 1.0 [of the Mozilla S/MIME toolkit]: CMS:
Static-static Diffie-Hellman Key Agreement Protocol (SSDH) (RFC2630'
[retrieved 2016-11-29]

[5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML', 2001-05-05.

More information about the Messaging mailing list