[messaging] On Signed-Only Mails
Taylor R Campbell
campbell+moderncrypto at mumble.net
Tue Nov 29 07:00:17 PST 2016
   Date: Tue, 29 Nov 2016 09:25:45 +0000
   From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>

   Vincent Breitmoser <look at my.amazin.horse> writes:

   >In some more detail:
   >https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
   >
   >[...] Signed-Only Mails are Useless [...]

   Yup, and it's for exactly the reasons given there that the S/MIME
   WG decided many years ago not to sign messages sent to the list.
   Courts, similarly, rule on the intent of the signer, not some
   attached bag of bits (see e.g. Steven Mason's excellent "Electronic
   Signatures in Law"). So while I wouldn't go so far as to call them
   harmful, I'd agree that they're mostly useless, unless you're using
   one to make some special point. Even then, if it's for legal
   purposes, a court will look at almost everything but the signature
   when deciding on its effect.

Courts are not the only imaginable threat model for nonrepudiation of
a sender's message[1].

End-to-end authentication is important for preventing forgery of
conversations between two parties, but of the two ways to accomplish
that -- signatures, where anyone can verify, vs authenticators, where
only the recipient can verify -- signatures work against the sender's
interest with no benefit over authenticators in the vast majority of
private messages.

Unfortunately, OpenPGP doesn't have public-key authenticators -- nor
authenticated encryption, and likewise S/MIME[2] -- so it's kludged up
by an ad hoc composition of signature and encryption that fails to
bind the sender and recipient, which has long been known to enable the
recipient of a private message to resend it for comic effect or
worse[5].

[1] Rob Graham, `Politifact: Yes we can fact check Kaine's email',
Errata Security blog, 2016-10-23.
http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html
[2] Except perhaps for static-static DH mode described in RFC 2631[3],
but I've never seen evidence that anyone has ever used it in practice,
and have seen evidence of avoiding it[4].
[3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631,
June 1999.
https://www.ietf.org/rfc/rfc2630.txt
[4] `The following features are lower in priority and are not likely
to be included in version 1.0 [of the Mozilla S/MIME toolkit]: CMS:
Static-static Diffie-Hellman Key Agreement Protocol (SSDH) (RFC2630
12.3.1.1)'
http://www-archive.mozilla.org/projects/security/pki/nss/smime/
[retrieved 2016-11-29]
[5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML', 2001-05-05.
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html