[messaging] On Signed-Only Mails

Trevor Perrin trevp at trevp.net
Sat Dec 3 11:13:26 PST 2016

On Sat, Dec 3, 2016 at 9:48 AM, Daniel McCarney <daniel at binaryparadox.net>

> On 03/12, Trevor Perrin wrote:
>> AFAICT the purpose of signed-only emails in [0] is only to signal OpenPGP
>> support to recipients, who would look up the sender's public key through
>> some other mechanism.  So the signature doesn't seem important, there?
> I guess the crux of it is what the signature is over (the message?) and
> which key is used (the private key corresponding to the published public
> key?). Are you saying that it could be a throw away signature over a
> signalling indicator?

If all you need is a signal telling the recipient to encrypt future
messages with a public key fetched via WKD then the signal could be
anything:  For example, an email header "X-OpenPGP-WKD: True".  No
signature needed.

Looking at the technical document [1], there seems to be a "fallback
method" where the signed email signals the recipient to encrypt future
messages with a public key fetched from PGP key servers.

PGP key servers are not a reliable source of data, since anyone can upload
a public key for anyone else's name.  So there's a reliability risk here:
 Attackers could upload bad PGP keys, causing recipients to get messages
they can't decrypt.

So maybe they're thinking that the signature "authenticates" the fetched
public key.  But that's an incorrect use of signatures (e.g. see "duplicate
signature key selection", [2]).  The right solution for that would be to
include a full key fingerprint in the email (e.g. email header
"X-OpenPGP-Key: <pubkey fingerprint>").


[1] https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20161203/b1f55805/attachment.html>

More information about the Messaging mailing list