[messaging] On Signed-Only Mails

Ben Laurie ben at links.org
Sun Dec 4 12:14:33 PST 2016


On 3 December 2016 at 19:13, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Sat, Dec 3, 2016 at 9:48 AM, Daniel McCarney <daniel at binaryparadox.net>
> wrote:
>>
>> On 03/12, Trevor Perrin wrote:
>>>
>>> AFAICT the purpose of signed-only emails in [0] is only to signal OpenPGP
>>> support to recipients, who would look up the sender's public key through
>>> some other mechanism.  So the signature doesn't seem important, there?
>>
>>
>> I guess the crux of it is what the signature is over (the message?) and
>> which key is used (the private key corresponding to the published public
>> key?). Are you saying that it could be a throwaway signature over a
>> signalling indicator?
>
>
>
> If all you need is a signal telling the recipient to encrypt future messages
> with a public key fetched via WKD then the signal could be anything:  For
> example, an email header "X-OpenPGP-WKD: True".  No signature needed.

I know nothing of WKD, but if your public key is not associated with
content I value, why would I trust some random server to give me a
correct key?

> Looking at the technical document [1], there seems to be a "fallback method"
> where the signed email signals the recipient to encrypt future messages with
> a public key fetched from PGP key servers.
>
> PGP key servers are not a reliable source of data, since anyone can upload a
> public key for anyone else's name.  So there's a reliability risk here:
> Attackers could upload bad PGP keys, causing recipients to get messages they
> can't decrypt.

Exactly.

> So maybe they're thinking that the signature "authenticates" the fetched
> public key.  But that's an incorrect use of signatures (e.g. see "duplicate
> signature key selection", [2]).  The right solution for that would be to
> include a full key fingerprint in the email (e.g. email header
> "X-OpenPGP-Key: <pubkey fingerprint>").

Agree that there needs to be a strong association between the key and
the content.

>
>
> Trevor
>
>
> [1] https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept
> [2]
> https://www.agwa.name/blog/post/duplicate_signature_key_selection_attack_in_lets_encrypt


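Added example, not part of the thread or of any project's code: one way a recipient could apply the fingerprint-in-header idea quoted above, accepting a fetched key only when its full OpenPGP v4 fingerprint equals the value carried in the mail. The header name X-OpenPGP-Key is the hypothetical one from the message; the function names, addresses and key packets are constructed for illustration.

```python
import hashlib
import hmac
import struct
from email import message_from_string

def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 sec. 12.2: SHA-1 over 0x99, 2-octet length, public key packet body."""
    if not packet_body or packet_body[0] != 4:
        raise ValueError("not a version 4 public key packet")
    prefix = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()

def pinned_fingerprint(raw_email: str):
    """Full fingerprint from the (hypothetical) X-OpenPGP-Key header, else None."""
    value = message_from_string(raw_email).get("X-OpenPGP-Key")
    if value is None:
        return None
    fpr = "".join(value.split()).upper()
    # Only a full 160-bit fingerprint pins a key; short key IDs are rejected.
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        return None
    return fpr

def select_key(raw_email: str, candidates):
    """Return the fetched key whose fingerprint matches the header, else None."""
    pin = pinned_fingerprint(raw_email)
    if pin is None:
        return None
    for body in candidates:
        try:
            if hmac.compare_digest(v4_fingerprint(body), pin):
                return body
        except ValueError:
            continue  # skip packets that are not v4 public keys
    return None

def constructed_packet(created: int, material: bytes) -> bytes:
    # Constructed sample: version 4, creation time, algorithm 1 (RSA), then
    # placeholder bytes standing in for the key MPIs. Not a usable key.
    return b"\x04" + struct.pack(">I", created) + b"\x01" + material

SENDER_KEY = constructed_packet(1480000000, b"sender-key-material")
ATTACKER_KEY = constructed_packet(1480000001, b"attacker-key-material")
EMAIL = ("From: alice@example.org\n"
         "X-OpenPGP-Key: " + v4_fingerprint(SENDER_KEY) + "\n\nhello\n")

if __name__ == "__main__":
    # A key server returns both keys for the same address; only one is pinned.
    print(select_key(EMAIL, [ATTACKER_KEY, SENDER_KEY]) == SENDER_KEY)
    print(select_key(EMAIL, [ATTACKER_KEY]))
```

The key-server upload described in the quoted text fails closed here: a key that does not hash to the pinned value is never selected, whatever name it carries.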