[messaging] On Signed-Only Mails

Trevor Perrin trevp at trevp.net
Wed Dec 7 16:04:41 PST 2016


On Wed, Dec 7, 2016 at 3:34 PM, Bjarni Runar Einarsson <bre at pagekite.net> wrote:
>
> Trevor Perrin <trevp at trevp.net> wrote:
>> On Wed, Dec 7, 2016 at 11:36 AM, Bjarni Runar Einarsson
>> <bre at pagekite.net> wrote:
>>
>> You're relying on a different property: An attacker given
>> (public key, message, signature) can't output a *different* key
>> pair with a public key that also verifies the message.
>
> Not "the message"... "all the messages."
>
> The threshold is trivially configurable. Does that change
> anything, or is it all the same? Or does nobody know since it
> hasn't been well studied?

It definitely changes things, and probably obstructs a lot of the
attacks, but I don't think it's well studied.

There might be other tricks like setting the DSA modulus q to a tiny
value that would let you brute-force search for a key pair that
verifies multiple signatures, if the final comparison is done mod q.
However that would give suspicious public keys that are more likely to
be rejected, so a lot depends on the verification software.


>> But this is still a confused and risky use of signatures, IMO.
>
> I see. How would you recommend I determine whether the whole
> scheme is dangerous and should be abandoned, or if it's still
> better than the status quo?

I think it's best to just include the public key or hash of the public
key directly in the message, if you want the message to uniquely
identify a public key.

According to Max this is now being done - GnuPG signature packets now
contain a SHA-1 fingerprint of the public key - though I don't see it
in Werner's latest draft [1].

Of course, if you do that, then you can just rely on the fingerprint,
not the signature, to identify the public key, so that isn't really an
argument for signatures.

Trevor

[1] https://tools.ietf.org/html/draft-koch-openpgp-rfc4880bis-02


More information about the Messaging mailing list