Re: secure sign & encrypt

[Derek Atkins <warlord@xxxxxxx>]

Terje Braaten <Terje.Braaten@xxxxxxxxxx> writes:

> I do not quite see the relevance of this. Do you think it is bad
> that Charlie can prove that the message was sent to him from Bob
> and not only signed by Bob?
> If Bob want to prevent this he can sign first and then encrypt,
> instead of using the sign & encrypt function in PGP.

You seem to be under the misconception that "sigh & enrypt" is an
atomic PGP operation.  It is not.  There is "OpenPGP Sign" and there
is "OpenPGP Encrypt", and these two functions _can_ be combined, but
the combination is NOT a single atomic function.  It never was.

All PGP ever had was "first sign and then encrypt".  It was just
user-interface "syntactic sugar" that allows the user to perform both
tasks together.  However, there is no way for a receiver to tell the
difference between a one-pass and two-pass "sign and then encrypt".

> It will still be possible to just sign something. It is only when
> you use sign & encrypt the receivers should be able to be sure that
> the one who signed and the one who encrypted the message is the same
> person.

As I said, there is no "combined sign and encrypt" atomic operation in
OpenPGP (or in regular PGP, for that matter).

> But the point is not to make some human readable boilerplate. The
> point is that OpenPGP software automatically should be able to detect
> if the message has been faked to look like it is created by
> sign & encrypt when it really is not.

What do you mean?  Can you please explain what attack you believe
you are preventing?

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@xxxxxxx                        PGP key available