
Re: Recipient-verifiable messages, was: forwarding an encrypted PGP message is useless



Terje Braaten <Terje.Braaten@xxxxxxxxxx> writes:

> > >> 	Encrypt_Bob(K), Encrypt(K, Sign_Alice(Hash(K||Bob_PK)), msg)
> > >>
> > >> with the additional restriction that the encryption mode should be one
> > >> of the MDC modes (ie appended MAC with K outside encryption, or
> > >> appended hash of msg inside encryption).
> 
> What a wonderful solution. Hello everybody, we go ahead and change
> the next version of the protocol to this. Ok?

No.  It is definitely not ok.  This breaks backwards compatibility
with implementations of 2440.

No matter what you do it should be backwards compatible with existing
software.  Current implementations should still be able to read it,
even if they don't understand it.

My two suggestions still remain:

  1) Write up an RFC that defines how to use a notation packet to do
     what you want, where that notation packet is included in the
     signature.  Within that notation you can store the original
     recipients list.

  2) Write up an RFC that defines how to use 2440 packets in ESE mode.
     I'm fairly sure that most of the existing 2440 implementations can
     read an ESE message (at least if they implemented their parser
     recursively like I did in PGP 5).

Either of these solutions solves your problem _AND_ remains
2440-compatible.

-derek
-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@xxxxxxxxx             www.ihtfp.com
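
The recipient-side check implied by the quoted construction, Sign_Alice(Hash(K||Bob_PK)) plus a MAC keyed with K, as an added example that is not part of the original thread or of any PGP implementation. Assumptions: the toy textbook-RSA key stands in for Alice's signing key, the public-key byte strings are constructed, and the two encryption layers are left out (K is taken as already decrypted by the recipient).

```python
import hashlib
import hmac
import os

# Toy textbook-RSA key standing in for Alice's signing key (constructed for
# this example: two Mersenne primes, no padding, far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_alice(data: bytes) -> int:
    return pow(_digest_int(data), D, N)

def verify_alice(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest_int(data)

def seal(k: bytes, recipient_pk: bytes, msg: bytes) -> dict:
    """What Alice would place inside Encrypt(K, ...): signature, msg, MAC."""
    binding = hashlib.sha256(k + recipient_pk).digest()  # Hash(K || Bob_PK)
    return {"sig": sign_alice(binding), "msg": msg,
            "mac": hmac.new(k, msg, hashlib.sha256).digest()}

def recipient_check(k: bytes, my_pk: bytes, body: dict) -> str:
    """Run by whoever recovered K with their own private key."""
    mac = hmac.new(k, body["msg"], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, body["mac"]):
        return "bad-mdc"              # msg altered under this K
    binding = hashlib.sha256(k + my_pk).digest()
    if not verify_alice(binding, body["sig"]):
        return "not-addressed-to-me"  # Alice signed K for a different key
    return "ok"

# Constructed stand-ins for the recipients' public keys.
BOB_PK = b"constructed-bob-public-key"
CAROL_PK = b"constructed-carol-public-key"

if __name__ == "__main__":
    k = os.urandom(16)
    body = seal(k, BOB_PK, b"meet at noon")
    print("Bob:  ", recipient_check(k, BOB_PK, body))
    # Bob re-encrypts K to Carol and forwards the body unchanged.
    print("Carol:", recipient_check(k, CAROL_PK, body))
```
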