---------- Forwarded message ----------
Date: Fri, 22 Jun 2001 15:00:33 -0400
From: "Jeffrey I. Schiller" <jis@mit.edu>
To: Derek Atkins <warlord@mit.edu>
Cc: Don Davis <dtd@world.std.com>, cryptography@wasabisystems.com
Subject: Re: crypto flaw in secure mail standards

In fact there are many applications where the separation of the signing operation from the encryption operation is useful and important. Encryption provides a different service than the underlying signature. It protects the document from being read by unintended recipients. The signature can provide proof later that the sender did in fact sign the message.

It is always the case that one must be careful what one writes in e-mail, for once delivered to the recipient, the sender loses control of the document. In fact this threat even exists in paper mail. If Alice sends Bob a "The deal is off" letter, but doesn't mark the letter with enough context, Bob can always physically forward the letter to a third party and claim it is from Alice.

I believe it is important that message signatures outlive the message's encryption layer. If I receive a signed/encrypted message, I will lose the ability to decrypt it if I lose my private key (or intentionally destroy it to prevent its future compromise). However, if I remove the encryption and store the message signed (perhaps protected by other mechanisms in my mail store), I can always verify the signature as long as I have access to the sender's certificate chain. No secrets have to be saved.

Btw, I don't believe S/MIME has timestamps in its signature format. PGP does. PGP also implements a "for her eyes only" feature that only permits an encrypted message to be displayed, but not saved in a file. Now of course a sufficiently clever person can circumvent this protection. I am now wondering how hard it would be to circumvent this feature *and* keep the original message signature (of course if you have the PGP source code, you can do this).

However, having said all this, Don has a point. There may be a class of message where you want to prove that you originated it *only to the original sender*. If he has a way to do that, it sounds like a good thing. But there isn't a flaw in secure e-mail, just a missing service.

-Jeff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
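Added example, not part of the original message: a sketch of sign-then-encrypt in which the recipient strips the encryption layer, keeps the signed body, and verifies it later with only the signer's public key, plus the effect of writing the recipient's name into the signed body. It assumes toy textbook RSA built from Mersenne primes and a hash-based XOR stream (constructed for the demo, not secure); all function names are hypothetical and this is neither the S/MIME nor the PGP format.

```python
import hashlib, secrets

E = 65537  # public exponent shared by all toy keys

def keygen(a, b):
    """Toy textbook-RSA key from Mersenne primes 2**a-1, 2**b-1 (constructed, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    """Uses only the signer's public modulus: no secret has to be saved."""
    return pow(sig, E, n) == _digest(msg, n)

def _xor(data, k):
    """XOR data with a SHA-256 counter keystream seeded by integer k (toy cipher)."""
    seed = k.to_bytes((k.bit_length() + 7) // 8, "big")
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

def encrypt(n, data):
    k = secrets.randbelow(n - 2) + 2           # random session key
    return pow(k, E, n), _xor(data, k)         # (wrapped key, ciphertext)

def decrypt(key, wrapped, body):
    return _xor(body, pow(wrapped, key["d"], key["n"]))

def send(sender, rcpt_n, text, rcpt_name=None):
    """Sign, then encrypt. rcpt_name, if given, becomes part of the signed body."""
    body = (f"To: {rcpt_name}\n\n" if rcpt_name else "").encode() + text.encode()
    blob = sign(sender, body).to_bytes(256, "big") + body
    return encrypt(rcpt_n, blob)

def open_and_strip(key, wrapped, ct):
    """Recipient removes the encryption layer and keeps (body, sig) for storage."""
    blob = decrypt(key, wrapped, ct)
    return blob[256:], int.from_bytes(blob[:256], "big")
```

The stored `(body, sig)` pair verifies for anyone holding the signer's public key, so a body without recipient context says nothing about whom it was written to; a body that begins with `To: Bob` carries that context under the signature.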