A weakness in PGP signatures, and a suggested solution (long)

Jeffrey Goldberg cc047 at Cranfield.ac.uk
Thu Jan 11 09:18:32 PST 1996


-----BEGIN PGP SIGNED MESSAGE-----

[I am posting this to exactly the same groups that the original was posted
 to.  If someone feels that the distribution should be more limited please
 restrict the follow-ups.  I have also mailed a copy to the original 
 poster.]

On Wed, 27 Dec 1995, Dr. Dimitri Vulis wrote:

> Bob once sent Carol an e-mail that looked like this:
> 
> -----------------------------------------------------------------------
> From: Bob at boxb
> To: Carol at boxc
> Date: 25 Dec 1965
> Subject: Carol, we're history
> Message-ID: <111 at boxb>
> 
> ----BEGIN PGP SIGNED MESSAGE----
> 
> I no longer wish to go out with you. Merry Christmas!
> 
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
> 
> 12341234...
> 
> ----END PGP SIGNATURE----
> 
> -----------------------------------------------------------------------
> 
> Carol can forge an e-mail to Alice that looks like this:
> 
> -----------------------------------------------------------------------
> From: Bob at boxb
> To: Alice at boxa
> Date: 25 Dec 1995
> Subject: Alice, we're history
> Message-ID: <222 at bobb>
> 
> ----BEGIN PGP SIGNED MESSAGE----
> 
> I no longer wish to go out with you. Merry Christmas!
> 
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
> 
> 12341234...
> 
> ----END PGP SIGNATURE----

I have omitted the other scenarios for reasons of space.  All of
them are based on the fact that information about the intended
recipient (including newsgroup) is not part of the information signed.

I proposal is made for a mechanism to have some header information
signed as well.

I don't think that such a thing needs to be build into pgp, but might
be included in pgp/MUA interfaces.

I also think that the crucial lesson here is to take the analogy to
signature on paper more seriously.  Imagine that paper documents were
reproducible in a way that made the original indistinguishable from
copies.  Under search circumstances you would never sign something like:

   I agree to give you my house plus $30,000 in exchange for your house.
                                            (signature)

For the same reasons that you would never sign something like that (without
specifying the individuals and the properties in question), you shouldn't
sign an electronic when the interpretation of the document is a function
of whose hands its in.  As with the paper document, you would never
rely on its interpretation depending on the name on the envelope, you
shouldn't rely on the headers.

As for the recipient, the signature determines responsibility for the
signed portion, but not for the act of sending the document.

The only difference between paper and E-docs is that with paper there
is a distinction between the original and copies.

The lesson is not so much that we should change pgp, but that we should
pay very careful attention to what we sign. 

- -jeff

Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
 J.Goldberg at Cranfield.ac.uk     http://WWW.Cranfield.ac.uk/public/cc/cc047/
      "An `alternative paradigm' is the first refuge of the incompetent" --LM


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by mkpgp, a Pine/PGP interface.

iQCVAgUBMPQNUBu6nIqxqP+5AQGHxgQAunhff6dV0eCXuVe6w+t0KWELlfjx3Iu4
SrKKo/DB+yWYDn+UVsFPyqvG64qmBxSaLLT95S3rbJEPklpRteN2+8Z94O5PxvL4
Q0OfGSX7oPN2Hwl3hkbjhwLWMpogcxfg6yle1SsqMCTMj3t8RAdmWD8DAQ9fEVzK
JdSdEXoc37s=
=21Kt
-----END PGP SIGNATURE-----






More information about the cypherpunks-legacy mailing list