OPT: Re: crypto flaw in secure mail standards (fwd)

Jim Choate ravage at einstein.ssz.com
Fri Jun 22 14:44:34 PDT 2001



---------- Forwarded message ----------
Date: Fri, 22 Jun 2001 15:00:33 -0400
From: "Jeffrey I. Schiller" <jis at mit.edu>
To: Derek Atkins <warlord at mit.edu>
Cc: Don Davis <dtd at world.std.com>, cryptography at wasabisystems.com
Subject: Re: crypto flaw in secure mail standards

In fact there are many applications where the separation of the
signing operation from the encryption operation is useful and
important.

Encryption provides a different service than the underlying
signature. It protects the document from being read by unintended
recipients. The signature can provide proof later that the sender did
in fact sign the message.

It is always the case that one must be careful what one writes in
e-mail, for once delivered to the recipient, the sender loses control
of the document.  In fact this threat even exists in paper mail. If
Alice sends Bob a "The deal is off" letter, but doesn't mark the
letter with enough context, Bob can always physically forward the
letter to a third party and claim it is from Alice.

I believe it is important that message signatures outlive the
message's encryption layer. If I receive a signed/encrypted message, I
will lose the ability to decrypt it if I lose my private key (or
intentionally destroy it to prevent its future compromise). However if
I remove the encryption and store the message signed (perhaps
protected by other mechanisms in my mail store), I can always verify
the signature as long as I have access to the sender's certificate
chain. No secrets have to be saved.

Btw. I don't believe S/MIME has timestamps in its signature
format. PGP does. PGP also implements a "for her eyes only" feature
that only permits an encrypted message to be displayed, but not saved
in a file. Now of course a sufficiently clever person can circumvent
this protection. I am now wondering how hard it would be to circumvent
this feature *and* keep the original message signature (of course if
you have the PGP source code, you can do this).

However, having said all this, Don has a point. There may be a class
of message where you want to prove that you originated it *only to the
original sender*.  If he has a way to do that, it sounds like a good
thing.

But there isn't a flaw in secure e-mail, just a missing service.

			-Jeff
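
The point about a signature outliving the encryption layer, as an added example that is not part of the original message and is not S/MIME or PGP code. It assumes a bare RSA public key in place of the sender's certificate chain and a constructed JSON container in place of the real message formats; all names are hypothetical.

```javascript
// Added illustration; every name here (alice, bob, signThenEncrypt, ...) is hypothetical.
const nodeCrypto = require('node:crypto');
const OAEP = nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING;
const newKeyPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Sender: sign the plaintext, then encrypt body + signature to the recipient.
function signThenEncrypt(body, senderPrivateKey, recipientPublicKey) {
  const signature = nodeCrypto.sign('sha256', body, senderPrivateKey);
  const signed = Buffer.from(JSON.stringify({
    body: body.toString('base64'), signature: signature.toString('base64') }));
  // Hybrid encryption: AES-256-GCM for the content, RSA-OAEP wraps the content key.
  const contentKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(signed), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, padding: OAEP }, contentKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: remove the encryption layer once; the return value is what gets archived.
function stripEncryption(envelope, recipientPrivateKey) {
  const contentKey = nodeCrypto.privateDecrypt(
    { key: recipientPrivateKey, padding: OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', contentKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  const signed = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return JSON.parse(signed.toString());
}

// Later check: needs only the archived signed message and the sender's public key.
function verifyStored(stored, senderPublicKey) {
  return nodeCrypto.verify('sha256', Buffer.from(stored.body, 'base64'),
    senderPublicKey, Buffer.from(stored.signature, 'base64'));
}

function demo() {
  const alice = newKeyPair();
  const bob = newKeyPair();
  const envelope = signThenEncrypt(Buffer.from('The deal is off'), alice.privateKey, bob.publicKey);
  const stored = stripEncryption(envelope, bob.privateKey);
  // From here on Bob's private key is treated as lost or destroyed and is never used again.
  let envelopeReadable = true;
  try { stripEncryption(envelope, newKeyPair().privateKey); } catch { envelopeReadable = false; }
  const altered = { ...stored, body: Buffer.from('The deal is on').toString('base64') };
  return { envelopeReadable,
           stillVerifies: verifyStored(stored, alice.publicKey),
           alteredVerifies: verifyStored(altered, alice.publicKey) };
}
```

`demo()` shows the archived copy still verifying after the original envelope has become undecryptable, while a body altered in the mail store fails verification.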


