[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [openpgp] Intended Recipient Fingerprint signature subpacket



On 3/5/2018 at 6:20 PM, "Vincent Breitmoser" <look@my.amazin.horse> wrote:
>
>Hey folks,
>
>dkg and I have been discussing an "Intended Recipient Fingerprint"
>subpacket, that pins a signature to be valid only in an encrypted
>context to the indicated recipient.
>
>Use of this subpacket removes some wiggling room for 
>signed+encrypted
>messages.  This can be used to prevent replay attacks, where a 
>signature
>is taken out of its context and forwarded to a different recipient.

======

In principle, it's a good idea.

But, the attacker could still send it along as a clearsigned message, and if the recipient accepts the message at face value, the attack succeeds.

There is really no substitute for fixing this in the context of the message itself.  Anything signed, should mention the person addressed in the text of the message.


Example:

message [1]

=====[begin text of message to be signed and encrypted to Bob]=====

Hi Bob,

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


as opposed to this,

message [2]:

=====[begin text of message to be signed and encrypted to Bob]=====

Thanks for everything!

Love,

Alice

=====[end text of message to be signed and encrypted to Bob]=====


If at some later time, Bob and Alice had a falling out, Bob could send the second message to John, (a not so good friend of Alice). who now thinks Alice 'loves' him.

Bob could obviously never do this with the first message in the above example.

Again, more of an issue to be put in an advisory caution in the new rfc, rather than designing a new packet,  but if the new packet is easy to implement, then great.


vedaal

_______________________________________________
openpgp mailing list
openpgp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/openpgp