[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A weakness in PGP signatures, and a suggested solution (long)
- To: [email protected]
- Subject: Re: A weakness in PGP signatures, and a suggested solution (long)
- From: Jeffrey Goldberg <[email protected]>
- Date: Wed, 10 Jan 1996 19:02:54 +0000
- In-Reply-To: <[email protected]>
- Newsgroups: netcraft.cypherpunks,alt.security.pgp,sci.crypt,mail.cypherpunks
- Organization: Sirius Cybernetics Corporation
- References: <[email protected]>
- Reply-To: Jeffrey Goldberg <[email protected]>
- Sender: [email protected]
- Xref: hudson.lm.com alt.security.pgp:49372 sci.crypt:47941 mail.cypherpunks:24167
-----BEGIN PGP SIGNED MESSAGE-----
[I am posting this to exactly the same groups that the original was posted
to. If someone feels that the distribution should be more limited please
restrict the follow-ups. I have also mailed a copy to the original
poster.]
On Wed, 27 Dec 1995, Dr. Dimitri Vulis wrote:
> Bob once sent Carol an e-mail that looked like this:
>
> -----------------------------------------------------------------------
> From: Bob@boxb
> To: Carol@boxc
> Date: 25 Dec 1965
> Subject: Carol, we're history
> Message-ID: <111@boxb>
>
> ----BEGIN PGP SIGNED MESSAGE----
>
> I no longer wish to go out with you. Merry Christmas!
>
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
>
> 12341234...
>
> ----END PGP SIGNATURE----
>
> -----------------------------------------------------------------------
>
> Carol can forge an e-mail to Alice that looks like this:
>
> -----------------------------------------------------------------------
> From: Bob@boxb
> To: Alice@boxa
> Date: 25 Dec 1995
> Subject: Alice, we're history
> Message-ID: <222@bobb>
>
> ----BEGIN PGP SIGNED MESSAGE----
>
> I no longer wish to go out with you. Merry Christmas!
>
> ----BEGIN PGP SIGNATURE----
> Version 2.6.2
>
> 12341234...
>
> ----END PGP SIGNATURE----
I have omitted the other scenarios for reasons of space. All of
them are based on the fact that information about the intended
recipient (including newsgroup) is not part of the information signed.
I proposal is made for a mechanism to have some header information
signed as well.
I don't think that such a thing needs to be build into pgp, but might
be included in pgp/MUA interfaces.
I also think that the crucial lesson here is to take the analogy to
signature on paper more seriously. Imagine that paper documents were
reproducible in a way that made the original indistinguishable from
copies. Under search circumstances you would never sign something like:
I agree to give you my house plus $30,000 in exchange for your house.
(signature)
For the same reasons that you would never sign something like that (without
specifying the individuals and the properties in question), you shouldn't
sign an electronic when the interpretation of the document is a function
of whose hands its in. As with the paper document, you would never
rely on its interpretation depending on the name on the envelope, you
shouldn't rely on the headers.
As for the recipient, the signature determines responsibility for the
signed portion, but not for the act of sending the document.
The only difference between paper and E-docs is that with paper there
is a distinction between the original and copies.
The lesson is not so much that we should change pgp, but that we should
pay very careful attention to what we sign.
- -jeff
Jeffrey Goldberg +44 (0)1234 750 111 x 2826
Cranfield Computer Centre FAX 751 814
[email protected] http://WWW.Cranfield.ac.uk/public/cc/cc047/
"An `alternative paradigm' is the first refuge of the incompetent" --LM
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Processed by mkpgp, a Pine/PGP interface.
iQCVAgUBMPQNUBu6nIqxqP+5AQGHxgQAunhff6dV0eCXuVe6w+t0KWELlfjx3Iu4
SrKKo/DB+yWYDn+UVsFPyqvG64qmBxSaLLT95S3rbJEPklpRteN2+8Z94O5PxvL4
Q0OfGSX7oPN2Hwl3hkbjhwLWMpogcxfg6yle1SsqMCTMj3t8RAdmWD8DAQ9fEVzK
JdSdEXoc37s=
=21Kt
-----END PGP SIGNATURE-----