Re: Fwd: Surreptitious Forwarding

> - We might as well be clear that this pertains to the cipher
>   and plain text.
> - Again, since my confusion on your point is still a valid
>   warning, might as well retain both.
> - Again, since we're warning folks, doesn't hurt to extend the
>   warning to any sort of 'envelope' (e.g., a base64 encoding).

hi, joseph --

   i'm sorry, but i don't agree that we "might as well"
conflate the issue i've raised with these axioms of
public-key messaging:

    * encryption of plaintext doesn't authenticate the
      origin of the plaintext;
    * unsigned message-headers aren't secured;
    * unsigned & unencrypted envelopes aren't secured.

my point is not axiomatic. though anyone who understands
the technology can easily derive my point from the axioms,
my point isn't as obvious to a nonspecialist.  thus, by
folding the axioms' restatements into my warning, we
would accidentally ensure that my point remains obscure
and unavailable to a nonspecialist. since my point is
about clearly addressing a cryptographic nuance, it does
hurt clarity to mix other issues into the presentation
of my point.

   because my paper addresses only signed-&-encrypted
messages and this usability issue that they raise, i
now believe that both XML-Enc and XML-Sig should carry
the same warning text:

      "When an encrypted envelope contains a signature,
       the signature does not protect the authenticity
       or integrity of the ciphertext, even though the
       signature does protect the integrity of the plaintext.
       Accordingly, most applications should take care
       to prevent the unauthorized replacement of the
       encrypted envelope."

					- don davis, boston


-------------------------------------------------------------
>Don,
>
>Thanks for the clarification.
>
>At 23:14 7/26/2001, Don Davis wrote:
>>for Xml-Enc, I'd suggest:
>>
>>    "Also, recipients of encrypted messages must remember
>>     that encryption itself does not imply anything about
>>     the integrity or authenticity of the ciphertext."
>
>Now reads:
>>Also, recipients of encrypted messages must remember that encryption itself
>>does not necessarily imply anything about the integrity or authenticity of
>>the ciphertext or its plaintext, see [XMLDSIG, 8.1.1 Only What is Signed is
>>Secure].
>
>- We might as well be clear that this pertains to the cipher and plain text.
>- I added 'necessarily' to address Steve's point that use of a shared
>symmetric key for encryption can act as an authenticator.
>
>
>>for XML-Sig, I'd suggest:
>>
>>    "Second, a ciphertext envelope containing signed
>>     information is not secured by the signature.
>>     For instance, when an encrypted envelope contains
>>     a signature, the signature does not protect the
>>     authenticity or integrity of the ciphertext, even
>>     though the signature does protect the integrity
>>     of the plaintext."
>
>Now reads:
>>Second, an envelope containing signed information is not secured by the
>>signature. For instance, when an encrypted envelope contains a signature,
>>the signature does not protect the authenticity or integrity of unsigned
>>envelope headers nor its ciphertext form, it only secures the plaintext
>>actually signed.
>
>- Again, since my confusion on your point is still a valid warning, might as
>well retain both.
>- Again, since we're warning folks, doesn't hurt to extend the warning to
>any sort of 'envelope' (e.g., a base64 encoding).
>
>
>
>
>--
>Joseph Reagle Jr.

Received on Monday, 30 July 2001 09:55:07 UTC
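
Added example, not part of the original message or of either draft: a toy sign-then-encrypt exchange showing that the inner signature still verifies after the encrypted envelope has been replaced. The party names, the textbook-RSA helpers (insecure, for illustration only) and the recipient-naming check are assumptions of this example; the message does not say how an application should prevent envelope replacement.

```python
import hashlib, json, secrets

E = 65537  # toy textbook RSA over known Mersenne primes: illustration only, NOT secure

def keypair(name, p, q):  # one dict holds both halves; seal/verify read only "n"
    return {"name": name, "n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def _xor(k, data):  # SHA-256 counter keystream keyed by the session key k
    ks = b"".join(hashlib.sha256(f"{k}:{i}".encode()).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(to, inner):  # building an envelope needs only the recipient's public modulus
    k = secrets.randbelow(to["n"] - 2) + 2
    return {"key": pow(k, E, to["n"]), "body": _xor(k, inner)}

def unseal(me, env):
    return _xor(pow(env["key"], me["d"], me["n"]), env["body"])

def sign_then_encrypt(sender, to, text, name_recipient=False):
    signed = {"text": text}
    if name_recipient:  # assumed mitigation: put the addressee inside the signed plaintext
        signed["to"] = to["name"]
    blob = json.dumps(signed, sort_keys=True).encode()
    sig = pow(_h(blob, sender["n"]), sender["d"], sender["n"])
    return seal(to, json.dumps({"signed": signed, "sig": sig}).encode())

def receive(me, sender, env, require_named=False):
    inner = json.loads(unseal(me, env))
    blob = json.dumps(inner["signed"], sort_keys=True).encode()
    sig_ok = pow(inner["sig"], E, sender["n"]) == _h(blob, sender["n"])
    named_ok = inner["signed"].get("to") == me["name"]
    return sig_ok and (named_ok or not require_named)

def demo():
    alice = keypair("alice", 2**61 - 1, 2**89 - 1)
    bob = keypair("bob", 2**107 - 1, 2**127 - 1)
    carol = keypair("carol", 2**521 - 1, 2**607 - 1)
    results = {}
    for bound in (False, True):
        env = sign_then_encrypt(alice, bob, "constructed sample text", bound)
        # Envelope replaced: the same signed plaintext arrives sealed for carol.
        replaced = seal(carol, unseal(bob, env))
        results[bound] = (receive(bob, alice, env, bound),
                          receive(carol, alice, replaced, bound))
    return results
```

Each tuple in the result is (bob accepts the original envelope, carol accepts the replaced one): without the named recipient both are True, and with it the second becomes False.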