Requirement to Warn of Surreptitious Forwarding

Don Davis has recently presented a paper on "surreptiouis forwarding", as 
discussed on the list last year, and I think it deserves a few sentences in 
the requirements/spec. Consequently, I propose the following for the 
requirements (and a variant for the spec). Suggestions/tweaks are welcome.

5.3.3: The specification must warn users of "surreptitious forwarding" 
[Davis] whereby the recipient of a signed-then-encrypted message incorrectly 
infers that their status as a recipient, which was not signed, was also 
secured because both items exist in an "confidentially" encrypted envelope. 
For example, Alice signs the content of a message, then encrypts it with the 
intent that only Bob see it. Bob (wanting to embarrass Alice) might 
re-encrypt the signed message in Charlie's key and send it to him; Charlie 
might now think that Alice sent him this message since it has her signature! 
Charlie confuses the authenticity resulting from signing the recipient 
(which Alice failed to do) with the confidentially that *can be* provided by 
encryption (which Bob violated by re-transmitting the message).

[Davis] Davis. Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML. Usenix 2001.

Joseph Reagle Jr.       
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair
W3C XML Encryption Chair

Received on Monday, 25 June 2001 13:51:51 UTC