On Wed, Jan 12, 2011 at 5:52 AM, David Shaw <ds...@jabberwocky.com> wrote:
> On Jan 11, 2011, at 3:09 PM, Nicholas Cole wrote:
>
>> On Tue, Jan 11, 2011 at 12:19 PM, <d...@geer.org> wrote:
>>>
>>> If one is a purist, then one wants sign>encrypt>sign
>>>
>>> See http://world.std.com/~dtd/#sign_encrypt
>>
>> That is a really interesting paper. Did the OpenPGP protocol ever
>> include a fix for the attack they describe?
>
> No. It was generally felt that this was more of an attack on the user of
> crypto, rather than on the crypto itself.
>
> See this thread from when the paper was first published:
> http://www.mail-archive.com/cryptography@wasabisystems.com/msg00259.html
That thread is clearly right about the bulk of the paper, which is clearly an attack on the user of the crypto. Signing ambiguous messages is not a good idea! But what about the suggestion they made in section 1.2 about not signing crypt texts? Am I right that OpenPGP always encrypts signed text, rather than signing encrypted text, and so is not vulnerable at all?

Best wishes,

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
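The recipient-binding point the linked paper makes, as an added illustration that is not part of this thread and not OpenPGP code: with plain sign-then-encrypt, the signature covers only the text, so a legitimate recipient can re-encrypt the still-signed packet to someone else, who then sees a valid signature. Naming the intended recipient inside the signed data lets a verifier refuse such a copy. Keys, names and messages are constructed, and HMAC and a hash keystream are toy stand-ins for public-key signatures and real encryption.

```python
import hashlib
import hmac
import json

# Constructed keys for a toy setting (not from the thread). HMAC stands in for
# a public-key signature and a SHA-256 keystream for real encryption; only the
# layout of what gets signed matters for the point being made.
SIGN_KEYS = {"alice": b"alice-signing-key"}
ENC_KEYS = {"bob": b"bob-encryption-key", "charlie": b"charlie-encryption-key"}

def sign(signer, data):
    return hmac.new(SIGN_KEYS[signer], data, hashlib.sha256).hexdigest()

def verify(signer, data, sig):
    return hmac.compare_digest(sign(signer, data), sig)

def crypt(recipient, data):
    """Toy symmetric cipher: XOR with a per-recipient keystream (self-inverse)."""
    key = ENC_KEYS[recipient]
    stream = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0]
              for i in range(len(data)))
    return bytes(b ^ k for b, k in zip(data, stream))

def sign_then_encrypt(signer, recipient, text, bind_recipient):
    """Sign first, then encrypt. With bind_recipient the signed data also
    names the intended recipient, which is the paper's suggested fix."""
    body = {"from": signer, "text": text}
    if bind_recipient:
        body["to"] = recipient
    data = json.dumps(body, sort_keys=True)
    packet = json.dumps({"data": data, "sig": sign(signer, data.encode())})
    return crypt(recipient, packet.encode())

def forward(holder, new_recipient, ciphertext):
    """The paper's scenario: the holder decrypts and re-encrypts the
    still-signed packet for someone else without touching the signature."""
    return crypt(new_recipient, crypt(holder, ciphertext))

def open_message(recipient, ciphertext):
    """Decrypt, verify, and refuse a message whose signed data names another
    recipient. Returns (body, status)."""
    packet = json.loads(crypt(recipient, ciphertext))
    data = packet["data"]
    body = json.loads(data)
    if not verify(body["from"], data.encode(), packet["sig"]):
        return None, "bad signature"
    if "to" in body and body["to"] != recipient:
        return None, "signed for another recipient"
    return body, "ok"
```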