On Fri 03.01.2014, 00:33:51 Doug Barton wrote:
> On 01/02/2014 09:35 PM, Hauke Laging wrote:
> | I just noticed that you can easily be deluded about an email being
> | encrypted: That you receive an encrypted mail does not mean that it
> | was sent encrypted. An adversary may encrypt a non-encrypted message
> | (which he has intercepted) in order to create more trust in the
> | message for the recipient: If you receive critical information and
> | are aware that it has not been encrypted then you may react
> | differently from the case where you are sure that it was encrypted.
>
> This threat model doesn't make a lot of sense, except for very naive
> users who cannot distinguish the importance of a message that is
> encrypted vs. a message (encrypted or not) which is signed.
I am quite sure you have misunderstood something. Sorry if I didn't make myself clear.

Do you agree that it is (or, depending on the content, can be) important information whether a message was encrypted by the sender (and for which key)? How can it make little sense to provide this information?

Whether it is more important to encrypt a message or to sign it differs a lot with the content. Thus I do not understand your explanation of importance.

This is similar to SSL/TLS without client negotiation: The client knows (or: can know) whether it is encrypting for the right server. But the server cannot know whether the legitimate client has started the connection or an MitM attacker. If the server demands certainty about that then it has to require the use of client certificates.

But currently there is (AFAIK) no such thing as an analog for the client certificate in the OpenPGP world. The certificate itself is already there, of course, but it is not yet used in a way providing security for the recipient about the confidentiality of the message.

Hauke

-- 
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
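A toy model of the gap discussed in this thread, added here and not taken from the mail or from GnuPG: an HMAC stands in for the sender's OpenPGP signature and a plain dict envelope stands in for encryption (both assumptions), and a signed `encrypted_for` field is one possible way for the sender to attest which key the message was encrypted for, so the recipient can distinguish sender-encrypted mail from plaintext that was re-encrypted in transit.

```python
import hmac
import hashlib
import json

# Constructed values: HMAC with a shared secret stands in for the sender's
# OpenPGP signature, and the "envelope" dict stands in for encryption.
SENDER_SIGNING_KEY = b"constructed-sender-signing-key"
RECIPIENT_FPR = "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"  # constructed


def sign(body, encrypted_for=None, bind=True):
    """Sign a message. With bind=True the signed data records which key
    (if any) the sender encrypted for; bind=False models classic OpenPGP
    where the signature covers the plaintext only."""
    signed = {"body": body}
    if bind:
        signed["encrypted_for"] = encrypted_for
    canonical = json.dumps(signed, sort_keys=True).encode()
    sig = hmac.new(SENDER_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return {"signed": signed, "sig": sig}


def encrypt_for(message, fpr):
    """Stand-in for encryption: anyone holding the message, sender or
    interceptor, can wrap it in an envelope addressed to fpr."""
    return {"encrypted_for": fpr, "payload": message}


def recipient_check(envelope, own_fpr):
    """Return what the recipient can conclude about confidentiality."""
    message = envelope["payload"]
    canonical = json.dumps(message["signed"], sort_keys=True).encode()
    expected = hmac.new(SENDER_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["sig"]):
        return "bad-signature"
    if "encrypted_for" not in message["signed"]:
        # Signature is valid but says nothing about encryption: the envelope
        # may have been added by whoever saw the plaintext in transit.
        return "encryption-unattested"
    if message["signed"]["encrypted_for"] != own_fpr:
        return "encryption-mismatch"
    return "sender-encrypted"


# Scenario 1: sender encrypts and the signature attests to it.
honest = encrypt_for(sign("meet at 9", RECIPIENT_FPR), RECIPIENT_FPR)
# Scenario 2: classic signature, sent in the clear, encrypted by a third party.
reencrypted = encrypt_for(sign("meet at 9", bind=False), RECIPIENT_FPR)
# Scenario 3: sender attested "sent in the clear"; envelope added in transit.
attested_clear = encrypt_for(sign("meet at 9", None), RECIPIENT_FPR)
```

Only scenario 1 yields "sender-encrypted"; the classic signature in scenario 2 cannot tell the recipient anything about encryption, which is the point made in the mail.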
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users