[Cryptography] Does PGP use sign-then-encrypt or encrypt-then-sign?

James A. Donald jamesd at echeque.com
Sun Jan 26 19:26:18 EST 2014


On 2014-01-27 08:44, Peter Todd wrote:
> You're making a lot of assumptions about what users actually need.

Not making any assumptions.

Authentication always needed, to prevent substitution attacks.

Signature seldom needed.

Those are facts, not assumptions.  Always you want the recipient to know 
that you wrote the message, and Mallory did not write the message, so 
that Mallory does not inject himself into the conversation, but you 
seldom want the recipient to be able to prove this to someone else.

> You
> are also forgetting that the most important thing a security system can
> do is communicate accurately to those users about what guarantees it
> actually provides so they can make that decision for themselves.

We cannot unload all that decision making on the end user.  If we expose 
all that complexity to the end user, he is going to run away screaming.  
We have to set reasonable defaults, which 99% of users, 95% of 
programmers, and 95% of cryptographers lack the comprehension to ever alter.

And the reasonable default is authentication but no signature.

> What's interesting is that in the real world message contents are
> generally regarded as sufficient basis for non-repudiation anyway;

There is a word for that: "verbal"; meaning, not the spoken word, but 
that a policeman tells the court that you admitted to the crime.  Courts 
and prosecutors and the New York Times invariably pretend to believe 
policemen, but no one else does.
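
The distinction argued in the message above, authentication without a transferable signature, as an added example that is not part of the original post: a MAC under a key shared only by the two correspondents lets the recipient reject Mallory's substitution, yet proves nothing to a third party, because the recipient could have computed the same tag. The party names, sample messages and the pre-established shared key are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def authenticate(shared_key: bytes, message: bytes) -> bytes:
    """Tag a message with HMAC-SHA256 under the key both correspondents hold."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches this message and key."""
    return hmac.compare_digest(authenticate(shared_key, message), tag)


def demo():
    # Assumption: Alice and Bob already share this key (for example from a
    # key agreement); Mallory does not have it.
    key = os.urandom(32)
    original = b"meet at noon"          # constructed sample message
    tampered = b"meet at midnight"      # Mallory's substituted text

    tag = authenticate(key, original)   # Alice sends (original, tag)

    # Bob accepts the genuine message.
    accepted = verify(key, original, tag)

    # Mallory swaps the body but cannot recompute the tag without the key.
    substitution_accepted = verify(key, tampered, tag)

    # Mallory tagging with a key of his own choosing does not help either.
    mallory_tag = authenticate(os.urandom(32), tampered)
    wrong_key_accepted = verify(key, tampered, mallory_tag)

    # No signature: the tag depends only on (key, message), and Bob holds the
    # key. A tag Bob computes himself is byte-identical to the one Alice
    # would have computed, so showing (message, tag, key) to a third party
    # cannot establish that Alice, rather than Bob, wrote the message.
    claim = b"I owe Bob $1000"
    made_by_alice = authenticate(key, claim)
    made_by_bob = authenticate(key, claim)
    indistinguishable = made_by_alice == made_by_bob

    return accepted, substitution_accepted, wrong_key_accepted, indistinguishable


if __name__ == "__main__":
    print(demo())
```

A digital signature differs at exactly the last step: only the holder of the private key can produce it, which is what makes it usable as evidence to someone else.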


