Gnus development mailing list
* More information about encrypted parts
@ 2001-11-20 22:28 Vincent Bernat
  2001-11-20 22:42 ` Andreas Fuchs
  2001-11-21  8:16 ` Werner Koch
  0 siblings, 2 replies; 6+ messages in thread
From: Vincent Bernat @ 2001-11-20 22:28 UTC (permalink / raw)


Hi !

Currently, when a part is encrypted, the button states : "[[PGP
Encrypted Part:OK]]". Would it be possible to add the name of the
"encrypter" and the "trust", like for the signature ? 

If I want to fake the identity of someone, I just have to forge the
from and encrypt with some key.

* Re: More information about encrypted parts
From: Andreas Fuchs @ 2001-11-20 22:42 UTC (permalink / raw)


Today, Vincent Bernat <bernat@scientist.com> wrote:
> Currently, when a part is encrypted, the button states : "[[PGP
> Encrypted Part:OK]]". Would it be possible to add the name of the
> "encrypter" and the "trust", like for the signature ? 

This is done already in CVS Gnus together with gpg.el (IIRC). Which
version are you using?

> If I want to fake the identity of someone, I just have to forge the
> from and encrypt with some key.

That was my reasoning as well, but having that much information in a
button (rendered in bold, etc.) is bad for readability. You get the
buttons with trust and signer as labels, but the buttons themselves are
disabled by default.


-- 
Andreas Fuchs, <asf@acm.org>, asf@jabber.at, antifuchs

* Re: More information about encrypted parts
From: Werner Koch @ 2001-11-21  8:16 UTC (permalink / raw)


On Tue, 20 Nov 2001 23:28:46 +0100, Vincent Bernat said:

> Currently, when a part is encrypted, the button states : "[[PGP
> Encrypted Part:OK]]". Would it be possible to add the name of the
> "encrypter" and the "trust", like for the signature ? 

There is no way to know the "encrypter", everyone can send you an
encrypted message without revealing his identity.  Or do you mean the
key IDs of the intended recipients (there are often more than one)?

> If I want to fake the identity of someone, I just have to forge the
> from and encrypt with some key.

The only way to *guess* the "encrypter" is to look at the signature if
the message is signed and encrypted.  But there is no way to protect
against someone who sends you an encrypted message by catching a signed
one and adding the encryption layer.

If you want to send a message and tell the recipient that _you_ have
encrypted it, write a note about this into the message, sign and
encrypt. 


Ciao,

  Werner

* Re: More information about encrypted parts
From: Vincent Bernat @ 2001-11-21  9:43 UTC (permalink / raw)


OoO Night having already covered in ink this Tuesday, 20 November
2001, around 23:42, Andreas Fuchs <asf@void.at> said:

>> Currently, when a part is encrypted, the button states : "[[PGP
>> Encrypted Part:OK]]". Would it be possible to add the name of the
>> "encrypter" and the "trust", like for the signature ? 

> This is done already in CVS Gnus together with gpg.el (IIRC). Which
> version are you using?

I am using the 20 November version. And, unless I "push" the button, I
just get info about encryption, even if the message is encrypted and
signed. I have to push the button to know that this message is
encrypted and signed by X.

If the message is just signed, I get all the information I want.

* Re: More information about encrypted parts
From: Vincent Bernat @ 2001-11-21  9:46 UTC (permalink / raw)


OoO On this sunny morning of Wednesday, 21 November 2001, around
09:16, Werner Koch <wk@gnupg.org> said:

>> Currently, when a part is encrypted, the button states : "[[PGP
>> Encrypted Part:OK]]". Would it be possible to add the name of the
>> "encrypter" and the "trust", like for the signature ? 

> There is no way to know the "encrypter", everyone can send you an
> encrypted message without revealing his identity.  Or do you mean the
> key IDs of the intended recipients (there are often more than one)?

In fact, I mean to display information about the "signer", since an
encrypted message is generally signed too. If there is no signature,
this can be stated too (who will want to encrypt without signing ?).
-- 
I WILL NOT DRIVE THE PRINCIPAL'S CAR
I WILL NOT DRIVE THE PRINCIPAL'S CAR
I WILL NOT DRIVE THE PRINCIPAL'S CAR
-+- Bart Simpson on chalkboard in episode 7F06

* Re: More information about encrypted parts
From: Werner Koch @ 2001-11-21 10:57 UTC (permalink / raw)


On Wed, 21 Nov 2001 10:46:51 +0100, Vincent Bernat said:

> In fact, I mean to display information about the "signer", since an
> encrypted message is generally signed too. If there is no signature,
> this can be stated too (who will want to encrypt without signing ?).

Given all the hassles with DMCA & Cie, researchers who figure out new
vulnerabilities may want to tell the vendor this anonymously but
still encrypted to give them a few days to fix the problem.

In jurisdictions where a digital signature is equal to a handwritten
one, one might not want to sign every mail - someone might take this
as a valid tender.

And there are of course other reasons to send anonymous mail.  Well,
it is still possible to create a dummy signing key as a workaround.


Ciao,

  Werner
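
Added example, not part of the thread and not Gnus or gpg.el code: one way a mail client could build the label discussed above from the status lines GnuPG writes with --status-fd, naming the signer and trust when a signature is present and saying so when there is none. The function names, label wording and sample status lines are constructed for illustration.

```python
import re

PREFIX = "[GNUPG:] "
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed sample status output: signed+encrypted, and encrypted only.
SIGNED = """[GNUPG:] ENC_TO 1111222233334444 16 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Alice Example <alice@example.org>
[GNUPG:] TRUST_FULLY"""
UNSIGNED = """[GNUPG:] ENC_TO 1111222233334444 16 0
[GNUPG:] DECRYPTION_OKAY"""

def addr(text):
    """Return the lowercased address from 'Name <a@b>' or a bare address."""
    m = re.search(r"<([^>]+)>", text)
    return (m.group(1) if m else text).strip().lower()

def button_label(status_text, from_header):
    """Hypothetical helper: summarize the status lines for one MIME part."""
    decrypted, signer, sig, trust = False, None, "none", "unknown"
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        kw, _, rest = line[len(PREFIX):].partition(" ")
        if kw == "DECRYPTION_OKAY":
            decrypted = True
        elif kw == "GOODSIG" and sig != "bad":   # "<keyid> <user id>"
            sig, signer = "good", rest.partition(" ")[2]
        elif kw in ("BADSIG", "ERRSIG"):         # a failure is sticky
            sig = "bad"
        elif kw in TRUST:
            trust = kw[len("TRUST_"):].lower()
    if not decrypted:
        return "[[PGP Encrypted Part:Failed]]"
    # ENC_TO names recipient keys only; nothing identifies who encrypted.
    if sig == "none":
        return "[[PGP Encrypted Part:OK; unsigned, sender unknown]]"
    if sig == "bad":
        return "[[PGP Encrypted Part:OK; signature NOT verified]]"
    # A good signature names who signed the inner text, not who added
    # the encryption layer around it.
    label = f"[[PGP Encrypted Part:OK; signed by {signer}; trust {trust}"
    if addr(signer) != addr(from_header):
        label += "; From differs from signer"
    return label + "]]"
```
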