pgpfan:legends
Differences
This shows you the differences between two versions of the page.
pgpfan:legends [2024/05/02 13:27] – [Misleading Legends Caused by EFAIL] This needs a good analogy b.walzer | pgpfan:legends [2024/06/02 14:33] (current) – Signature stuff relevant to sec 5.2. b.walzer | ||
---|---|---|---|
Line 93: | Line 93: | ||
Someone who did not dig through the actual EFAIL paper for the reference would end up with the impression that OpenPGP signatures were not effective against EFAIL class attacks and were generally weak. That is simply wrong. | Someone who did not dig through the actual EFAIL paper for the reference would end up with the impression that OpenPGP signatures were not effective against EFAIL class attacks and were generally weak. That is simply wrong. | ||
+ | |||
+ | This possible misapprehension is very relevant here. If you accept that OpenPGP signatures are ineffective against EFAIL then you would think that the modification detection provided by the block cipher mode was the last chance to resolve EFAIL. As a result the discussion in section 5.2 would seen to be very important and relevant. Otherwise, if you knew that signatures were effective against EFAIL, things would be more nuanced. You would realize that all EFAIL attack messages would show up as unsigned (anonymous) and encrypted. Unsigned but encrypted messages are troublesome in more ways than just EFAIL. So you might consider solving the larger, more general, issue instead, possibly basing your solution completely on the protection provided by signatures. At that point the discussion in section 5.2 would become irrelevant. | ||
+ | |||
+ | In fairness, it should be mentioned that the question of S/MIME signatures vs EFAIL is also somewhat nuanced. S/MIME provides two types of signatures. One " | ||
+ | |||
---- | ---- |
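Review bot: In the first added paragraph, "would seen to be very important and relevant" should read "would seem to be". The same paragraph also states that all EFAIL attack messages would show up as unsigned (anonymous) and encrypted without giving a reason or a reference. The conclusion that the discussion in section 5.2 "would become irrelevant" rests on that step, so add a short clause saying why it holds, or a pointer to where the page argues it.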
pgpfan/legends.1714656446.txt.gz · Last modified: 2024/05/02 13:27 by b.walzer