This article is a discussion and criticism of various approaches to encryption and signing:
* Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML
I will only discuss the article to the extent it applies to OpenPGP over email.
This article was originally presented as a paper 20 years ago (2021). I have not been able to find any examples of this attack being used in anger. Since the article does not present a demonstration, it is entirely possible that this attack has never been used even once. So chances are that this is not some sort of ongoing crisis…
The article begs the question of risk by assuming that a user might make a particular error of perception based on a misunderstanding of how OpenPGP protected email works. The article does not even state exactly what this error would be.
Surreptitious forwarding works like this:
From this we can see that the user error occurs at the last step. The only way your forwarded signature could contribute to the deception is if the third party incorrectly assumes that the “To:” field of the email was part of the material signed by you. Otherwise this is just an email forgery that would work just as well with an unencrypted and unsigned email.
The article actually disparages the idea that the root cause here could be an understanding error and casts off preexisting opinions to that effect. It then moves ahead based on the assumption that a purely technical solution is possible and desirable.
We can also see the effect of the encryption. The encryption initially limits who has access to your signed message. If this was an unencrypted and signed message then eavesdroppers could also surreptitiously forward your message.
So how likely is it that a user would make this particular error?
Email was set up to be an analogy of the preexisting and well known physical paper mail system. So we have a to and from “address”, a “subject” line, the “carbon copy” (CC), “attachments” and so on. OpenPGP fits into this analogy by adding privacy (the envelope) and signatures.
With paper mail the signature only applies to the writing on the paper contained by the envelope. It does not apply to the writing on the outside of the envelope. The email To:
field is considered to be on the outside of the envelope. So based on hundreds of years of cultural context, no one would be expected to consider the destination address part of the signed material.
Now there is an issue if it is not obvious to the user what is in and what is outside of the envelope. This would mean that it would also not be clear which parts were or were not encrypted. So it is an issue that simply can not be left unaddressed.
Let's consider the examples given by the article of messages that you might send to the untrustworthy someone:
The risk here falls mostly on the third party. They might be tricked into revealing feelings for you that they might otherwise of kept to themselves.
Your mischievous message recipient can't really embarrass you without also revealing that they are the object of your affection. If they are willing to do that then only overt forwarding is required. So this has to actually be an attempt at matchmaking at the middle school level. The person you originally sent the message to would be using their surreptitious forwarding super power for good rather than evil.
This is the most effective example, but only because of the topic. The existence of a signature will make no difference to the third party recipient, They will address the issue or not depending on their nature. The ILOVEYOU email worm is a good example of the principle.
Here the goal is to get you in trouble and/or divert suspicion from the person who actually did the forwarding.
In practice, if your management did not like you then they would accept the email forgery as valid and not bother with the question of the signature before terminating you. If they did like you then they might accept the possibility of the email forgery. After that it would be a relatively easy to determine that your signature only meant that you had made the message and not anything about who you had sent it to.
This seems unlikely to work. Presumably someone would show up and demand money based on your signed email. Since an IOU is an informal agreement, and you did not actually incur the debt to this someone, then you would informally tell them to go away and not bother you anymore.
If this someone attempted to make a claim in court based on your signature they would have to prove that the “U” referred to them … which they could not do. That would also apply to the actual creditor who committed the fraud. This might be a problem for them if you still owed them the money.
Generally the difficulty with exploiting surreptitious forwarding is that you would need someone who understood and believed in the value of email signatures but at the same time did not know their scope. Such people must be very rare.
Easiest is just to refer to the intended recipient in the body of the email. Normally there will be enough context to do this implicitly.
The article suggests a couple of ways to prevent surreptitious forwarding and I have run across another proposal that was probably made after the paper was published. All work by linking the destination of the encryption with the signature somehow. The ultimate intent seems to be to break the signature if the destination of the encryption changes. This does not strike me as a very good approach.
Where we used to have a simple user education problem understandable by most anyone, we now have a difficult documentation problem that involves an obscure technical element. That is assuming that it is even possible for the user to determine what happened to cause their signature to break. Unencrypted but signed messages would inexplicably not have this protection available and so this would have to be documented in a useful way to the user as well.
The user no longer is allowed to choose if they want their signature to include the destination of the message. This seems disrespectful to the user.
Not all forwarding is undesirable. Linking the signature to the encryption destination would break signatures in an encrypted email list system that decrypted incoming messages to the list and reencrypted them to each individual user.
Surreptitious forwarding is not a problem for encrypted email and does not really need to be solved. There are proposed solutions out there that would make things worse.