Vincent Breitmoser <***@my.amazin.horse> writes:

>In some more detail:
>https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
>[...] Signed-Only Mails are Useless [...]

Yup, and it's for exactly the reasons given there that the S/MIME WG decided
many years ago not to sign messages sent to the list. Courts, similarly, rule
on the intent of the signer, not some attached bag of bits (see e.g. Steven
Mason's excellent "Electronic Signatures in Law"). So while I wouldn't go so
far as to call them harmful, I'd agree that they're mostly useless, unless
you're using one to make some special point. Even then, if it's for legal
purposes, a court will look at almost everything but the signature when
deciding on its effect.

Peter.

On 11/29/2016 10:18 AM, Vincent Breitmoser wrote:
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it

Confidentiality is not a requirement for a number of my use cases, but
integrity control (including authentication) is. Clearsigned messages
can make archiving easier, and allow for sharing of information across
groups, while still maintaining it is in non-modified form from an
authorized party.

Incidentally I do request confirmation through signed media on a
context-dependent basis in the event of receiving non-signed email.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nosce te ipsum!
Know thyself!

Vincent Breitmoser <***@my.amazin.horse> writes:
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
>
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html

Perhaps you don't see the use cases, but I see many every day: signed
e-mail messages for e-mail based manipulation of databases (e.g., bug
trackers, auto-builders, deployment systems). Clearsigning is
particularly useful because it lets me CC others (they see the command
language, have an opportunity to learn it, question my action---the
social setting of e-mail works very well for interaction with this sort
of command language).

I suppose I could just clearsign a region of a text e-mail, but (a) that
means I need an even more complex UI on mobile devices, and (b) I don't
trust my mail chain not to screw up the formatting---which is part of
why we have PGP/MIME in the first place. The next-best alternative is
a web interface, but that removes the ability to manage it through
mail---with all the threading and conversation conventions that come
with it.


I'm also curious about the UI: do you expect to only offer
(encrypted+signed) and (plaintext)? If there are separate toggles for
encryption and signature anyway, what's the UI benefit?

-Brian

On Tue, Nov 29, 2016 at 10:18:37AM +0100, Vincent Breitmoser wrote:
> Hi all,
>
> (cross-posting on openpgp and messaging mls)
>
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
>
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.
>
> In some more detail:
> https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
> I received positive as well as negative feedback about this, and I'd
> love to hear more thoughts about it.

I work for a company where all mail needs to be signed. If someone
wants me to install an SSH public key on a server, I need to be certain
that the person is who they say they are. Furthermore, if one of the
system administrators sends an announcement email to the all-users list,
encrypting it to all possible employees at the company is not practical.
Signing it is still useful, especially if it includes something like a
Wi-Fi configuration file that people might use on their systems.

I use K-9 Mail for personal and work purposes, and I rely immensely on
the ability to send signed-only emails, often to mailing lists. I think
that's an extremely common and important use case that we shouldn't
forget about. Integrity is important even in cases where
confidentiality is not.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204

Am 29.11.2016 um 10:18 schrieb Vincent Breitmoser:
> Hi all,
>
> (cross-posting on openpgp and messaging mls)
>
> during my work on bringing OpenPGP to K-9 Mail, I found myself
> reevaluating a lot of things. This time it's about signed-only mails.
>
> In short, my conclusion so far is that signed-only mails are very rarely
> useful, they are holding OpenPGP back as a solution for encrypted
> e-mail, and in the interest of usability we should not roll them out in
> email crypto solutions on equal terms with encryption.

I don't think signed only emails are useless. In my personaly opinion I
would love to see all companies sending out signed emails that contain
invoices.
If any company would change their email addresses or someone from
another department sends me an email, I would know that this is
(presumably) not a phishing attack. (At least was sent from someone
within this company which gives me some more trust in the reliability of
its contents.) At the moment I receive an email with a sender address
that might or might not belong to the company. How can I know?
Sure, the company had to put the fingerprints of their key(s) on their
website or tell it on the phone and I would have to check it, but that's
not a very big problem.
Maybe I miss something but, in this case signing seems a good idea to me.


Best regards
Alex Strobel
www.gpg4o.com

Date: Tue, 29 Nov 2016 09:25:45 +0000
From: Peter Gutmann <***@cs.auckland.ac.nz>

Vincent Breitmoser <***@my.amazin.horse> writes:

>In some more detail:
>https://k9mail.github.io/2016/11/24/OpenPGP-Considerations-Part-I.html
>
>[...] Signed-Only Mails are Useless [...]

Yup, and it's for exactly the reasons given there that the S/MIME
WG decided many years ago not to sign messages sent to the list.
Courts, similarly, rule on the intent of the signer, not some
attached bag of bits (see e.g. Steven Mason's excellent "Electronic
Signatures in Law"). So while I wouldn't go so far as to call them
harmful, I'd agree that they're mostly useless, unless you're using
one to make some special point. Even then, if it's for legal
purposes, a court will look at almost everything but the signature
when deciding on its effect.

Courts are not the only imaginable threat model for nonrepudiation of
a sender's message[1].

End-to-end authentication is important for preventing forgery of
conversations between two parties, but of the two ways to accomplish
that -- signatures, where anyone can verify, vs authenticators, where
only recipient can verify -- signatures work against the sender's
interest with no benefit over authenticators in the vast majority of
private messages.

Unfortunately, OpenPGP doesn't have public-key authenticators -- nor
authenticated encryption, and likewise S/MIME[2] -- so it's kludged up
by an ad hoc composition of signature and encryption that fails to
bind the sender and recipient, which has long been known to enable the
recipient of a private message to resend it for comic effect or
worse[5].


[1] Rob Graham, `Politifact: Yes we can fact check Kaine's email',
Errata Security blog, 2016-10-23.
http://blog.erratasec.com/2016/10/politifact-yes-we-can-fact-check-kaines.html

[2] Except perhaps for static-static DH mode described in RFC 2631[3],
but I've never seen evidence that anyone has ever used it in practice,
and have seen evidence of avoiding it[4].

[3] Eric Rescorla, `Diffie-Hellman Key Agreement Method', RFC 2631,
June 1999.
https://www.ietf.org/rfc/rfc2630.txt

[4] `The following features are lower in priority and are not likely
to be included in version 1.0 [of the Mozilla S/MIME toolkit]: CMS:
Static-static Diffie-Hellman Key Agreement Protocol (SSDH) (RFC2630
12.3.1.1)'
http://www-archive.mozilla.org/projects/security/pki/nss/smime/
[retrieved 2016-11-29]

[5] Don Davis, `Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM,
PGP, and XML', 2001-05-05.
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html