[8882] in cryptography@c2.net mail archive
Re: crypto flaw in secure mail standards
daemon@ATHENA.MIT.EDU (Bram Cohen)
Sat Jun 23 14:53:41 2001
Date: Fri, 22 Jun 2001 14:41:58 -0700 (PDT)
From: Bram Cohen <bram@gawth.com>
To: "Jeffrey I. Schiller" <jis@mit.edu>
Cc: Derek Atkins <warlord@mit.edu>, Don Davis <dtd@world.std.com>,
Crypto List <cryptography@wasabisystems.com>
In-Reply-To: <20010622150033.C424@mit.edu>
Message-ID: <Pine.LNX.4.21.0106221435560.9644-100000@ultra.gawth.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Fri, 22 Jun 2001, Jeffrey I. Schiller wrote:
> I believe it is important that message signatures outlive the
> message's encryption layer.
Currently, if you are compromised at some point then an attacker can go
back to the mail archives and read every message you've ever sent or
received. With separate encryption keys, it would be possible to achieve
forward secrecy, so that the old messages would be unreadable to everyone,
including you.
Forward secrecy is arguably a more important property of mail to have than
authentication, and is much easier to build properly, since it doesn't get
into the issues of identity. Unfortunately, none of the current mail
standards support it at all.
In fact, forward secrecy is all that Disappearing Inc. did - does anybody
know how they're doing?
-Bram Cohen
"Markets can remain irrational longer than you can remain solvent"
-- John Maynard Keynes
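Added illustration of the property Bram describes above (not code from the thread or from any mail standard): a long-term recipient key, as S/MIME and PGP use it, lets whoever later steals that key decrypt the whole archive, whereas per-message ephemeral keys whose private halves are deleted after use leave the archive unreadable to everyone, the stolen long-term key included. Everything here is standard-library Python; the DH group constant is the 1024-bit MODP group from RFC 2409, the cipher is a toy encrypt-then-MAC built from SHA-256 and HMAC, and the function names, the sample message and the "attacker tries the stolen key" step are this example's own constructions, not anything the message specifies.

```python
import hashlib
import hmac
import os
import secrets

# 1024-bit MODP group from RFC 2409 (group 2). Used only so the example runs on
# the standard library; a modern curve (X25519) is the real choice today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def keygen():
    """Return (private, public) for one Diffie-Hellman party."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte message key from a DH shared secret."""
    return hashlib.sha256(label + shared.to_bytes(PLEN, "big")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: SHA-256 counter keystream plus an HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Scheme 1: encrypt to the recipient's LONG-TERM public key (the S/MIME / PGP
# shape). The sender's half is fresh per message, the recipient's half never changes.
def static_send(recipient_pub: int, msg: bytes):
    e, E = keygen()
    return E, encrypt(kdf(pow(recipient_pub, e, P), b"static"), msg)


def static_open(recipient_priv: int, E: int, blob: bytes) -> bytes:
    return decrypt(kdf(pow(E, recipient_priv, P), b"static"), blob)


# Scheme 2: both sides contribute a FRESH key pair per message and delete the
# private halves once the message has been read. The long-term key is not used
# for encryption at all (it would only sign, which this example leaves out).
def fs_exchange(msg: bytes):
    ea, EA = keygen()   # recipient's one-time key (a published prekey, say)
    eb, EB = keygen()   # sender's one-time key
    blob = encrypt(kdf(pow(EA, eb, P), b"fs"), msg)
    read_now = decrypt(kdf(pow(EB, ea, P), b"fs"), blob)  # recipient reads it today
    del ea, eb          # private halves are gone; only EA, EB and blob get archived
    return read_now, (EA, EB, blob)


def archive_compromise():
    """Model 'compromised at some point': the attacker steals Alice's long-term
    private key and then reads her mail archive. Returns (static_readable, fs_readable)."""
    a, A = keygen()
    msg = b"constructed sample message: board minutes, do not forward"

    E, blob = static_send(A, msg)
    static_readable = static_open(a, E, blob) == msg   # stolen key opens the archive

    read_now, (EA, EB, blob2) = fs_exchange(msg)
    assert read_now == msg
    try:
        # All the attacker can combine the stolen `a` with is the archived public
        # values; no such combination is the message key, so the tag check fails.
        decrypt(kdf(pow(EA, a, P), b"fs"), blob2)
        fs_readable = True
    except ValueError:
        fs_readable = False
    return static_readable, fs_readable


if __name__ == "__main__":
    print(archive_compromise())  # (True, False)
```

The price of scheme 2 is exactly the one Bram names: once the one-time private keys are deleted, the recipient cannot reopen the archived ciphertext either, so anything worth keeping has to be re-encrypted under a local storage key at read time.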
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com