[cryptography] Is it just me or is this fundamentally broken?

Peter Saint-Andre stpeter at stpeter.im
Tue Mar 5 12:02:05 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/5/13 5:17 AM, ianG wrote:
> On 5/03/13 02:42 AM, Peter Gutmann wrote:
>> Quoting http://xmpp.org/extensions/xep-0027.html#signing:
>> 
>> Signing enables a sender to verify that they sent a certain
>> block of text. [...] The text that is signed MAY be the empty
>> string.
>> 
>> (There's no metadata or anything there, just a raw signature).
> 
> 
> 
> The crux of the problem is, what does the signature mean?  What is
> the claim that is being made by the key when it signs that data?
> 
> In the above, the sender verifies they sent a certain block of
> text.
> 
> Not much meat there, but we can try it.  If that's it, and the
> sender insists on sending "nothing" (perhaps in answer to a
> question to which the answer is "nothing") then the signer still
> needs a way to indicate "I'm sending nothing."  Elsewise the
> protocol mechanics of ACKs and so forth mean that the other side
> will continue to say "I'm not hearing nothing from you, please send
> nothing again..."  Over and over...
> 
> Without that understanding, we're floating.  It's like asking
> whether an empty beer glass is cheating in a drinking game, before
> we've established the rules of the game.

See my earlier reply. This technology is not actively used and we (the
XSF) will change the specification to Obsolete.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/
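
The question raised in the quoted text (what a signature over a bare block of text, possibly empty, actually claims) can be shown in a few lines. This is an added example, not part of the thread or of XEP-0027: HMAC-SHA256 under a constructed key stands in for the sender's OpenPGP signature, and the envelope fields, addresses and timestamps are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 under a constructed key stands in for the sender's
# OpenPGP signature, so the example runs with the standard library only.
KEY = b"constructed-demo-key"


def _mac(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def sign_raw(msg: dict) -> str:
    """Sign only the text, as in the quoted spec: no metadata is covered."""
    return _mac(msg["text"].encode())


def canonical(msg: dict) -> bytes:
    """Hypothetical envelope binding the text to sender, recipient and time."""
    fields = {k: msg[k] for k in ("from", "to", "stamp", "text")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_bound(msg: dict) -> str:
    return _mac(canonical(msg))


def verify(msg: dict, sig: str, signer) -> bool:
    """Recompute with the given signer and compare in constant time."""
    return hmac.compare_digest(signer(msg), sig)


def demo() -> dict:
    # Constructed messages: same (empty) text, different recipient and time.
    original = {"from": "alice@example.org", "to": "bob@example.org",
                "stamp": "2013-03-05T12:00:00Z", "text": ""}
    elsewhere = dict(original, to="carol@example.org",
                     stamp="2013-03-06T09:30:00Z")
    raw_sig, bound_sig = sign_raw(original), sign_bound(original)
    return {
        "raw_original": verify(original, raw_sig, sign_raw),
        "raw_elsewhere": verify(elsewhere, raw_sig, sign_raw),
        "bound_original": verify(original, bound_sig, sign_bound),
        "bound_elsewhere": verify(elsewhere, bound_sig, sign_bound),
    }


if __name__ == "__main__":
    print(demo())
```

The text-only signature verifies in both contexts because nothing but the text was signed; the envelope signature verifies only for the message it was made for.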




