X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/fa54fe1eda6977fc8aef0c154f8483e351e20bdd..f387fcb17a980fe165218d217b0187a8c279508a:/catcrypt.1

diff --git a/catcrypt.1 b/catcrypt.1
index aa410b8..56fe297 100644
--- a/catcrypt.1
+++ b/catcrypt.1
@@ -178,7 +178,8 @@ options, to generate the key.
 .TP
 .B ec
 This is the elliptic-curve analogue of
-.BR dh .  Use the
+.BR dh .
+Use the
 .B ec
 algorithm of the
 .BR key (1))
@@ -209,7 +210,8 @@ constructed by the raw KEM.  If there is no
 attribute then the
 .I hash
 in the
-.I kemalgspec is used; if that is absent then the default of
+.I kemalgspec
+is used; if that is absent then the default of
 .B rmd160
 is used.  Run
 .B catcrypt show hash
@@ -526,7 +528,7 @@ being sent somewhere other than standard output.
 .TP
 .B "DATA"
 The plaintext follows, starting just after the next newline character or
-sequence.  This is only produced if main output is being sent to
+sequence.  This is only produced if main output is also being sent to
 standard output.
 .TP
 .BI "INFO " note
@@ -542,7 +544,8 @@ All messages.
 All output written has been checked for authenticity.  However, output
 can fail madway through for many reasons, and the resulting message may
 therefore be truncated.  Don't rely on the output being complete until 
-.B OK is printed or
+.B OK
+is printed or
 .B catcrypt decrypt
 exits successfully.
 .SS "encode"
@@ -644,6 +647,18 @@ that, then \(en leaking intermediate values often voids security
 warranties.  But it does avoid the usual problem with separate signing
 and encryption that a careful leak by the recipient can produce evidence
 that you signed some incriminating message.
+.PP
+Note that
+.BR catcrypt 's
+signatures do
+.I not
+provide `non-repudiation' in any useful way.  This is deliberate: the
+purpose of signing is to convince the recipient of the sender's
+identity, rather than to allow the recipient to persuade anyone else.
+Indeed, given an encrypted and signed message, the recipient can
+straightforwardly construct a new message, apparently from the same
+sender, and whose signature still verifies, but with arbitrarily chosen
+content.
 .SH "CRYPTOGRAPHIC THEORY"
 Encryption of a message proceeds as follows.
 .hP 0.
@@ -681,4 +696,4 @@ That's it.  Nothing terribly controversial, really.
 .BR hashsum (1),
 .BR keyring (5).
 .SH AUTHOR
-Mark Wooding, <mdw@nsict.org>
+Mark Wooding, <mdw@distorted.org.uk>