[21265] in bugtraq
Re: crypto flaw in secure mail standards
daemon@ATHENA.MIT.EDU (Robert Bihlmeyer)
Fri Jun 29 17:46:04 2001
To: Richard Atterer <atterer@informatik.tu-muenchen.de>
Cc: bugtraq@securityfocus.com
From: Robert Bihlmeyer <robbe@orcus.priv.at>
Date: 29 Jun 2001 14:30:06 +0200
In-Reply-To: <20010628134639.E5144@atterer.net>
Message-ID: <87d77nqxip.fsf@orcus.priv.at>
MIME-Version: 1.0
content-Type: multipart/signed; boundary="----------=_993817848-740-5"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Richard Atterer <atterer@informatik.tu-muenchen.de> writes:
> PGP and MUAs with PGP support should either make it very clear that
> the subject is not encrypted, or (ideally) a facility for encrypted
> message headers should be added to OpenPGP.
OpenPGP does not concern itself with these things. The relevant
standards integrating it with MIME (rfc2015 et al.) however do, and
since the signed/encrypted part is just another MIME part, you can put
arbitrary headers there. Nowadays this part usually only has a
Content-Type header, but this is not AFAIK in any way required.
However, MUAs must support that first, i.e. allow you to define
private headers in addition to the public ones, and be able to replace
message headers with those coming from inside a crypto envelope.
Example (the part prefixed with "& " is in reality encrypted):

From: nobody@anonymous.remailer.example.org
To: John Doe <doe@example.net>
Subject: <undisclosed>
[...more standard e-mail headers...]
Content-Type: multipart/encrypted;
protocol="application/pgp-encrypted"; boundary=foo

--foo
Content-Type: application/pgp-encrypted

Version: 1

--foo
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
& From: Fred Smith <whistleblower@example.com>
& Subject: the sylvester memo
& Content-Type: multipart/mixed; boundary=bar
&
& --bar
& Content-Type: text/plain; charset=us-ascii
&
& Attached is a scan of the internal memo that proves the facts I
& talked to you about.
&
& --bar
& Content-Type: image/jpeg
& Content-Transfer-Encoding: base64
&
& [...]
&
& --bar--
-----END PGP MESSAGE-----

--foo--
--
Robbe
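The receiving-side step the post asks MUAs for (replacing the outer, cleartext headers with the ones found inside the crypto envelope), as an added example that is not part of the original post. It assumes the OpenPGP layer has already decrypted and verified the inner part; the PROTECTED header list and both sample messages are constructed for the example.

```python
from email import message_from_bytes, policy
PROTECTED = {"from", "to", "cc", "subject", "date"}  # envelope may override (assumed)

# Constructed sample: the outer message as sent; From/Subject are placeholders.
OUTER = b"""\
From: nobody@anonymous.remailer.example.org
To: John Doe <doe@example.net>
Subject: <undisclosed>
Content-Type: multipart/encrypted;
 protocol="application/pgp-encrypted"; boundary=foo

--foo
Content-Type: application/octet-stream

[ciphertext elided; decrypting it yields INNER below]

--foo--
"""
# Constructed sample: the decrypted inner entity (the "& " part of the post).
INNER = b"""\
From: Fred Smith <whistleblower@example.com>
Subject: the sylvester memo
Content-Type: multipart/mixed; boundary=bar

--bar
Content-Type: text/plain; charset=us-ascii

Attached is a scan of the internal memo.

--bar--
"""

def apply_protected_headers(outer_bytes, decrypted_inner):
    """The decrypted entity becomes the message: its headers win over the outer
    ones, other outer headers are copied in.  Returns (merged, changes) with
    changes=[(name, outer, inner)] so the MUA can show what the envelope overrode."""
    outer = message_from_bytes(outer_bytes, policy=policy.default)
    merged = message_from_bytes(decrypted_inner, policy=policy.default)
    changes = []
    for name, value in outer.items():
        key = name.lower()
        if key.startswith("content-"):
            continue  # describes the multipart/encrypted wrapper only
        if name in merged:
            if key in PROTECTED:
                changes.append((name, str(value), str(merged[name])))
            continue  # protected value from inside the envelope wins
        merged[name] = str(value)  # e.g. To, Message-ID from the outside
    return merged, changes
```

Call this only after decryption (and signature verification) succeeded: the inner headers are trusted precisely because they came out of the envelope, and a MUA should display the recorded changes rather than silently swapping values.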