On Sun, 18 Jan 2004, Bruce Lilly wrote:
> Could somebody outline a process whereby a single field or group of
> fields in a message could be signed, with the following conditions:
> 1. the mechanism is robust w.r.t. common types of message munging
> (reordered fields, possible dropping of fields (obviously, let's
> assume that the field that is signed isn't dropped), addition of
> trailing whitespace, etc.)

This is where I think multipart/signed got it right and is a big win (he
says with all humility :-). There are only two real requirements.
  - the object to be signed must be canonicalized
  - it must be universally representable
There's a couple details in each of those but basically you create a
7bit opaque object to sign and transfer from the originator to the
recipient. That object is pushed one level inside the message, inside
the outermost multipart/signed.
Now, if you're looking to add a signature (or some other cryptographic
trace value) to the outermost headers and have it apply over the entire
message (including the outermost headers), then you've got a really hard
problem.
Actually, I don't think "really hard problem" begins to describe just
how hard it would be. I can not imagine why anyone would want to do
such a thing. It just isn't practical in today's Internet email
environment.
S/MIME and PGP/MIME inherit this to the extent they use
multipart/signed.

> 2. the mechanism is not subject to replay attacks (e.g. copying the
> signed field from one message to another)

This is a separate requirement, easily included with a protected Date:
and/or nonce available.

> I believe that S/MIME and PGP/MIME signed messages are robust w.r.t.
> those criteria, since the signed message is itself transfer encoded
> (if necessary) and encapsulated via MIME;

They can be robust with respect to replay but are not by default.
Jim
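
The two points in the reply above, as an added example that is not part of the original message: a signature computed over a canonicalized inner part survives munging of the outer message, and a nonce inside the signed part lets the verifier reject a copied signature. HMAC stands in for the S/MIME or PGP signature, and the canonical form, the `X-Nonce` header name and the sample message are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 with a constructed key stands in for the S/MIME or
# PGP signature; only the choice of what gets signed matters here.
KEY = b"constructed-demo-key"

def canonicalize(part: str) -> bytes:
    # Assumed canonical form: CRLF line endings, no trailing whitespace, 7bit.
    lines = part.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("ascii")

def sign(part: str) -> str:
    return hmac.new(KEY, canonicalize(part), hashlib.sha256).hexdigest()

def protected_headers(part: str) -> dict:
    # Headers inside the signed part, up to its first blank line.
    head = canonicalize(part).decode("ascii").split("\r\n\r\n", 1)[0]
    return dict(l.split(": ", 1) for l in head.split("\r\n") if ": " in l)

def verify(part: str, sig: str, seen_nonces: set) -> str:
    if not hmac.compare_digest(sign(part), sig):
        return "bad-signature"
    nonce = protected_headers(part).get("X-Nonce")  # hypothetical header name
    if nonce is None:
        return "valid-but-replayable"  # nothing protected to check against
    if nonce in seen_nonces:
        return "replay"
    seen_nonces.add(nonce)
    return "ok"

# Constructed sample: the signed part carries its own Date and nonce.
PART = ("Content-Type: text/plain\r\n"
        "Date: Sun, 18 Jan 2004 12:00:00 -0500\r\n"
        "X-Nonce: 5f2c9a17\r\n"
        "\r\n"
        "Pay the invoice.\r\n")
SIG = sign(PART)

def munge(outer: list, part: str):
    # Transit damage: outer fields reordered and one dropped, bare LF line
    # endings, trailing whitespace added to every line of the signed part.
    return outer[::-1][1:], part.replace("\r\n", "  \n")
```

The outer header list never enters `sign`, which is why reordering or dropping those fields cannot affect verification.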