In <01LGVF02QKE200005R(_at_)mauve(_dot_)mrochek(_dot_)com>
ned+ietf-822(_at_)mrochek(_dot_)com writes:
What's really needed is a generic way of computing a hash of a MIME object that
takes as many of these issues as possible into account. I've had the
specification of such a thing on my to-do list literally for years but I never
seem to find the time to finish writing it up.
Basically what you want to do is define a hash methodology that computes
separate hashes on leaf nodes in the MIME object and then combines those
separate hashes along with hashes of canonicalized headers and the MIME
structure itself in a specific way to arrive at a single result. The
advantages of this approach are numerous:
(1) Encodings can be changed without breaking signatures. (This can help
with handling whitespace, and it makes it possible for signatures to
survive 8->7 conversion.)
(2) Boundary markers can be changed without breaking signatures. (How
to handle preamble and postamble text is an interesting side issue here.)
(3) A message store can cache hash values for large leaf objects and use
the cache to quickly sign very large messages.
(4) Some sorts of header mangling can be tolerated.
So, is it time for me to finish the specification for this? Does anybody
care, and more to the point, will anybody actually implement it?
You might like to look at
http://www.imc.org/ietf-usefor/drafts/drafts/draft-lindsey-usefor-signed-01.txt.
ALthough it was designed to solve a different problem, it does include a
vicious canonicalizing algorithm for header fields (though perhaps not
vicious enough).
Also, for body parts it recommends using Content-MD5 for computing hashes
of bodies, and then including the Content-MD5 field in the overall
signature so that, if something fails, you have a better chance of finding
which of various parts of the message it failed in.
Also, as regards suggestions for an application/rfc-822 type, there
already exists (registered with IANA) an application/news-transmission
which was intended for essentially the same purpose - namely to transmit a
complete newsd article without fear of gratuitous munging by intermediate
sites.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave,
CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5