ietf-openpgp

Re: Shortcomings of current schemes (Was: One-pass signatures)

1998-07-27 07:52:47
-----BEGIN PGP SIGNED MESSAGE-----

In <19980727133359(_dot_)I20261(_at_)sobolev(_dot_)rhein(_dot_)de>, on 07/27/98 
   at 01:33 PM, Thomas Roessler <roessler(_at_)guug(_dot_)de> said:

> To make a long story short: We should consider literal
> data packets as AS IS data.  Their content MUST NOT be
> interpreted by an OpenPGP implementation, but passed to
> the user or invoking software for further inspection.
> These programs MAY then interpret PGP/MIME content type
> definitions and invoke an OpenPGP client to work on the
> nested data.

Sounds good in theory but the problem is no one is doing so in any of the
current PGP implementations and doubtful anyone will be any time soon.

Let's leave the MIME issue alone for right now and work with a simple PGP
ascii-armor example:

Take the example of a message that is clearsigned and sent to A. A
receives the message, signs and encrypts the message and forwards it to B.
When B receives the message and decrypts it he is presented with a literal
packet that in fact contains a PGP clear-signed message.

Now should B's software:

1. Assume that because it is a literal packet, check no further (as per the
spec).

2. Check the literal packet anyway, as unless it is checked the contents
are unknown.


Also, what should A's software do when presented with the original
clear-signed message to be signed & encrypted? Does it just dump the
entire clearsigned message into a literal packet (as current
implementations do) or should it somehow pre-process the message so the
receiving software knows that there is additional PGP data contained in
the message?

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: Windows NT?  New Technology?  I don't think so...

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNbyV749Co1n+aLhhAQHrWwQAsn1cJE0Q3XzGigak8x2ppnDWuKSIVdgW
3PaHI7CpQQxgstE72sv+InU7ots9fACQgYD9W/FEK8Y55pHavyofyDMYxqmlmCwi
cS1LExDhWtEnIlYCGnM7KZKGAIwry1UeqTlvUekEktleCP9oTw8EZ8Rn1IXr6ndZ
DfdMZ5gocaA=
=ckN/
-----END PGP SIGNATURE-----
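
Added example, not part of the original message and not code from any PGP implementation: a sketch of how B's invoking software could inspect the payload of a decrypted literal packet for a nested clear-signed message (option 2 above) without the OpenPGP layer interpreting it. The function names, the routing labels and the sample payload are constructed for illustration; nothing is verified here, the parts are only separated so they can be handed back to an OpenPGP client.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def find_nested_clearsigned(literal_data: bytes):
    """Return (armor_headers, signed_text, signature_armor) if the payload
    holds a cleartext signature framework, else None."""
    lines = literal_data.decode("latin-1").splitlines()
    try:
        start = lines.index(BEGIN_MSG)            # must be a whole line, unquoted
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
        blank = lines.index("", start + 1, sig)   # empty line ends the armor headers
    except ValueError:
        return None
    headers = lines[start + 1:blank]              # e.g. "Hash: SHA1", may be empty
    # Undo dash-escaping: "- " was prepended to signed lines starting with "-".
    text = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]
    return headers, "\n".join(text), "\n".join(lines[sig:end + 1])


def route_literal(literal_data: bytes):
    """Decide what the invoking software does with a literal packet payload."""
    parts = find_nested_clearsigned(literal_data)
    if parts is None:
        return ("opaque", literal_data)           # pass through AS IS
    return ("nested-clearsigned", parts)          # hand back to an OpenPGP client


# Constructed sample: what B sees after decrypting A's forwarded message.
SAMPLE = b"\n".join([
    b"-----BEGIN PGP SIGNED MESSAGE-----",
    b"",
    b"Meeting moved to Tuesday.",
    b"- -- ",
    b"Alice",
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"PLACEHOLDER-NOT-A-REAL-SIGNATURE",
    b"-----END PGP SIGNATURE-----",
    b"",
])

if __name__ == "__main__":
    print(route_literal(SAMPLE))
    print(route_literal(b"just some text\n")[0])
```

A quoted copy of the framework (lines prefixed with "> ") is deliberately treated as opaque, since the delimiter must appear as a complete line.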