On 2006-07-19 18:02:16 -0500, Brian G. Peterson wrote:

> On Wednesday 19 July 2006 16:08, Thomas Roessler wrote:
>
>> So, the current OpenPGP/MIME spec is already relatively
>> strict and actually takes away some of the degrees of
>> freedom that the original PGP/MIME left open. Would you
>> care to elaborate a bit more about what points you'd like
>> to clean up?
>
> Look back a ways in the archives to the various tabled
> discussions on OpenPGP/MIME and the other variants
> (inline/partitioned) for email. I remember significant
> issues being discussed around offline signature
> verification on binary attachments, signatures on signatures
> (chain of evidence), and interoperability issues on the
> layout of MIME parts.

So, summarizing from a round of reading through the archives:

- A requirement was given that certain attachments would have
  to be verified individually. This can be achieved by
  packaging an individual attachment into a multipart/signed
  and having a signature for just that attachment. Of course,
  there's nothing that would keep the sender from wrapping the
  entire message into another level of multipart/signed.

  (Incidentally, I don't understand the use case that motivates
  this requirement. I'd like to hear more about it.)

  I'm not aware of any OpenPGP/MIME implementation that would
  do this on the sending end, but this is not a shortcoming of
  the format.

  Please also note that the "individual" signatures aren't
  necessarily the better ones in all contexts: For instance, I
  rather wouldn't have separate signatures on the parts that
  together make up a multipart/alternative or
  multipart/related.

- I haven't seen any recent interoperability issues on the
  layout of MIME parts, unless this is supposed to allude to
  Outlook's general inability to deal with just about anything
  MIME. This does not strike me as something that OpenPGP/MIME
  should be kludging around.

- Signatures on signatures are easily done, by wrapping one
  multipart/signed into another one. In the bad old PGP
  tradition of not attributing semantics to anything, this
  should be all that's needed.

- I've skimmed through the documentation of what's now called
  "partitioned" mode; frankly, using well-known attachment file
  names to signal the relationship between the different body
  parts that form a multipart makes me cringe, as does having
  fixed file names for the signature of "the RTF attachment".
  This is wrong on an unhealthy number of levels.

  Also, please note that the partitioned format seems not to
  sign the content-type of the signed material, thereby
  subjecting it to attacks based on having material that admits
  multiple interpretations. (Think postscript source code vs.
  rendered postscript -- I'd send the former as text/plain, and
  the latter as application/postscript.)

Right now, I don't see any particular motivation for changing
the existing OpenPGP/MIME RFC. I do see use cases for possibly
using the existing spec in a different way in some cases.

One thing that I'm wondering about for the packet-based PGP
format (though it's probably too late for this) is whether
signatures should include an indication of the intended media
type of the signed material.

One could do this by either extending the literal packet, or by
specifying a content-type notation packet.

Considering the interoperability impact of the two approaches,
the notation packet is probably the right way to go.

Regards,
--
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
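
An added example, not part of the message above and not code from any OpenPGP implementation, of two points it makes: a multipart/signed signature covers the signed part's Content-Type header while a body-only signature does not, and wrapping one multipart/signed in another makes the outer signature cover the inner one. Assumptions: HMAC-SHA256 stands in for an OpenPGP signature, and the key, boundaries and sample body are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for an OpenPGP signature
CRLF = b"\r\n"
# Constructed sample: bytes that read as plain text and also run as PostScript.
BODY = b"%!PS" + CRLF + b"72 720 moveto (hello) show showpage" + CRLF

def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest().encode()

def entity(content_type: bytes, body: bytes) -> bytes:
    """A MIME entity: header, blank line, body. multipart/signed signs all of it."""
    return b"Content-Type: " + content_type + CRLF + CRLF + body

def multipart_signed(signed: bytes, boundary: bytes) -> bytes:
    """Wrap an entity and a signature over it; the result is an entity too."""
    ctype = b'multipart/signed; protocol="application/pgp-signature"; boundary="' + boundary + b'"'
    delim = CRLF + b"--" + boundary
    sig_part = entity(b"application/pgp-signature", sign(signed))
    return entity(ctype, b"--" + boundary + CRLF + signed + delim + CRLF + sig_part + delim + b"--" + CRLF)

def verify(wrapped: bytes, boundary: bytes) -> bool:
    """Check the signature part against the first part, headers included."""
    body = wrapped.split(CRLF + CRLF, 1)[1]
    first, second, _ = body.split(CRLF + b"--" + boundary)
    signed = first[len(b"--" + boundary + CRLF):]
    sig = second.split(CRLF + CRLF, 1)[1]
    return hmac.compare_digest(sign(signed), sig)

def demo() -> dict:
    part = entity(b"text/plain", BODY)
    msg = multipart_signed(part, b"inner")
    relabelled = msg.replace(b"Content-Type: text/plain", b"Content-Type: application/postscript")
    nested = multipart_signed(msg, b"outer")  # signature on a signature
    tampered = nested.replace(sign(part), sign(b"other"))  # swap the inner signature
    body_sig = sign(BODY)  # signature over the body bytes only, media type not covered
    relabelled_body = entity(b"application/postscript", BODY).split(CRLF + CRLF, 1)[1]
    return {
        "signed_entity": verify(msg, b"inner"),
        "relabelled_entity": verify(relabelled, b"inner"),
        "relabelled_body_only": hmac.compare_digest(sign(relabelled_body), body_sig),
        "nested_outer": verify(nested, b"outer"),
        "nested_inner_sig_changed": verify(tampered, b"outer"),
    }

if __name__ == "__main__":
    print(demo())
```

Only the body-only signature still verifies after the part is relabelled from text/plain to application/postscript.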