[Top] [All Lists]

Re: MIME media type literal packet in OpenPGP

2011-03-14 13:30:16

Hash: SHA1

I have two complaints about this proposal:

1. There is an already widely used way of encapsulating MIME content
into PGP messages, PGP/MIME (a.k.a. RFC 3156), and this proposal is not
compatible with it.

2. In this proposal, mime type would not be part of the hashed content
for digital signatures, meaning that it can be changed without breaking
the digital signature. This is dangerous. PGP/MIME does not have this

Comments on your comments, Daniel.

I think the word MIME is a misnomer, because it has nothing to do content. It 
has to do with data typing only. It's a way to say that a PGP blob in (e.g. a 
web page) is of a certain type. Without it, you have to infer type from the 
file name, which is suboptimal. All that it does is let you say that a PGP 
output has a certain media type explicitly.

If you're doing a MIME mail message, then yes, that's a much better way to 
express things. But if you're doing secured web content, especially dynamic 
content (think Web 2.0 etc.), then it's much better to put the exact media type 
in the blob, so it can be handled properly when the higher levels get it.

You're absolutely right that it's unsigned. That's unfortunate. It is also what 
we have to work with. It is, at least, covered by an MDC packet, which is 
better than nothing and likely good enough. On the other side of it, you don't 
have to get into trust issues, either, which is a plus. 

This grew out of some fantastic work that Vinnie did for secure Web 2.0 content 
using OpenPGP as the encryption framework. It let you do things like Facebook 
messages and lists that Facebook couldn't read itself.


Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii


<Prev in Thread] Current Thread [Next in Thread>