On 5/4/19 4:10 PM, Albrecht Dreß wrote:
> On 30.04.19 14:29, ilf wrote:
>> https://github.com/RUB-NDS/Johnny-You-Are-Fired
> While testing the MUA Balsa <https://pawsa.fedorapeople.org/balsa/>
> using the proof-of-concept messages provided on GitHub, I noticed that
> many (most? all?) of the RFC 3156 message parts are not recognised by
> it. Looking at the message source (e.g. “Attack Class 'MIME', Test 'M1'
> (PGP/MIME)”), it appears that the header
>     Content-Type: multipart/signed; boundary="BOUNDARY";
>         protocol="application/pgp-signature"
> is missing the “micalg” parameter. However, RFC 3156, sect. 5 states that
>     OpenPGP signed messages are denoted by the "multipart/signed" content
>     type, described in [RFC1847]
> which defines in sect. 2.1
>     Required parameters: boundary, protocol, and micalg
> Consequently, Balsa (and maybe other MUAs, too) simply ignores such
> multipart/signed parts as they don't comply with the standard.
> Did you omit the parameter intentionally, i.e. did I miss something
> interpreting the standards (typically, the value is never used), or are
> these proof-of-concept messages broken?
This is just because these are minimal test cases developed by hand.
Adding the parameter should be fine.
Thanks for your additional testing! For everybody else: Albrecht posted
the test results on the balsa mailing list:
https://mail.gnome.org/archives/balsa-list/2019-May/msg00000.html
Thanks,
Marcus
--
Dipl.-Math. Marcus Brinkmann
Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum
Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
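As an added example, not part of this thread and not code from the Johnny-You-Are-Fired repository or from Balsa, the following Python check implements the rule Albrecht quotes: a multipart/signed part must carry the boundary, protocol and micalg parameters (RFC 1847 sect. 2.1), and for PGP/MIME the protocol is application/pgp-signature with a micalg of the form pgp-<hash> (RFC 3156 sect. 5). It also verifies the RFC 1847 layout of exactly two body parts with the second one matching the protocol. The two sample messages are constructed here for the demonstration; they are not the M1 test message, the signature block is a placeholder rather than a real signature, and the value pgp-sha256 is an assumption about the hash a signer would have used.

```python
"""Check a multipart/signed message against RFC 1847 sect. 2.1 and the
PGP/MIME profile of RFC 3156 sect. 5.  Added example, not project code."""
import email
from email import policy

REQUIRED_PARAMS = ("boundary", "protocol", "micalg")   # RFC 1847 sect. 2.1
PGP_PROTOCOL = "application/pgp-signature"            # RFC 3156 sect. 5

# Constructed sample (not one of the RUB-NDS test cases): the outer header
# carries boundary and protocol but omits micalg, the shape Albrecht reports.
# The signature block is a placeholder, not a real OpenPGP signature.
MISSING_MICALG = b"""\
From: alice@example.org
To: bob@example.org
Subject: constructed multipart/signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="BOUNDARY";
 protocol="application/pgp-signature"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

Hello Bob
--BOUNDARY
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

not-a-real-signature
-----END PGP SIGNATURE-----
--BOUNDARY--
"""

# Same message with the parameter added.  pgp-sha256 is an assumed value; in a
# real message it must name the hash the signature was actually made with.
WITH_MICALG = MISSING_MICALG.replace(
    b'protocol="application/pgp-signature"',
    b'protocol="application/pgp-signature"; micalg="pgp-sha256"',
)


def check_multipart_signed(raw: bytes) -> list[str]:
    """Return a list of problems; an empty list means the part is well-formed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg["Content-Type"]
    if ctype is None or ctype.content_type != "multipart/signed":
        return [f"top-level Content-Type is {msg.get_content_type()}, "
                "not multipart/signed"]
    # ContentTypeHeader.params is keyed by lower-cased parameter name.
    params = dict(ctype.params)
    problems = []
    for name in REQUIRED_PARAMS:
        if name not in params:
            problems.append(f"missing required parameter '{name}'")
    if "protocol" in params and params["protocol"].lower() != PGP_PROTOCOL:
        problems.append(f"protocol is {params['protocol']!r}, not {PGP_PROTOCOL}")
    # RFC 3156: micalg MUST be exactly one hash symbol of the form pgp-<hash>.
    if "micalg" in params and not params["micalg"].lower().startswith("pgp-"):
        problems.append(f"micalg {params['micalg']!r} is not of the form pgp-<hash>")
    # RFC 1847: exactly two body parts, the second matching the protocol.
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        problems.append("multipart/signed must contain exactly two body parts")
    elif parts[1].get_content_type() != PGP_PROTOCOL:
        problems.append(f"second body part is {parts[1].get_content_type()}, "
                        f"expected {PGP_PROTOCOL}")
    return problems


if __name__ == "__main__":
    for label, raw in (("without micalg", MISSING_MICALG), ("with micalg", WITH_MICALG)):
        print(label, "->", check_multipart_signed(raw) or "OK")
```

A MUA that applies the RFC 1847 rule strictly reports the first message as missing micalg and accepts the second; since the micalg value is only a hint for one-pass processing, a verifier that tolerates its absence would still need the protocol parameter and the two-part layout to locate the signature.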