ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[openpgp] PGP/MIME message mangling

2019-05-22 02:40:30
from [Daniel Kahn Gillmor] [Permanent Link] 
Hi people interested in OpenPGP and PGP/MIME--

I think anyone who has worked with PGP/MIME messages has seen some MTAs
break message structure or formatting in ways that make it difficult or
impossible to perform the correct cryptographic operations on the
message according to the specs.

The fact that the mangling MTA may not be operated by the party whose
message it is mangling makes it rather difficult to report the problem
and get it fixed.  That difficulty is exacerbated by not having a clear
reference for the problem.

Additionally, when some of those manglings become widespread or common,
some implementers craft workarounds based on examples of the
misbehavior.  But often these workarounds are ad-hoc or private -- they
aren't subject to review from the community, and they are tucked away in
code that isn't particularly visible, leading many implementers to
stumble upon similar problems independently and try to work around them
on their own.

I've just published a new draft that aims to collect examples of these
manglings, and recommendations about sensible ways to handle them safely
if you encounter them:

    https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling-00

Only one particular mangling is fully fleshed out in the -00 release
(I've named it "Mixed up" encryption), but a few more are pointed at in
TODOs.

If you have any examples of mangled messages sitting around -- in your
implementation's test suite, in your pile of bugs-to-be-reported, please
think of this draft as a place to collect them, as well as a place to
document how to most effectively work around these failures as they are
encountered by a friendly MUA.

My preferred goal, of course, is to get the MTAs to stop mangling
messages.  If this draft can be used as a reference for that kind of bug
report ("Your MTA appears to be mangling messages according to section
X.Y of this draft"), great!  But even if we succeed in fixing existing
implementations, mangled messages may linger indefinitely in archives,
so having a reference for how to deal with them safely will hopefully be
useful.

I welcome comments and feedback here on the list, and pull requests or
open issues at
https://gitlab.com/dkg/draft-openpgp-pgpmime-message-mangling

I hope this is useful work!

  --dkg

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Question on WKD, Key Discovery, Paul Wouters
Next by Date:  Re: [openpgp] PGP/MIME message mangling, Albrecht Dreß
Previous by Thread:  [openpgp] Question on WKD, Key Discovery, juga
Next by Thread:  Re: [openpgp] PGP/MIME message mangling, Albrecht Dreß
Indexes:  [Date] [Thread] [Top] [All Lists]