[Top] [All Lists]

Re(2): The subject line leakage problem

2001-12-18 11:11:24

The subject line issue is not a problem in the X.400 world.  SMTP carries 
the subject line is in the envelope.  The corresponding X.400 protocols 
(P1, P3, and P7) do not.  In X.400, the subject line is part of the content.

X.400 does have similar issues with TO, CC, and FROM.  Both SMTP and 
X.400 would like to integrity protect these.


X.400 also carries TO, CC, and FROM in the content.

I would like to steer this discussion toward a signed attribute (a CHOICE 
of IA5String and UTF8String (for international characters that are coming 

Since ASCII characters are encoded identically in a UTF8String and an IA5String 
there is no need to introduce a CHOICE - keep it simple and just define the 
syntax as UTF8String.

My initial cut at the header lines that ought to be included are FROM, 

When displaying the originator of a signed message. S/MIME clients should 
display the Name + RFC822Address from SubjectAltName from the Certificate that 
signed the message in place of the FROM from the RFC822 Header. They should do 
the same e.g. when constructing a reply. So I can see little point adding the 
FROM into this proposed signed attribute. And I think that Paul Hoffman's 
proposal (reproduced below) is more general, and altogether a better solution.

Instead, how about encouraging the use of multipart/mixed which 
starts with text/rfc822-headers. Any headers in that first part are 
to replace the same headers on display only.