RE: The subject line leakage problem
2001-12-27 06:07:16
All,
I for one would be all in favor of putting in place a
fully spec'd kosher solution here.
However the issue of introduction and backwards compatibility
need to be carefully considered. We don't want to have people not
implement the full fix because they are waiting for others to deploy.
I would like to keep the hack on the table as an interim
patch for the time being. Certainly the sooner we stop leaking
subject lines the better
I don't consider the security of any other headers to be
particularly serious. Routing info is disclosed as a matter of course
and the existence of mailling lists and byzantine forwarding makes
the intended recipient issue impossible to resolve.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker(_at_)verisign(_dot_)com
781 245 6996 x227
-----Original Message-----
From: Housley, Russ [mailto:rhousley(_at_)rsasecurity(_dot_)com]
Sent: Tuesday, December 18, 2001 9:42 AM
To: Hallam-Baker, Phillip
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Re: The subject line leakage problem
Phil:
Thanks for raising this issue.
After the intended-recipients discussion, it was clear to me
that several
RFC 821 header lines needed various forms of protection. The
level of
automated checking is different for each of them. Some need
confidentiality, and others do not (and cannot without
disrupting the mail
delivery).
I would like to steer this discussion toward a signed
attribute (a CHOICE
of IA5String and UTF8String (for international characters
that are coming
soon)). The attribute would contain a subset of the header lines.
My initial cut at the header lines that ought to be included
are FROM, TO,
CC, SUBJECT, and DATE. So, for Phil's message that started
this thread,
the attribute would contain:
From: "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com>
To:
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: The subject line leakage problem
Date: Mon, 17 Dec 2001 10:34:39 -0800
I think that the content-hints attribute defined in RFC 2634
should be used
to carry the real subject line when the RFC 821 header
carries a masked
subject line.
Russ
At 10:34 AM 12/17/2001 -0800, Hallam-Baker, Phillip wrote:
All,
One of the ongoing problems with people using PGP
is that people put
confidential information in the mail subject lines, eg:
Subject: Proposed purchase of Excite(_at_)Home
Subject: Your STD test results
Subject: Planned head count reduction
etc.
So over the years there have been plenty of fixes involving
CMS encrypted
attributes etc. which gets into the rat hole of what other
headers to add
in.
So instead of that how about the following fix:
1) A Best Current Practice Draft that says
2) Clients SHOULD offer users the option of replacing the
subject line on
confidential messages and carrying the subject as the first
line in the body
of the message.
So the above message would become
Subject: Confidential
Subject: Confidential
Subject: Confidential
And when opened we get something like:
Subject: Confidential
Subject: Proposed purchase of Excite(_at_)Home
Alice,
Yadda Yadda Yadda ....
So, no need for any modification of existing specs, complete
backwards interop and the bug in the spec gets fixed.
Phill
Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker(_at_)verisign(_dot_)com
781 245 6996 x227
Phillip Hallam-Baker (E-mail).vcf
Description: Binary data
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re(2): The subject line leakage problem, (continued)
Re(2): The subject line leakage problem, Jim Craigie
RE: The subject line leakage problem, Housley, Russ
Re: The subject line leakage problem, Housley, Russ
Re: The subject line leakage problem, Housley, Russ
Re: The subject line leakage problem, Housley, Russ
RE: The subject line leakage problem,
Hallam-Baker, Phillip <=
Re: The subject line leakage problem, Housley, Russ
Re: The subject line leakage problem, Housley, Russ
Re: The subject line leakage problem, Housley, Russ
|
|
|