Suggestion for "From:" field below,
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Bonatti,
Sent: mercredi 1 mai 2002 20:15
To: Blake Ramsdell
Cc: IETF SMIME WG
Subject: RE: Protecting fields via message/rfc822 and merging issues
See embedded comments below.
b) Discarding the outer 822 message and looking only at the inner
fields works provided that the inner message is complete. However,
it does not work if only a partial list of fields is included in the
inner message. Also, since we negate the usefulness of the outer
message in all cases, we strongly encourage that it be a blank
"dummy" message. This would effectively require the
application to do security processing even to display
the originator, subject line, etc. -- fields normally
shown in a mailbox view. Blake also correctly pointed
out that this would squash useful headers like "trace"
(i.e., Received:...) and things added by list exploders.
[bcr] Right, and I think this also includes header security
policies (not necessarily cryptography, but generic
rewriting) applied by the organization such as rewritten
address lines for host name hiding or adding disclosed
recipients. I think this is where we start running into a
problem, and where we're in danger of failing.
I don't see this as so big a problem with (c). All you need to do to
make sure that you don't override the outer fields is to ensure that
recipients aren't originating those fields in the inner wrapper. I
could think of a number of ways to implement that. In fact, it sounds
like an excellent market discriminator. :-)
d) Include the signal in a CMS attribute - In a signed-only
or signed-and-encrypted message, the attribute should
probably be in the inner signedAttrs. For encrypted-only
messages, it would have to go in the unprotectedAttrs,
but this is not optimal since it shares the disadvantages
of (a). If this is the way forward, we have to have the
subsequent discussion of whether to use an existing or
Obviously, my belief is that (d) is the only one that
works. However, I'm not happy with how it works in the
encrypted-only case. I'm also somewhat sensitive to
"attribute bloat". I therefore earnestly hope somebody
else sees something that I've missed.
[bcr] I think that the biggest problem I'm having is that
we're trying to mix authenticated / unauthenticated /
encrypted / unencrypted headers together and try to do the
right thing in an automated fashion. As much as as we might
like to define this, I think the only option might be to take
the coward's way out and explain that the presentation and
merging of the headers are the problem of the client, and
that it's not possible to automatically mix them. The
realization that I'm coming to is that there is no utility in
merging the headers, and we shouldn't even attempt it, and we
should document that the client needs to potentially make
decisions about how much to trust the internal headers vs.
the external headers, and it is their responsibility to
demonstrate the separation.
I take the point I think you're making that there might be numerous
GOOD ways of doing this depending on your assumptions, and that there
might therefore not be a BEST way. If a product is capable of showing
you both and indicating what is authenticated or encrypted and what
isn't, that might be best.
[bcr] My thinking right now is along the lines of the
following, and I could very well be missing some important
1. Use message/rfc822 with a full set of headers for the
inner protected content. This is backward compatible, and
it's entirely possible that existing clients might even
process this correctly.
2. Define placebo values for any outer message required
I didn't figure we needed to do this, but it's more important in the
scenario you suggest. For "Date:" I would suggest 1/1/1970 (zero in
UNIX, I think). I guess I don't have a value to suggest for "From:".
The difficulty is that you need to have a minimally conformant address.
Anybody out there have a suggestion?
--------------------- From: John Doe?
3. Explain the client considerations for presentation.
I still think that we can do better than saying nothing here. Perhaps
we can describe a default rule similar to the option (c) I described,
hanging under a SHOULD. That way, if there was a good reason to do
something different it's okay.