ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Fwd: RE: Last Call: 'S/MIME Version 3.1 Message Specification' to Proposed Standard

2004-04-22 07:26:35
from [Russ Housley] [Permanent Link]
Does the S/MIME WG have a response to this comment? I suspect so. Please coordinate a response and send it to iesg(_at_)ietf(_dot_)org before Last Call expires. 

Russ



From: "Peter Hesse" <pmhesse(_at_)geminisecurity(_dot_)com>
To: <iesg(_at_)ietf(_dot_)org>, <ietf(_at_)ietf(_dot_)org>
Cc: "'Blake Ramsdell'" <blake(_at_)brutesquadlabs(_dot_)com>
Subject: RE: Last Call: 'S/MIME Version 3.1 Message Specification' to Proposed Standard 
Date: Wed, 21 Apr 2004 09:34:50 -0400

I am sorry for not catching this hadn't been handled earlier, but I would
like to reiterate a request I made in November 2003 for this document.  The
archived message can be found here:
http://www.imc.org/ietf-smime/mail-archive/msg01800.html or, you can just
read below

--------
I have recently run into a problem with signed emails not being able to be
verified, because of the presence of the word "From" in the first columns of
a line of the email message.  This email will serve as an example of this
potential problem.  If your email client sees this message as signed but the
signature is invalid, the next paragraph should start with the word
"From"--see if it has been modified.

>From appearing as the first characters after a blank line will result in
some email delivery agents (such as sendmail or exim) escaping the
word--"From" is replaced with ">From".   The reason for this behavior has to
do with the UNIX mbox mail storage file format.  The mbox format stores
multiple messages in one file, and the messages are separated by the word
"From" as the first characters following a blank line.  Some mail delivery
agents do not have this problem (i.e. Exchange), because they do not store
messages in the mbox format.  Many do, however, resulting in a modification
of the message and the signature being invalidated.

I would like to request that this issue be more directly dealt with in
son-of-RFC2633.  (Currently, it is mentioned in the example MIME-encoded
message, but nowhere in the text.)  One recommendation might be to borrow
from RFC2015 (MIME Security with PGP), which states:
   Though not required, it is generally a good idea to use Quoted-
   Printable encoding in the first step (writing out the data to be
   signed in MIME canonical format) if any of the lines in the data
   begin with "From ", and encode the "F".  This will avoid an MTA
   inserting a ">" in front of the line, thus invalidating the
   signature!

Perhaps this might even be a SHOULD, although I will ask the group to weigh
in on that.
--------

Thanks,

--Peter Hesse
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  I-D ACTION:draft-ietf-smime-cms-seed-01.txt, Internet-Drafts
Next by Date:  RE: RE: Last Call: 'S/MIME Version 3.1 Message Specification' to Proposed Standard, Blake Ramsdell
Previous by Thread:  I-D ACTION:draft-ietf-smime-cms-seed-01.txt, Internet-Drafts
Next by Thread:  RE: RE: Last Call: 'S/MIME Version 3.1 Message Specification' to Proposed Standard, Blake Ramsdell
Indexes:  [Date] [Thread] [Top] [All Lists]