Jim Schaad <jimsch(_at_)exmsft(_dot_)com> wrote:
I think that we may need to revisit the issue of how S/MIME
protects headers.
In doing some consulting for other groups in the IETF I have
found that there are now four different groups that need a
better solution to this
problem:
S/MIME - uses an encapsulated message (message/rfc822)
SIP - uses an encapsulated message (message/sip)
PGP - uses an encapsulated message (message/rfc822) [I may be
putting words into the PGP working groups collective mouths]
MASS - a new proposed working group looking at providing
authorization information on e-mail messages - no current
solution.
All of these groups would benefit if we define a standard way
to allow for inclusion of RFC822 headers in a message body
along with rules for comparision between the acutal header
and the embedded header.
I would recommend looking at RFC 3261 section 23.4.1 for a
description of how SIP handled the comparison problem between
the outer and inner headers.
The MASS group would not be open to saying that the correct
answer is to have an embedded message that is promoted when
found. I don't know if this has been implemented by any
S/MIME implemenation I would be surprised if it was widely
adopted.
Actually, it strikes me that S/MIME, SIP and PGP have all adopted
the same solution: encapsulate what you want protected. They've
just have taken slightly different approaches to how you deal
with what's there. I'm curious as to why MASS would not be open
to this type of approach.
It has always seemed to be that it would be easy to have a
general attribute that could contain any RFC 822 header. Of
course, you STILL have to specify how and to what extent matching
is done... which would probably have to be application specific.
So we're right back to where we are today.
Chris