Re: Protection of header elements in an S/MIME message

2005-02-01 05:01:32

Jim Schaad wrote:
I would recommend looking at RFC 3261 section 23.4.1 for a description of
how SIP handled the comparison problem between the outer and inner headers.

This is by far the biggest area we wussed out on from my perspective. I think it was an intractable rathole, however, so I will defend my wussiness.

The MASS group would not be open to saying that the correct answer is to
have an embedded message that is promoted when found.  I don't know if this
has been implemented by any S/MIME implementation; I would be surprised if it
was widely adopted.

I'm not going to speculate on the adoption, but I would be curious what options are being considered, especially for the purpose of privacy protecting headers (not just digital signatures).

If it's the "list all the headers that are covered by the signature" approach which I think is used by both DomainKeys and IIM, we'd need to supplement that with a solution to handle privacy protected headers, in order for it to be suitable for S/MIME and/or OpenPGP.

I think there is some peril here, Jim -- in one sentence you warn us that MASS won't use an embedded header approach, right after you explain that SIP (and S/MIME) use that exact approach.

The good news is that means I'm completely offending only one of the four people we're supposed to help with the initial direction that I would suggest (using the current S/MIME strategy with better defined rules about header merging).

So should we take this on? Where do people stand on this? I've had enough time to recharge from the last beat-down I took from this issue that I'd probably suit up and take some hits.

Blake Ramsdell | Sendmail, Inc. |