
Re: Tag, You're It!

2003-12-17 11:57:15

On Wed, 17 Dec 2003, Paul Hoffman / IMC wrote:

    At 12:47 PM -0500 12/17/03, John Stracke wrote:

    >Paul Hoffman / IMC wrote:
    >
    >>At 9:55 AM -0500 12/17/03, John Stracke wrote:
    >>
    >>>Modifying the Subject: line is a Bad Thing; it invalidates digital
    >>>signatures.
    >>
    >>Which digital signatures are you talking about? Neither S/MIME nor
    >>OpenPGP sign the headers in messages, only the bodies.
    >
    >S/MIME can sign the Subject: header (see RFC-1848, section 6.3)

    RFC 1848 is for MOSS, not S/MIME or OpenPGP. MOSS had no significant
    implementation.

Two things.  First, MOSS had *a* significant implementation that was
complete and freely available.  I know because it was my group that
wrote it in a previous life.  It just never had any significant usage or
deployment, but that's a different issue.

Second, John is correct in theory although not in practice.  Section 6.3
of RFC1848 describes how security multiparts (RFC1847) can be used by
MOSS in particular but in practice by any secure email protocol to
protect selected headers of a message.  This is done by signing a
message/rfc822 body part, not just the text/plain (or whatever) content
body part.

S/MIME and OpenPGP can both use security multiparts.

Jim
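
The header-protection mechanism described in the message above, as an added example that is not part of the original post: the whole message, headers included, is wrapped in a message/rfc822 part and that part is what gets signed inside multipart/signed. An HMAC with a constructed key stands in for the S/MIME or OpenPGP signature, and the `application/x-demo-hmac` type, the addresses and the `[ietf]` tag are assumptions made for the demonstration.

```python
import hashlib
import hmac
from email import message_from_bytes

KEY = b"constructed-demo-key"      # assumption: stands in for the signer's key
BOUNDARY = b"sigpart"              # constructed boundary string
DELIM = b"\r\n--" + BOUNDARY       # the leading CRLF belongs to the delimiter

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest().encode()

def build(subject, body):
    """Sign a message/rfc822 part so the inner Subject: is covered."""
    inner = (b"From: alice@example.org\r\nSubject: " + subject
             + b"\r\n\r\n" + body + b"\r\n")
    protected = b"Content-Type: message/rfc822\r\n\r\n" + inner
    return (b"From: alice@example.org\r\nSubject: " + subject + b"\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/signed; boundary="' + BOUNDARY + b'";\r\n'
            b' protocol="application/x-demo-hmac"; micalg=sha-256\r\n'
            + DELIM + b"\r\n" + protected
            + DELIM + b"\r\nContent-Type: application/x-demo-hmac\r\n\r\n"
            + mac(protected)
            + DELIM + b"--\r\n")

def verify(raw):
    """Return (signature_ok, outer Subject, signed inner Subject)."""
    _, first, second, _ = raw.split(DELIM)
    protected = first[2:]                    # drop CRLF after the delimiter
    sig = second.split(b"\r\n\r\n", 1)[1]    # body of the signature part
    ok = hmac.compare_digest(sig, mac(protected))
    outer = message_from_bytes(raw)["Subject"]
    signed = message_from_bytes(protected).get_payload(0)["Subject"]
    return ok, outer, signed

def retag(raw, where):
    """Prefix a list tag to the outer or the inner (signed) Subject: header."""
    head, sep, tail = raw.partition(DELIM)
    if where == "outer":
        head = head.replace(b"Subject: ", b"Subject: [ietf] ", 1)
    else:
        tail = tail.replace(b"Subject: ", b"Subject: [ietf] ", 1)
    return head + sep + tail

if __name__ == "__main__":
    raw = build(b"Hello", b"Constructed sample body.")
    for variant in (raw, retag(raw, "outer"), retag(raw, "inner")):
        print(verify(variant))
```

A list that tags only the outer Subject: leaves the signature valid and the signed copy of the header intact for comparison; any change to the inner copy fails verification.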



