pem-dev

Re: Nested PEM Messages

1993-12-28 16:45:00

From pem-dev-request(_at_)magellan(_dot_)TIS(_dot_)COM Tue Dec 28 13:02:37 1993
Subject: Nested PEM Messages
Date: Tue, 28 Dec 93 15:36:45 -0500
From: kaufman(_at_)zk3(_dot_)dec(_dot_)com

I have a question for anyone who has built or is building a PEM
implementation.

PEM very carefully puts out brackets on PEM messages and nests
MIC-CLEAR messages so that it is possible to include PEM messages
inside other PEM messages and have the whole thing parsed
unambiguously.  There remains, however, a user interface challenge
in displaying such a nested PEM message in a way that visually 
shows the user what signatures have been verified on what parts of
the message.  Particularly challenging is doing this in a way that
prevents someone from cobbling together a message that the PEM
processor will ignore but will look to the user like it has been
PEM processed and verified.

My question is: has anyone yet taken on this problem?  What do the
existing implementations out there do with nested PEM messages?

I can tell you what I do. In order to verify PEM signatures,
users press the "Verify" button. Upon passing PEM signature
verification procedures, the signed portion of the message is
shown in a message window, the outermost PEM headers having
been stripped off. A valid signature icon, along with the
originator's DN is displayed in a control area, associated with
that message window.

In order to verify nested PEM msgs, the user simply keeps pressing
the Verify button. The outermost PEM headers are stripped off at each
stage, showing in the message window the relevant PEM message body.
The control area shows the signature status/originator DN for that
(nested) message. Users can backtrack out of this unwrapping process
by doing "Undo"s.
 
PEM processing never "ignores" a message. A message has either a
valid signature, or else signature verification has failed. This
may be due to an invalid signature, or because the message was
a non-PEM message. In case of signature verification failure
(due to either an invalid signature, or non-PEM message) the
user is alerted through a pop-up notifier. Dismissing the alert
notice requires action on the part of the user.

Immediately after signature verification, the message window
goes into read-only mode. The user can change the msg window mode to
read-write. If he/she does so, and then changes the message contents, 
the valid signature icon disappears.

At no time is the user presented with a valid signature icon/DN
in the control area, where the text in the message window does
not correspond to a message that has passed PEM signature verification
procedures for that originator (identified by the DN).

Ashar.

[PS. Now that I am writing to pem-dev, is anyone interested in
interoperability testing with my PEM implementation? If so,
please drop me a note. Thanks.]
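
The verify / unwrap / undo behaviour described in the message above, as an added Python sketch that is not part of the original post or the author's implementation. It keeps the signature indicator bound to the exact text in the window. The `X-Demo-DN` and `X-Demo-MIC` headers and the SHA-256 digest check are constructed stand-ins for real PEM originator and MIC-Info processing, and the `Viewer` class and its method names are hypothetical.

```python
import hashlib

BEGIN = "-----BEGIN PRIVACY-ENHANCED MESSAGE-----"
END = "-----END PRIVACY-ENHANCED MESSAGE-----"

def demo_check(headers, body):
    """Stand-in for real MIC verification (assumption): digest match returns the DN."""
    ok = headers.get("X-Demo-MIC") == hashlib.sha256(body.encode()).hexdigest()
    return headers.get("X-Demo-DN") if ok else None

def wrap(dn, body):
    """Build a constructed MIC-CLEAR-style layer, '- ' quoting lines that start with '-'."""
    mic = hashlib.sha256(body.encode()).hexdigest()
    quoted = "\n".join("- " + l if l.startswith("-") else l for l in body.split("\n"))
    head = [BEGIN, "Proc-Type: 4,MIC-CLEAR", f"X-Demo-DN: {dn}", f"X-Demo-MIC: {mic}", ""]
    return "\n".join(head + [quoted, END])

class Viewer:
    def __init__(self, text, check=demo_check):
        self.check = check
        self.stack = [(text, None)]  # (window text, DN shown in control area)

    @property
    def window(self):
        return self.stack[-1][0]

    @property
    def verified_dn(self):
        return self.stack[-1][1]

    def verify(self):
        """Strip one outer layer. True on success; False means 'alert the user'."""
        lines = self.window.split("\n")
        if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END or "" not in lines:
            return False  # non-PEM text is a failure, never silently ignored
        sep = lines.index("")
        headers = dict(h.split(": ", 1) for h in lines[1:sep] if ": " in h)
        body = "\n".join(l[2:] if l.startswith("- ") else l for l in lines[sep + 1:-1])
        dn = self.check(headers, body)
        if dn is None:
            return False  # bad MIC: window and indicator stay as they were
        self.stack.append((body, dn))
        return True

    def edit(self, new_text):
        """Any change to the window text drops the valid-signature indicator."""
        self.stack[-1] = (new_text, None if new_text != self.window else self.verified_dn)

    def undo(self):
        if len(self.stack) > 1:
            self.stack.pop()
```

Because the DN is stored next to the text it was verified for, text that only imitates a verified message never carries an indicator: the window must parse as exactly one PEM message and pass the check before a DN is shown.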
