S/MIME "security hole" fix


Concerning the the "gaping security hole" of using S/MIME's
multipart/alternative approach with a remote message validation
server:

Since the remote validation server is S/MIME-aware (it is checking the
signature), then it can also check if the message it is verifying is
multipart/alternative.  If it is, then it can simply confirm that the
data in the "clear" part is the same as the data inside the PKCS
part.

This would be a good thing to suggest in the S/MIME spec, thus closing
the "security hole."

- Jeff

<Prev in Thread]	Current Thread	[Next in Thread>
S/MIME "security hole" fix, Jeff Thompson <= Re: S/MIME "security hole" fix, Donald E. Eastlake 3rd Re: S/MIME "security hole" fix, Mark S Feldman Re: S/MIME "security hole" fix, Ned Freed Re: S/MIME "security hole" fix, Ned Freed Re: S/MIME "security hole" fix, Jeff Thompson Re: S/MIME "security hole" fix, Ned Freed Remote validation servers, Jeff Thompson Re: Remote validation servers, Ned Freed Re: Remote validation servers, Mark S Feldman Re: S/MIME "security hole" fix, Mark S Feldman

Previous by Date:	Re: S/MIME, Dave Crocker
Next by Date:	Re: ASN.1 (was: Re: Kerberos v5's ex, Bill Sommerfeld
Previous by Thread:	ASN.1 (was: Re: Kerberos v5's ex, Richard . Ankney
Next by Thread:	Re: S/MIME "security hole" fix, Donald E. Eastlake 3rd
Indexes:	[Date] [Thread] [Top] [All Lists]