Re: MIME media type literal packet in OpenPGP

Jon Callas <> Mon, 14 March 2011 18:13 UTC

Received: from (localhost []) by (8.14.4/8.14.3) with ESMTP id p2EIDkfp088442 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Mar 2011 11:13:46 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.14.4/8.13.5/Submit) id p2EIDkLY088441; Mon, 14 Mar 2011 11:13:46 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( [] (may be forged)) by (8.14.4/8.14.3) with ESMTP id p2EIDjJn088436 for <>; Mon, 14 Mar 2011 11:13:45 -0700 (MST) (envelope-from
Received: from localhost (localhost []) by (Postfix) with ESMTP id BB76E2E0FF for <>; Mon, 14 Mar 2011 11:16:18 -0700 (PDT)
Received: from ([]) by localhost (host.domain.tld []) (amavisd-maia, port 10024) with ESMTP id 03764-05 for <>; Mon, 14 Mar 2011 11:16:16 -0700 (PDT)
Received: from ( []) (Authenticated sender: jon) by (Postfix) with ESMTPA id 7D8552E0BD for <>; Mon, 14 Mar 2011 11:16:16 -0700 (PDT)
Received: from [] ([]) by (PGP Universal service); Mon, 14 Mar 2011 11:13:42 -0700
X-PGP-Universal: processed; by on Mon, 14 Mar 2011 11:13:42 -0700
Mime-Version: 1.0 (Apple Message framework v1082)
Subject: Re: MIME media type literal packet in OpenPGP
From: Jon Callas <>
In-Reply-To: <>
Date: Mon, 14 Mar 2011 11:13:41 -0700
Message-Id: <>
References: <> <>
To: IETF OpenPGP Working Group <>
X-Mailer: Apple Mail (2.1082)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: Maia Mailguard
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by id p2EIDjJn088437
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>

Hash: SHA1

> I have two complaints about this proposal:
> 1. There is an already widely used way of encapsulating MIME content
> into PGP messages, PGP/MIME (a.k.a. RFC 3156), and this proposal is not
> compatible with it.
> 2. In this proposal, mime type would not be part of the hashed content
> for digital signatures, meaning that it can be changed without breaking
> the digital signature. This is dangerous. PGP/MIME does not have this
> weakness.

Comments on your comments, Daniel.

I think the word MIME is a misnomer, because it has nothing to do content. It has to do with data typing only. It's a way to say that a PGP blob in (e.g. a web page) is of a certain type. Without it, you have to infer type from the file name, which is suboptimal. All that it does is let you say that a PGP output has a certain media type explicitly.

If you're doing a MIME mail message, then yes, that's a much better way to express things. But if you're doing secured web content, especially dynamic content (think Web 2.0 etc.), then it's much better to put the exact media type in the blob, so it can be handled properly when the higher levels get it.

You're absolutely right that it's unsigned. That's unfortunate. It is also what we have to work with. It is, at least, covered by an MDC packet, which is better than nothing and likely good enough. On the other side of it, you don't have to get into trust issues, either, which is a plus. 

This grew out of some fantastic work that Vinnie did for secure Web 2.0 content using OpenPGP as the encryption framework. It let you do things like Facebook messages and lists that Facebook couldn't read itself.


Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii