Re: MIME media type literal packet in OpenPGP
Jon Callas <jon@callas.org> Mon, 14 March 2011 18:13 UTC
Received: from hoffman.proper.com (localhost [127.0.0.1]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2EIDkfp088442 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Mar 2011 11:13:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by hoffman.proper.com (8.14.4/8.13.5/Submit) id p2EIDkLY088441; Mon, 14 Mar 2011 11:13:46 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: hoffman.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (thing2.merrymeet.com [173.164.244.100] (may be forged)) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2EIDjJn088436 for <ietf-openpgp@imc.org>; Mon, 14 Mar 2011 11:13:45 -0700 (MST) (envelope-from jon@callas.org)
Received: from localhost (localhost [127.0.0.1]) by merrymeet.com (Postfix) with ESMTP id BB76E2E0FF for <ietf-openpgp@imc.org>; Mon, 14 Mar 2011 11:16:18 -0700 (PDT)
Received: from merrymeet.com ([127.0.0.1]) by localhost (host.domain.tld [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 03764-05 for <ietf-openpgp@imc.org>; Mon, 14 Mar 2011 11:16:16 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTPA id 7D8552E0BD for <ietf-openpgp@imc.org>; Mon, 14 Mar 2011 11:16:16 -0700 (PDT)
Received: from [17.193.15.61] ([17.193.15.61]) by keys.merrymeet.com (PGP Universal service); Mon, 14 Mar 2011 11:13:42 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Mon, 14 Mar 2011 11:13:42 -0700
Mime-Version: 1.0 (Apple Message framework v1082)
Subject: Re: MIME media type literal packet in OpenPGP
From: Jon Callas <jon@callas.org>
In-Reply-To: <4D7A931A.6020503@epointsystem.org>
Date: Mon, 14 Mar 2011 11:13:41 -0700
Message-Id: <0D9FE46E-408B-40EB-BAF2-3078D363FD69@callas.org>
References: <BA0FB11E-591A-4E56-B73A-C68B235855C3@pgpeng.com> <4D7A931A.6020503@epointsystem.org>
To: IETF OpenPGP Working Group <ietf-openpgp@imc.org>
X-Mailer: Apple Mail (2.1082)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: Maia Mailguard
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hoffman.proper.com id p2EIDjJn088437
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I have two complaints about this proposal: > > 1. There is an already widely used way of encapsulating MIME content > into PGP messages, PGP/MIME (a.k.a. RFC 3156), and this proposal is not > compatible with it. > > 2. In this proposal, mime type would not be part of the hashed content > for digital signatures, meaning that it can be changed without breaking > the digital signature. This is dangerous. PGP/MIME does not have this > weakness. Comments on your comments, Daniel. I think the word MIME is a misnomer, because it has nothing to do content. It has to do with data typing only. It's a way to say that a PGP blob in (e.g. a web page) is of a certain type. Without it, you have to infer type from the file name, which is suboptimal. All that it does is let you say that a PGP output has a certain media type explicitly. If you're doing a MIME mail message, then yes, that's a much better way to express things. But if you're doing secured web content, especially dynamic content (think Web 2.0 etc.), then it's much better to put the exact media type in the blob, so it can be handled properly when the higher levels get it. You're absolutely right that it's unsigned. That's unfortunate. It is also what we have to work with. It is, at least, covered by an MDC packet, which is better than nothing and likely good enough. On the other side of it, you don't have to get into trust issues, either, which is a plus. This grew out of some fantastic work that Vinnie did for secure Web 2.0 content using OpenPGP as the encryption framework. It let you do things like Facebook messages and lists that Facebook couldn't read itself. Jon -----BEGIN PGP SIGNATURE----- Version: PGP Universal 2.10.0 (Build 554) Charset: us-ascii wj8DBQFNflrWsTedWZOD3gYRAlm8AJwPYnQz46Uzg2k/q2Niy1npO0szeACg2yuu g2+6IsNLh29RgU5kKXcska0= =QJnd -----END PGP SIGNATURE-----
- Re: MIME media type literal packet in OpenPGP Jon Callas
- Re: MIME media type literal packet in OpenPGP Aaron Toponce
- Re: MIME media type literal packet in OpenPGP Daniel A. Nagy
- Re: MIME media type literal packet in OpenPGP David Shaw
- MIME media type literal packet in OpenPGP Vinnie Moscaritolo