IETF Logo Mail Archive

[openpgp] Proposal for update to RFC3156 (PGP/MIME)

Andrew Gallagher <andrewg@andrewg.com> Thu, 28 November 2024 18:00 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23827C1840C0 for <openpgp@ietfa.amsl.com>; Thu, 28 Nov 2024 10:00:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VvYXrI1VSRdq for <openpgp@ietfa.amsl.com>; Thu, 28 Nov 2024 10:00:24 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE756C14EB19 for <openpgp@ietf.org>; Thu, 28 Nov 2024 10:00:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1732816819; bh=hPNSxQC3FkvvIfYM7NGCYz/Zn617/xj/myRfeehfTSE=; h=From:Subject:Date:Cc:To:From; b=WXI9POIbO5RHTAlT2LD1jF3TCu52kO6IV8LD1n5EwnUpJ4MMPcmaBPo5LbQfc27h3 XpsRghV6nGOdmsgqxVyKG9/Iqilw5V9RfrYYu9cyBB7eY5QQZDkCFIBENmZrhOLe7v CoQxy/X76OwD4FNFMf2wq8CJI/HWx1G1eWq+zmHfG2kGf2ujm5ObzhhQnfq5mJuqil Bw/DP0q7h/yc8SDcFIkhNe4El4jVCJb04D3xfSVYCTCALAskoZa4Z91LPvItUN8x5B NzLzGGhSob9Kgc5EK4xn62oFOG97yMimMZ+bxSfex5pYvMnZK0eYrEY7gzK6v8DseZ GVqM7BFJGgNHw==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 1ED0A5ED32; Thu, 28 Nov 2024 18:00:19 +0000 (UTC)
From: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_580D1F99-7A87-4D62-B63B-E57C97757761"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.9\))
Message-Id: <33BAA6B0-64ED-4877-8B94-AEDBC94C1FC1@andrewg.com>
Date: Thu, 28 Nov 2024 17:59:57 +0000
To: IETF OpenPGP WG <openpgp@ietf.org>
X-Mailer: Apple Mail (2.3731.700.6.1.9)
Message-ID-Hash: POJLECYMBXO2KENRKYFXF6XDYRT2WYNR
X-Message-ID-Hash: POJLECYMBXO2KENRKYFXF6XDYRT2WYNR
X-MailFrom: andrewg@andrewg.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Proposal for update to RFC3156 (PGP/MIME)
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/5hVovn5qoGI-lxlxTwG9Q5_VCLw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi, all.

We have previously discussed the possibility of updating RFC3156 to support v6 signatures. One particular concern is how to add the salt to the MIME header, but there is also the (long-standing) question of how to make PGP/MIME messages render more elegantly in naive clients (i.e. without displaying an unknown attachment).

It occurred to me that since the `micalg` parameter in the `Content-type: multipart/signed` specification is fully protocol-specific, we can choose to put anything we want in there. And the easiest way to make it version-agnostic is to replace the digest algorithm name with an armored OpenPGP packet.

If we used an OPS packet, it would look like (using the v6 test vector from RFC9580):

```
Subject: OPS test vector
Content-Type: multipart/signed;
 boundary="12345678”;
 protocol="application/pgp-signature”;
 micalg="pgp-ops:
  xEYGAQobIHZJX1AhiJD39eLuPBgiUU9wUA9VHYblySHkBONKU/usyxhsTwYJppfk
  1S36bHIrDB8eJ8GKVnCPZSXsJ7rZrMkB"

--12345678
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
    charset=utf-8

...
```

Alternatively, we could place the *signature* packet in the headers:

```
Subject: Prefix test vector
Content-Type: multipart/signed;
 boundary="12345678”;
 protocol="application/pgp-signature”;
 micalg="pgp-sig:
  wpgGARsKAAAAKQWCY5ijYyIhBssYbE8GCaaX5NUt+mxyKwwfHifBilZwj2Ul7Ce6
  2azJAAAAAGk2IHZJX1AhiJD39eLuPBgiUU9wUA9VHYblySHkBONKU/usJ9BvuAqo
  /FvLFuGWMbKAdA+epq7V4HOtAPlBWmU8QOd6aud+aSunHQaaEJ+iTFjP2OMW0KBr
  NK2ay45cX1IVAQ=="

--12345678
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8

…
```

The trailing signature MIME part is then redundant, however the multipart/signed spec requires one. So by analogy with multipart/encrypted we could add a fake “inline signature” MIME part, that PGP-aware MUAs could handle gracefully:

```
--12345678
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

This is an OpenPGP signed message. You need an OpenPGP-aware client to verify the signature.

--12345678--
```

Daniel Huigens and I have tested by roundtripping both these constructions through postfix, Gmail and Protonmail -- they survived intact, and also displayed prettily. I haven’t tested whether a PQC-sized prefix signature header would survive such a roundtrip today, however support for such large headers would surely have to be implemented for ARC and DKIM signatures at some point. The OPS construction has the advantage that it will definitely work with PQC now, and the prefix construction has the advantage that it is pretty. Both have the advantage that the micalg parameter and the two MIME parts could be concatenated and streamed directly into the OpenPGP library with minimal pre-processing by the MUA.

Thoughts?

A

v2.35.0 | Report a Bug | By Email | System Status