Re: OpenPGP/MIME changes

[Thomas Roessler <roessler@does-not-exist.org>]

On 2006-07-19 18:02:16 -0500, Brian G. Peterson wrote:

> On Wednesday 19 July 2006 16:08, Thomas Roessler wrote:

>> So, the current OpenPGP/MIME spec is already relatively
>> strict and actually takes away some of the degrees of
>> freedom that the original PGP/MIME left open.  Would you
>> care to elaborate a bit more about what points you'd like
>> to clean up?

> Look back a ways in the archives to the various tabled
> discussions on OpenPGP/MIME and the other variants
> (inline/partitioned) for email.  I remember significant
> issues being discussed around offline signature 
> verification on binary attachments, signatures on signatures
> (chain of evidence), and interoperability issues on the
> layout of MIME parts.

So, summarizing from a round of reading through the archives:

- A requirement was given that certain attachments would have
  to be verified individually.  This can be achieved by
  packaging an individual attachment into a multipart/signed
  and having a signature for just that attachment.  Of course,
  there's nothing that would keep the sender from wrapping the
  entire message into another level of multipart/signed.

  (Incidentally, I don't understand the use case that motivates
  this requirement.  I'd like to hear more about it.)

  I'm not aware of any OpenPGP/MIME implementation that would
  do this on the sending end, but this is not a shortcoming of
  the format.

  Please also note that the "individual" signatures aren't
  necessarily the better ones in all contexts: For instance, I
  rather wouldn't have separate signatures on the parts that
  together make up a multipart/alternative or
  multipart/related.

- I haven't seen any recent interoperability issues on the
  layout of MIME parts, unless this is supposed to allude to
  Outlook's general inability to deal with just about anything
  MIME. This does not strike me as something that OpenPGP/MIME
  should be kludging around.

- Signatures on signatures are easily done, by wrapping one
  multipart/signed into another one.  In the bad old PGP
  tradition of not attributing semantics to anything, this
  should be all that's needed.

- I've skimmed through the documentation of what's now called
  "partitioned" mode; frankly, using well-known attachment file
  names to signal the relationship between the different body
  parts that form a multipart makes me cringe, as does having
  fixed file names for the signature of "the RTF attachment".
  This is wrong on an unhealthy number of levels.
  
  Also, please note that the partitioned format seems not to
  sign the content-type of the signed material, thereby
  subjecting it to attacks based on having material that admits
  multiple interpretations.  (Think postscript source code vs.
  rendered postscript -- I'd send the former as text/plain, and
  the latter as application/postscript.)

Right now, I don't see any particular motivation for changing
the existing OpenPGP/MIME RFC.  I do see use cases for possibly
using the existing spec in a different way in some cases.



One thing that I'm wondering about for the packet-based PGP
format (though it's probably too late for this) is whether
signatures should include an indication of the intended media
type of the signed material.

One could do this by either extending the literal packet, or by
specifying a content-type notation packet.

Considering the interoperability impact of the two approaches,
the notation packet is probably the right way to go.

Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.