IETF Logo Mail Archive

Re: MessageID wording paranoia

Bill Stewart <bill.stewart@pobox.com> Sat, 28 March 1998 03:05 UTC

Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.7.3) id TAA25549 for ietf-open-pgp-bks; Fri, 27 Mar 1998 19:05:09 -0800 (PST)
Received: from dfw-ix15.ix.netcom.com (dfw-ix15.ix.netcom.com [206.214.98.15]) by mail.proper.com (8.8.8/8.7.3) with ESMTP id TAA25545 for <ietf-open-pgp@imc.org>; Fri, 27 Mar 1998 19:05:08 -0800 (PST)
Received: (from smap@localhost) by dfw-ix15.ix.netcom.com (8.8.4/8.8.4) id VAA26658 for <ietf-open-pgp@imc.org>; Fri, 27 Mar 1998 21:04:52 -0600 (CST)
Received: from pax-ca27-02.ix.netcom.com(207.93.145.34) by dfw-ix15.ix.netcom.com via smap (V1.3) id rma026633; Fri Mar 27 21:04:44 1998
Message-Id: <3.0.5.32.19980327190407.00893c70@popd.ix.netcom.com>
X-Sender: stewarts@popd.ix.netcom.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 27 Mar 1998 19:04:07 -0800
To: ietf-open-pgp@imc.org
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Re: MessageID wording paranoia
In-Reply-To: <3.0.3.32.19980326112712.00b75a90@mail.pgp.com>
References: <19980326072652.C12494@sobolev.rhein.de> <199803260326.TAA11589@ignem.omnigroup.com> <199803260117.UAA29524@users.invweb.net> <199803260326.TAA11589@ignem.omnigroup.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-open-pgp@imc.org
Precedence: bulk

At 11:27 AM 3/26/98 -0800, Jon Callas wrote:
>In this particular case, I think there's merit in *suggesting* but not
>mandating that the message id be a function of the message. 
>There's nothing wrong in suggesting that a hash be used, 
>but there are plenty of other suitable ways to do it, including 
>just taking a slice of funtional slice cyphertext, which is mathematically 
>"random" and cannot leak any information. Cyphertext is always sent 
>in the clear, as it were.
>
>I also think there's merit in not mandating how it's done, as long as it's
>deterministic. However, I'm willing to listen to anyone who wants to argue
>that that MUST on determinism be a SHOULD.

There are at least three problems with Message-ID
- Is the implementation secretly leaking data through it?
- Is the implementation leaking data due to bugs or bad design?
- Does the message-ID increase traceability of the message?

The latter's been argued enough times, and we'll assume for the
moment the non-existence of bugs :-)  
The problem with making it only a SHOULD is that the recipient,
and possibly the sender, can't verify whether it's leaking data or not.
If you make documentation of the algorithm a MUST, and the algorithm is
deterministic, then the sender can verify it, but the recipient doesn't
have access to the sender's documentation anyway.  If you make
one or one-of-small-n algorithms mandatory, both the sender and
recipient can check.  I lean towards "SHA1 or MD5 of the cyphertext",
ignoring any armor that might be present or whitespace-munged.

I suppose the same problem exists with initialization vectors and 
session keys, and you can argue that 
- if you _are_ paranoid, you shouldn't be using software without
	reading the source code yourself first
- the sender could also be sending copies of the message to kgbvax
	without sneaking it out through the IV or Message-ID.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639

v2.43.4 | Report a Bug | By Email | System Status