Re: Split Implementations of PGP
Jon Callas <jon@callas.org> Fri, 18 March 2005 01:55 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA14487 for <openpgp-archive@lists.ietf.org>; Thu, 17 Mar 2005 20:55:31 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2I1cDsi002977; Thu, 17 Mar 2005 17:38:13 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2I1cDSl002976; Thu, 17 Mar 2005 17:38:13 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2I1cBFR002969 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 17:38:11 -0800 (PST) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Thu, 17 Mar 2005 17:38:08 -0800
Received: from [192.168.2.164] ([63.251.255.85]) by keys.merrymeet.com (PGP Universal service); Thu, 17 Mar 2005 17:38:08 -0800
X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 17 Mar 2005 17:38:08 -0800
In-Reply-To: <42396D28.7090703@algroup.co.uk>
References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> <423780A0.40903@algroup.co.uk> <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> <42396D28.7090703@algroup.co.uk>
Mime-Version: 1.0 (Apple Message framework v619.2)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <d14c4009a671449c35ad2fcbbf090d6d@callas.org>
Content-Transfer-Encoding: 7bit
Cc: Ingo Luetkebohle <ingo@fargonauten.de>, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com>
From: Jon Callas <jon@callas.org>
Subject: Re: Split Implementations of PGP
Date: Thu, 17 Mar 2005 17:39:08 -0800
To: Ben Laurie <ben@algroup.co.uk>, OpenPGP <ietf-openpgp@imc.org>
X-Mailer: Apple Mail (2.619.2)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit
On 17 Mar 2005, at 3:42 AM, Ben Laurie wrote: >> It's a small thing, but if message A has one attachment, >> "Attachment.pgp", and message B has two attachments, "Text.pgp" and >> "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail >> message -- one could argue that message A is more secure than message >> B because it leaks less information about its internal structure. > > Are attachment names really not encrypted? If they are (as they should > be) then the only threat is that an attacker knows the number and > (compressed) size of the attachments. I find it hard to get excited > about that. > No, they're not encrypted. This is part of MIME. The MIME part has a file name, and that file name is in the clear. The PGP products do what I described in my previous note; we name them AttachmentN.pgp, and inside the literal packet is the actual name of the resultant file. A number of systems do not encrypt the file names, even when they are using OpenPGP/MIME. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2I1cDsi002977; Thu, 17 Mar 2005 17:38:13 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2I1cDSl002976; Thu, 17 Mar 2005 17:38:13 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2I1cBFR002969 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 17:38:11 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Thu, 17 Mar 2005 17:38:08 -0800 Received: from [192.168.2.164] ([63.251.255.85]) by keys.merrymeet.com (PGP Universal service); Thu, 17 Mar 2005 17:38:08 -0800 X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 17 Mar 2005 17:38:08 -0800 In-Reply-To: <42396D28.7090703@algroup.co.uk> References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> <423780A0.40903@algroup.co.uk> <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> <42396D28.7090703@algroup.co.uk> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <d14c4009a671449c35ad2fcbbf090d6d@callas.org> Content-Transfer-Encoding: 7bit Cc: Ingo Luetkebohle <ingo@fargonauten.de>, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Thu, 17 Mar 2005 17:39:08 -0800 To: Ben Laurie <ben@algroup.co.uk>, OpenPGP <ietf-openpgp@imc.org> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 17 Mar 2005, at 3:42 AM, Ben Laurie wrote: >> It's a small thing, but if message A has one attachment, >> "Attachment.pgp", and message B has two attachments, "Text.pgp" and >> "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail >> message -- one could argue that message A is more secure than message >> B because it leaks less information about its internal structure. > > Are attachment names really not encrypted? If they are (as they should > be) then the only threat is that an attacker knows the number and > (compressed) size of the attachments. I find it hard to get excited > about that. > No, they're not encrypted. This is part of MIME. The MIME part has a file name, and that file name is in the clear. The PGP products do what I described in my previous note; we name them AttachmentN.pgp, and inside the literal packet is the actual name of the resultant file. A number of systems do not encrypt the file names, even when they are using OpenPGP/MIME. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HCtWvK023123; Thu, 17 Mar 2005 04:55:32 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2HCtWdQ023122; Thu, 17 Mar 2005 04:55:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from www.enhyper.com (mailgate.enhyper.com [62.49.250.18]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HCtU4l023096 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 04:55:30 -0800 (PST) (envelope-from iang@systemics.com) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id j2HDsMa07439; Thu, 17 Mar 2005 13:54:38 GMT X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol Message-ID: <42397EFF.40408@systemics.com> Date: Thu, 17 Mar 2005 12:58:39 +0000 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0 (X11/20050219) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> CC: Ben Laurie <ben@algroup.co.uk>, ietf-openpgp@imc.org, Ingo Luetkebohle <ingo@fargonauten.de>, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> Subject: Re: Split Implementations of PGP References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> <423780A0.40903@algroup.co.uk> <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> In-Reply-To: <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > > On 15 Mar 2005, at 4:41 PM, Ben Laurie wrote: > >> Jon Callas wrote: >> >>> On 12 Mar 2005, at 3:24 AM, Ingo Luetkebohle wrote: >>> >>>> Even better would be to have individually encrypted parts. This is >>>> possible with PGP/MIME but not current practice. Trouble being, of >>>> course, that the sender would have to know this is in advance. >>>> >>> Better for whom? >>> One of the reasons that practice is to not have individually >>> encrypted parts is that that has not been considered as good, meaning >>> not as secure. It isn't as convenient for an entity who doesn't have >>> the keys to process such a message, and that's been considered a >>> feature rather than a bug. >> >> >> I'm struggling to understand this - how does this make it any easier >> for an attacker? (Other than log_2(n), where n is the number of parts, >> for the brute force attack). >> > > > It's a small thing, but if message A has one attachment, > "Attachment.pgp", and message B has two attachments, "Text.pgp" and > "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail message > -- one could argue that message A is more secure than message B because > it leaks less information about its internal structure. Right. But, given the mobile platform limitations, Message A is unusable therefore its security argument is null & void; the user has to make *some compromise* in order use the system, and that may well be "giving up a little security." I'm curious as to whether there is a hard proposal for the group behind this? iang -- News and views on what matters in finance+crypto: http://financialcryptography.com/ Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HChjB4018950; Thu, 17 Mar 2005 04:43:45 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2HChjx2018949; Thu, 17 Mar 2005 04:43:45 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from ethos.braverock.com (ethos.braverock.com [66.92.142.163] (may be forged)) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HChirS018939 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 04:43:45 -0800 (PST) (envelope-from brian@braverock.com) Received: from [10.23.1.102] (dsl017-021-008.chi1.dsl.speakeasy.net [69.17.21.8]) (authenticated bits=0) by ethos.braverock.com (8.13.3/8.13.1) with ESMTP id j2HCiEfE030347 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 06:44:15 -0600 From: "Brian G. Peterson" <brian@braverock.com> To: ietf-openpgp@imc.org Subject: Re: Split Implementations of PGP Date: Thu, 17 Mar 2005 06:44:27 -0600 User-Agent: KMail/1.7.2 References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> <42396D28.7090703@algroup.co.uk> In-Reply-To: <42396D28.7090703@algroup.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200503170644.27870.brian@braverock.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thursday 17 March 2005 05:42 am, Ben Laurie wrote: > > Jon Callas wrote: > > It's a small thing, but if message A has one attachment, > > "Attachment.pgp", and message B has two attachments, "Text.pgp" and > > "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail message > > -- one could argue that message A is more secure than message B because > > it leaks less information about its internal structure. > > Are attachment names really not encrypted? If they are (as they should > be) then the only threat is that an attacker knows the number and > (compressed) size of the attachments. I find it hard to get excited > about that. Implementations differ. I've seen some implementations that split out the mime parts that obfuscate the attachment names and others that just add .pgp or .asc to the attachment names. I think that one of the larger issues is that if the mime parts are separate, an attacker could remove a single attachment, effectively changing part of the meaning of what the original sender wanted to say by removing part of the message. Regards, - Brian Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HBgXjb098635; Thu, 17 Mar 2005 03:42:33 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2HBgXUJ098634; Thu, 17 Mar 2005 03:42:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2HBgVLi098611 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 03:42:32 -0800 (PST) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 6672D33C33; Thu, 17 Mar 2005 11:42:30 +0000 (GMT) Message-ID: <42396D28.7090703@algroup.co.uk> Date: Thu, 17 Mar 2005 11:42:32 +0000 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org, Ingo Luetkebohle <ingo@fargonauten.de>, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> Subject: Re: Split Implementations of PGP References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> <423780A0.40903@algroup.co.uk> <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> In-Reply-To: <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > On 15 Mar 2005, at 4:41 PM, Ben Laurie wrote: > >> Jon Callas wrote: >> >>> On 12 Mar 2005, at 3:24 AM, Ingo Luetkebohle wrote: >>> >>>> Even better would be to have individually encrypted parts. This is >>>> possible with PGP/MIME but not current practice. Trouble being, of >>>> course, that the sender would have to know this is in advance. >>>> >>> Better for whom? >>> One of the reasons that practice is to not have individually >>> encrypted parts is that that has not been considered as good, meaning >>> not as secure. It isn't as convenient for an entity who doesn't have >>> the keys to process such a message, and that's been considered a >>> feature rather than a bug. >> >> >> I'm struggling to understand this - how does this make it any easier >> for an attacker? (Other than log_2(n), where n is the number of parts, >> for the brute force attack). >> > > > It's a small thing, but if message A has one attachment, > "Attachment.pgp", and message B has two attachments, "Text.pgp" and > "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail message > -- one could argue that message A is more secure than message B because > it leaks less information about its internal structure. Are attachment names really not encrypted? If they are (as they should be) then the only threat is that an attacker knows the number and (compressed) size of the attachments. I find it hard to get excited about that. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2H9fbw8056733; Thu, 17 Mar 2005 01:41:37 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2H9fbh9056732; Thu, 17 Mar 2005 01:41:37 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2H9facU056722 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 01:41:36 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Thu, 17 Mar 2005 01:41:32 -0800 Received: from [63.73.97.189] ([63.73.97.189]) by keys.merrymeet.com (PGP Universal service); Thu, 17 Mar 2005 01:41:32 -0800 X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 17 Mar 2005 01:41:32 -0800 In-Reply-To: <20050316145559.2c259716@dejavu.usr.sek.int.muc.leogic.com> References: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> <2234e811fef83c145481fec93d8350c1@callas.org> <1110978861.12293.20.camel@chagall.TechFak.Uni-Bielefeld.DE> <20050316145559.2c259716@dejavu.usr.sek.int.muc.leogic.com> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <db531c74e9a48879b58f81587940cbfc@callas.org> Content-Transfer-Encoding: 7bit Cc: Ingo Luetkebohle <ingo@fargonauten.de>, OpenPGP <ietf-openpgp@imc.org> From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Thu, 17 Mar 2005 01:42:34 -0800 To: Lars Eilebrecht <lars@evildoer.de> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > I assume Jon is talking about on-the-fly decryption of incoming > messages, i.e., when the decryption happens before the data hits > the MUA? A MUA usually includes the size of an 'object' in a > request and only expect that many bytes in the response. However, > the size after decryption is almost always different. > IMHO, this is not directly an issue with IMAP, but with the > actual implementation/interpretation of IMAP. > The message size handling is just one of the issues with IMAP ... > e.g., think about bodystructure requests and on-the-fly decryption. > That's precisely what I'm talking about. However, it is an issue with IMAP itself. IMAP has a core assumption that a message has a size that is constant and knowable even when all you're getting is the headers. An IMAP server must reply accurately and precisely the message size when it first informs the client about the message. If that message needs lots of transformations including decryption, this makes determining the precise message size an interesting problem. > But I have to admit that I'm not sure what this has to do with > the original topic of this thread? :-) > I'm giving a warning that simply passing session keys around may not give obvious solutions to the problem being solved. We've spent a lot of time with advanced IMAP features at PGP Corporation. Admittedly, in our case, we're building proxies and proxies don't have liberties that client-server systems do. If IMAP were less fussy about message size, then some of the difficult problems would have obvious solutions. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2H9WObL053642; Thu, 17 Mar 2005 01:32:24 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2H9WOMw053641; Thu, 17 Mar 2005 01:32:24 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2H9WNiP053627 for <ietf-openpgp@imc.org>; Thu, 17 Mar 2005 01:32:23 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Thu, 17 Mar 2005 01:32:19 -0800 Received: from [63.73.97.189] ([63.73.97.189]) by keys.merrymeet.com (PGP Universal service); Thu, 17 Mar 2005 01:32:19 -0800 X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 17 Mar 2005 01:32:19 -0800 In-Reply-To: <423780A0.40903@algroup.co.uk> References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> <423780A0.40903@algroup.co.uk> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <0c2e3b83c1072b50c84c1326c446dfd2@callas.org> Content-Transfer-Encoding: 7bit Cc: ietf-openpgp@imc.org, Ingo Luetkebohle <ingo@fargonauten.de>, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Thu, 17 Mar 2005 01:33:10 -0800 To: Ben Laurie <ben@algroup.co.uk> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 15 Mar 2005, at 4:41 PM, Ben Laurie wrote: > Jon Callas wrote: >> On 12 Mar 2005, at 3:24 AM, Ingo Luetkebohle wrote: >>> Even better would be to have individually encrypted parts. This is >>> possible with PGP/MIME but not current practice. Trouble being, of >>> course, that the sender would have to know this is in advance. >>> >> Better for whom? >> One of the reasons that practice is to not have individually >> encrypted parts is that that has not been considered as good, meaning >> not as secure. It isn't as convenient for an entity who doesn't have >> the keys to process such a message, and that's been considered a >> feature rather than a bug. > > I'm struggling to understand this - how does this make it any easier > for an attacker? (Other than log_2(n), where n is the number of parts, > for the brute force attack). > It's a small thing, but if message A has one attachment, "Attachment.pgp", and message B has two attachments, "Text.pgp" and "ZeSecretPlans.doc.pgp" -- which each decompose to the same mail message -- one could argue that message A is more secure than message B because it leaks less information about its internal structure. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GNgT9j026595; Wed, 16 Mar 2005 15:42:29 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2GNgTh3026594; Wed, 16 Mar 2005 15:42:29 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp-relay1.uni-bielefeld.de (IDENT:72@smtp-relay1.uni-bielefeld.de [129.70.4.97]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GNgRBX026577 for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 15:42:28 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from pmxchannel-daemon.mail1.hrz.uni-bielefeld.de by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) id <0IDG0060GXUKIN@mail1.hrz.uni-bielefeld.de> for ietf-openpgp@imc.org; Thu, 17 Mar 2005 00:42:20 +0100 (MET) Received: from pc-hans.dhcp.lcl.studentenwerk-bielefeld.de (pc-hans.dhcp.lcl.studentenwerk-bielefeld.de [10.128.53.36]) by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTPS id <0IDG00G3TXUDFN@mail1.hrz.uni-bielefeld.de>; Thu, 17 Mar 2005 00:42:13 +0100 (MET) Date: Thu, 17 Mar 2005 00:42:20 +0100 From: Ingo Luetkebohle <ingo@fargonauten.de> Subject: RE: Split Implementations of PGP In-reply-to: <EDD694D47377D7119C8400D0B77FD3310124CD70@nhmail2.brooktrout.com> To: Eric Burger <eburger@brooktrout.com> Cc: OpenPGP <ietf-openpgp@imc.org> Message-id: <1111016540.5109.302.camel@localhost.localdomain> MIME-version: 1.0 X-Mailer: Evolution 2.0.2 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-O4oUR7Rf/6OxWJJ4kibX" X-Spam-Level: X-UniBi-Spam-Level: , 7% X-UniBi-Spam-Rules: __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_VERSION 0, __SANE_MSGID 0 X-UniBi-Deliver: Tag X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.0.3.0, Antispam-Data: 2005.3.16.16, vscan4.hrz.uni-bielefeld.de References: <EDD694D47377D7119C8400D0B77FD3310124CD70@nhmail2.brooktrout.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-O4oUR7Rf/6OxWJJ4kibX Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Am Mittwoch, den 16.03.2005, 16:19 -0500 schrieb Eric Burger: > Note that I *chose* to trust the server FOR THIS MESSAGE ONLY. That is w= hy > we asked the question about split implementations. It would be VERY BAD = if > we had to trust the server with our private key. I like the selectivity and it appears that, given current PGP/MIME practice, your suggestion is the best one can do. I'd like to suggest something in addition to that: Allow for *replacement* of the session-key packet, instead of decryption. Here's how it would work: The client receives the encrypted session key from the server, decrypts it, *immediately recrypts* using the recipients public key and passes the encrypted session-key back to the server. The server then proceeds to *replace* the encrypted session key in the message (without ever decrypting it!) and forwards it to the intended recipient. Because the session key stays the same, the recipient can decrypt it. When used with separately encrypted attachments, it would enable forwarding something without ever downloading it, and without the server ever seeing the decrypted content. This wouldn't be terribly useful right now, because all clients encrypt the whole message and I would have trouble making a forwarding decision without looking at the content, but when a client ever implements a different PGP/MIME usage, the combination would be terrific, in my very humble opinion. There's one possible gotcha: I don't know about the security implications of encrypting the same plaintext (here, the session key) with two different public keys. I can't think of any problems right now, but wouldn't exclude the possibility of a leak to occur. I hope there's enough cryptographers here to shout in that event, though :) Ingo --=-O4oUR7Rf/6OxWJJ4kibX Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCOMRczZDBZDStzlsRAhl0AJ4qSKaMqHdUITazHywnE2i37P/tcACgoQ5i 0BrCSuRiotpGtNpovD9+F4A= =DfKl -----END PGP SIGNATURE----- --=-O4oUR7Rf/6OxWJJ4kibX-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GLQ989013545; Wed, 16 Mar 2005 13:26:09 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2GLQ9s4013544; Wed, 16 Mar 2005 13:26:09 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from salvelinus.brooktrout.com (salvelinus.brooktrout.com [204.176.205.6]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GLQ8Eb013533 for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 13:26:08 -0800 (PST) (envelope-from eburger@brooktrout.com) Received: from nhmail2.needham.brooktrout.com (nhmail2.brooktrout.com [204.176.205.242]) by salvelinus.brooktrout.com (8.12.5/8.12.5) with ESMTP id j2GLNJHD023172; Wed, 16 Mar 2005 16:23:19 -0500 (EST) Received: by nhmail2.brooktrout.com with Internet Mail Service (5.5.2653.19) id <GZABLCSY>; Wed, 16 Mar 2005 16:19:18 -0500 Message-ID: <EDD694D47377D7119C8400D0B77FD3310124CD70@nhmail2.brooktrout.com> From: Eric Burger <eburger@brooktrout.com> To: Ingo Luetkebohle <ingo@fargonauten.de> Cc: OpenPGP <ietf-openpgp@imc.org> Subject: RE: Split Implementations of PGP Date: Wed, 16 Mar 2005 16:19:17 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Forward without download: I've got a 100MB document and a piece of text saying, "here is the very important document you need to send to foo". I *chose* to trust the server, this time, to decrypt the message for me and tell me the body structure (a big document and a piece of text). I download the text, and I decide to forward the document. I tell the server to do the forwarding for me on my behalf. Note that I *chose* to trust the server FOR THIS MESSAGE ONLY. That is why we asked the question about split implementations. It would be VERY BAD if we had to trust the server with our private key. > -----Original Message----- > From: owner-ietf-openpgp@mail.imc.org > [mailto:owner-ietf-openpgp@mail.imc.org]On Behalf Of Ingo Luetkebohle > Sent: Wednesday, March 16, 2005 8:14 AM > To: Jon Callas > Cc: OpenPGP > Subject: Re: Split Implementations of PGP > > > > Am Mittwoch, den 16.03.2005, 01:46 -0800 schrieb Jon Callas: > > Something that would help those of us doing crypto and IMAP > would be > > for IMAP to be less fussy about message size. > > [...] > > It would be very usefull, for me at least, if you could re-state your > use-case here. I'm getting the impression that I'm missing something > fundamental. > > I'm always reading about server-side decryption. Some people seem to > see it as a solution for the "one big chunk of ciphertext" > problem. I'm > not sure what else it would be good for. > > For me, server-side decryption is a nightmare. Pure and evil. > > It conflicts with my beliefs about how an end-to-end crypto solution > should work. Its not a solution, its a kludge and I'd much rather > address the *real* problem. > > The server is completely untrusted. Much too much of my personal data > is on other's servers already. Organizations or people, who > might have > different priorities in protecting it than I have. Thats why I use > end-to-end encryption when it matters. > > If people say, adressing the real problem would require > influencing the > senders behaviour, and we can't do that, and so we need a work-around > now -- fine. I can understand that. But still, shouldn't that prompt > us to think about wether we *need* to be able to influence the senders > behaviour in more ways than we can now? > > > P.S. Regarding IMAP and message sizes: If I get an encrypted message, > the size of the attachment *is* the message size. That decryption > yields a different size doesn't matter because it occurs on > the client, > after download. > > Regards > > -- > "There is no limit to what a man can do or how far he can go if he > doesn't mind who gets the credit." - Robert Woodruff > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GDu7te072374; Wed, 16 Mar 2005 05:56:07 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2GDu7mU072373; Wed, 16 Mar 2005 05:56:07 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mx1.ciphirelabs.net (mx1.ciphirelabs.net [217.72.114.64]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GDu5bO072349 for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 05:56:07 -0800 (PST) (envelope-from lars@evildoer.de) Received: from dejavu.usr.sek.int.muc.leogic.com (ciphirelabs.net [217.72.114.248]) by mx1.ciphirelabs.net (Postfix) with ESMTP id 37766CA4114; Wed, 16 Mar 2005 13:56:02 +0000 (UTC) Received: by dejavu.ciphirelabs.com with esmtp (Exim 3.35 #1 (Debian)) id 1DBZ0B-0004sR-00; Wed, 16 Mar 2005 14:55:59 +0100 Date: Wed, 16 Mar 2005 14:55:59 +0100 From: Lars Eilebrecht <lars@evildoer.de> To: Ingo Luetkebohle <ingo@fargonauten.de> Cc: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org> Subject: Re: Split Implementations of PGP Message-ID: <20050316145559.2c259716@dejavu.usr.sek.int.muc.leogic.com> In-Reply-To: <1110978861.12293.20.camel@chagall.TechFak.Uni-Bielefeld.DE> References: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> <2234e811fef83c145481fec93d8350c1@callas.org> <1110978861.12293.20.camel@chagall.TechFak.Uni-Bielefeld.DE> X-Mailer: Sylpheed-Claws 1.0.1 (GTK+ 1.2.10; i386-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> According to Ingo: > P.S. Regarding IMAP and message sizes: If I get an encrypted message, > the size of the attachment *is* the message size. That decryption > yields a different size doesn't matter because it occurs on the client, > after download. I assume Jon is talking about on-the-fly decryption of incoming messages, i.e., when the decryption happens before the data hits the MUA? A MUA usually includes the size of an 'object' in a request and only expect that many bytes in the response. However, the size after decryption is almost always different. IMHO, this is not directly an issue with IMAP, but with the actual implementation/interpretation of IMAP. The message size handling is just one of the issues with IMAP ... e.g., think about bodystructure requests and on-the-fly decryption. But I have to admit that I'm not sure what this has to do with the original topic of this thread? :-) ciao... -- Lars Eilebrecht lars@eilebrecht.net Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GDEklA065377; Wed, 16 Mar 2005 05:14:46 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2GDEkCh065376; Wed, 16 Mar 2005 05:14:46 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailout.TechFak.Uni-Bielefeld.DE (mailout.TechFak.Uni-Bielefeld.DE [129.70.136.245]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2GDEiRh065355 for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 05:14:44 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from chagall.TechFak.Uni-Bielefeld.DE (chagall.TechFak.Uni-Bielefeld.DE [129.70.139.44]) by momotombo.TechFak.Uni-Bielefeld.DE (8.12.11/8.12.11/TechFak/2005/03/01/sjaenick) with ESMTP id j2GDELpp018902 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Wed, 16 Mar 2005 14:14:23 +0100 (MET) Subject: Re: Split Implementations of PGP From: Ingo Luetkebohle <ingo@fargonauten.de> To: Jon Callas <jon@callas.org> Cc: OpenPGP <ietf-openpgp@imc.org> In-Reply-To: <2234e811fef83c145481fec93d8350c1@callas.org> References: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> <2234e811fef83c145481fec93d8350c1@callas.org> Content-Type: text/plain Date: Wed, 16 Mar 2005 14:14:21 +0100 Message-Id: <1110978861.12293.20.camel@chagall.TechFak.Uni-Bielefeld.DE> Mime-Version: 1.0 X-Mailer: Evolution 2.0.0 Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Am Mittwoch, den 16.03.2005, 01:46 -0800 schrieb Jon Callas: > Something that would help those of us doing crypto and IMAP would be > for IMAP to be less fussy about message size. [...] It would be very usefull, for me at least, if you could re-state your use-case here. I'm getting the impression that I'm missing something fundamental. I'm always reading about server-side decryption. Some people seem to see it as a solution for the "one big chunk of ciphertext" problem. I'm not sure what else it would be good for. For me, server-side decryption is a nightmare. Pure and evil. It conflicts with my beliefs about how an end-to-end crypto solution should work. Its not a solution, its a kludge and I'd much rather address the *real* problem. The server is completely untrusted. Much too much of my personal data is on other's servers already. Organizations or people, who might have different priorities in protecting it than I have. Thats why I use end-to-end encryption when it matters. If people say, adressing the real problem would require influencing the senders behaviour, and we can't do that, and so we need a work-around now -- fine. I can understand that. But still, shouldn't that prompt us to think about wether we *need* to be able to influence the senders behaviour in more ways than we can now? P.S. Regarding IMAP and message sizes: If I get an encrypted message, the size of the attachment *is* the message size. That decryption yields a different size doesn't matter because it occurs on the client, after download. Regards -- "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2G9jaBD092528; Wed, 16 Mar 2005 01:45:36 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2G9jaT3092527; Wed, 16 Mar 2005 01:45:36 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2G9jZ7k092513 for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 01:45:35 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6) for <ietf-openpgp@imc.org>; Wed, 16 Mar 2005 01:45:29 -0800 Received: from [63.73.97.189] ([63.73.97.189]) by keys.merrymeet.com (PGP Universal service); Wed, 16 Mar 2005 01:45:29 -0800 X-PGP-Universal: processed; by keys.merrymeet.com on Wed, 16 Mar 2005 01:45:29 -0800 Mime-Version: 1.0 (Apple Message framework v619.2) In-Reply-To: <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> References: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <2234e811fef83c145481fec93d8350c1@callas.org> Content-Transfer-Encoding: 7bit From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Wed, 16 Mar 2005 01:46:37 -0800 To: OpenPGP <ietf-openpgp@imc.org> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Something that would help those of us doing crypto and IMAP would be for IMAP to be less fussy about message size. We have the problem that while SMTP and POP consider size information about a message to be advisory, IMAP considers it to be definitive. When you have a message that is compressed, encrypted, signed, base64 encoded, put into quoted-printable, etc., it can be very hard to answer the question, "How big is that message?" definitively. While POP, for example, will accept the answer "Um, around 15K" and copes just fine with the real answer being either 3K or 50K, IMAP does not. The IMAP client will expect the size reported to be accurate down to the byte. If there is more, the client will never ask for it, and if there's less, the client hyperventilates and breaks down sobbing. If there is anything that further work on IMAP, be it Lemonade, or anything else does that could help security, it would be to break IMAP's prissiness about message length. The main advantage that this sesson-key decrypting protocol has is that it exposes the server to relatively little of the actual plaintext. However, while this is a theoretic benefit, the practical benefit is lessened by the length requirements. Let's suppose I connect to my server and have ten new messages, all of which are encrypted, say five with OpenPGP and five with S/MIME. My client program is going to display the lengths of the messages, but that isn't knowable without decrypting them. So immediately with the headers, all ten of those messages have to be decrypted and processed so that the lengths will be accurate. This slows the system down, because it requires a complete round-trip of session key decryption for each message as well as preliminary processing of the message on the server. If that client program is a mobile device, this is especially bad because the heavy lifting (the public key crypto) is being done on the light device, and the easy lifting (the bulk crypto processing) is being done on the powerful device. What happens is that this architecture maximally slows the email processing down, with relatively low security gains, because the server has gotten the session key for all ten messages, even though I've read exactly zero of them. I'd like to see a change to IMAP that allows for the message's length to be advisory until it's actually read. It's relatively easy to do -- you have to have a way to ask the server simply, "Is there more?" as well as the server to be able to return a short (even zero-length) glob of message text. This gives a slightly counter-intuitive display on the client. I might look at a list of messages and see that one is 8K long, and when I read that message its length updates to 13K. But in return, we'd be able to defer the cryptography to when a message is actually read, rather than when it enters my inbox. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2G0f6Vb076139; Tue, 15 Mar 2005 16:41:06 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2G0f6vo076138; Tue, 15 Mar 2005 16:41:06 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2G0f5dM076131 for <ietf-openpgp@imc.org>; Tue, 15 Mar 2005 16:41:05 -0800 (PST) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id E95FB33C45; Wed, 16 Mar 2005 00:41:03 +0000 (GMT) Message-ID: <423780A0.40903@algroup.co.uk> Date: Wed, 16 Mar 2005 00:41:04 +0000 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> Cc: Ingo Luetkebohle <ingo@fargonauten.de>, ietf-openpgp@imc.org, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> Subject: Re: Split Implementations of PGP References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> In-Reply-To: <4a49e21cbfe5082388d5a7186dcfc089@callas.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > > On 12 Mar 2005, at 3:24 AM, Ingo Luetkebohle wrote: > >> Even better would be to have individually encrypted parts. This is >> possible with PGP/MIME but not current practice. Trouble being, of >> course, that the sender would have to know this is in advance. >> > > Better for whom? > > One of the reasons that practice is to not have individually encrypted > parts is that that has not been considered as good, meaning not as > secure. It isn't as convenient for an entity who doesn't have the keys > to process such a message, and that's been considered a feature rather > than a bug. I'm struggling to understand this - how does this make it any easier for an attacker? (Other than log_2(n), where n is the number of parts, for the brute force attack). -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2FNdNfo071071; Tue, 15 Mar 2005 15:39:23 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2FNdNDN071070; Tue, 15 Mar 2005 15:39:23 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp-relay1.uni-bielefeld.de (IDENT:72@smtp-relay1.uni-bielefeld.de [129.70.4.97]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2FNdL0a071062 for <ietf-openpgp@imc.org>; Tue, 15 Mar 2005 15:39:21 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from pmxchannel-daemon.mail1.hrz.uni-bielefeld.de by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) id <0IDF00G0431K8R@mail1.hrz.uni-bielefeld.de> for ietf-openpgp@imc.org; Wed, 16 Mar 2005 00:39:20 +0100 (MET) Received: from DINAFSC.dhcp.lcl.studentenwerk-bielefeld.de (DINAFSC.dhcp.lcl.studentenwerk-bielefeld.de [10.128.53.38]) by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTPS id <0IDF003S731JHY@mail1.hrz.uni-bielefeld.de>; Wed, 16 Mar 2005 00:39:19 +0100 (MET) Date: Wed, 16 Mar 2005 00:39:37 +0100 From: Ingo Luetkebohle <ingo@fargonauten.de> Subject: Re: Split Implementations of PGP In-reply-to: <4a49e21cbfe5082388d5a7186dcfc089@callas.org> To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> Message-id: <1110929977.5109.285.camel@localhost.localdomain> MIME-version: 1.0 X-Mailer: Evolution 2.0.2 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-uY1zi1JcW4FR5eDTVwcZ" X-Spam-Level: X-UniBi-Spam-Level: , 7% X-UniBi-Spam-Rules: __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_VERSION 0, __SANE_MSGID 0 X-UniBi-Deliver: Tag X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.0.3.0, Antispam-Data: 2005.3.15.16, vscan4.hrz.uni-bielefeld.de References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> <4a49e21cbfe5082388d5a7186dcfc089@callas.org> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-uY1zi1JcW4FR5eDTVwcZ Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Am Dienstag, den 15.03.2005, 12:12 -0800 schrieb Jon Callas: > Better for whom? Better for a recipient who, for whatever reasons, does not want to transfer the whole for decryption. > One of the reasons that practice is to not have individually encrypted=20 > parts is that that has not been considered as good, meaning not as=20 > secure. It isn't as convenient for an entity who doesn't have the keys=20 > to process such a message, and that's been considered a feature rather=20 > than a bug. I concur -- for the usual case. However, whats better in the case under discussion: Decrypting the full thing on a machine not under your control and then transferring only what you can afford, or transfer it (encrypted) and decrypt it on the local machine (mobile device)? For this case, I'd say the latter is preferable. Maybe I'm paranoid about server security but isn't that why we're using PGP-based end-to-end encryption? regards Ingo --=-uY1zi1JcW4FR5eDTVwcZ Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCN3I5zZDBZDStzlsRAo2/AKCQVqRBqXMtnZ19c+Ny+4WZeOnbEQCeP3AG 1P7u0dq7GISTF/kb1jwx8CA= =Cc26 -----END PGP SIGNATURE----- --=-uY1zi1JcW4FR5eDTVwcZ-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2FKBeoD050690; Tue, 15 Mar 2005 12:11:40 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2FKBea2050688; Tue, 15 Mar 2005 12:11:40 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2FKBbH6050675 for <ietf-openpgp@imc.org>; Tue, 15 Mar 2005 12:11:37 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Tue, 15 Mar 2005 12:11:35 -0800 Received: from [63.73.97.189] ([63.73.97.189]) by keys.merrymeet.com (PGP Universal service); Tue, 15 Mar 2005 12:11:35 -0800 X-PGP-Universal: processed; by keys.merrymeet.com on Tue, 15 Mar 2005 12:11:35 -0800 In-Reply-To: <1110626690.5109.168.camel@localhost.localdomain> References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> <1110626690.5109.168.camel@localhost.localdomain> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <4a49e21cbfe5082388d5a7186dcfc089@callas.org> Content-Transfer-Encoding: 7bit Cc: ietf-openpgp@imc.org, Cyrus Daboo <daboo@isamet.com>, Eric Burger <eburger@brooktrout.com> From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Tue, 15 Mar 2005 12:12:33 -0800 To: Ingo Luetkebohle <ingo@fargonauten.de> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 12 Mar 2005, at 3:24 AM, Ingo Luetkebohle wrote: > Even better would be to have individually encrypted parts. This is > possible with PGP/MIME but not current practice. Trouble being, of > course, that the sender would have to know this is in advance. > Better for whom? One of the reasons that practice is to not have individually encrypted parts is that that has not been considered as good, meaning not as secure. It isn't as convenient for an entity who doesn't have the keys to process such a message, and that's been considered a feature rather than a bug. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2F8NmfE010022; Tue, 15 Mar 2005 00:23:48 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2F8Nm10010021; Tue, 15 Mar 2005 00:23:48 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpa.itss.auckland.ac.nz (groucho.itss.auckland.ac.nz [130.216.190.11]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2F8Ne0h009963 for <ietf-openpgp@imc.org>; Tue, 15 Mar 2005 00:23:47 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id 89FE5350A4; Tue, 15 Mar 2005 21:23:39 +1300 (NZDT) Received: from smtpa.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpa.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26116-03; Tue, 15 Mar 2005 21:23:39 +1300 (NZDT) Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpa.itss.auckland.ac.nz (Postfix) with ESMTP id B095834C7C; Tue, 15 Mar 2005 21:23:37 +1300 (NZDT) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id A79683774B; Tue, 15 Mar 2005 21:23:37 +1300 (NZDT) Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1DB7L6-0003PA-00; Tue, 15 Mar 2005 21:23:44 +1300 From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: eburger@brooktrout.com, ietf-openpgp@imc.org, pgut001@cs.auckland.ac.nz Subject: RE: Split Implementations of PGP Cc: gparsons@nortelnetworks.com In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125DB2@nhmail2.brooktrout.com> Message-Id: <E1DB7L6-0003PA-00@medusa01.cs.auckland.ac.nz> Date: Tue, 15 Mar 2005 21:23:44 +1300 X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Eric Burger <eburger@brooktrout.com> writes: >The problem is that the client does not want to download the object at all, >either because they only want to look at a particular body part and the >entire message is encrypted (Cyrus' example) or they wish to forward the >message without downloading it to their client. You don't download it, the server sends out the RSA/Elgamal-encrypted message encryption key (MEK) from the message (and nothing else) and the client returns the MEK re-encrypted with the server's public key. This works with anything (including for example crypto hardware like smart cards that won't reveal a key), has minimal messaging overhead, and doesn't require any additional security measures to protect the MEK. Peter. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2DMUceb076270; Sun, 13 Mar 2005 14:30:38 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2DMUcOg076269; Sun, 13 Mar 2005 14:30:38 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from salvelinus.brooktrout.com (salvelinus.brooktrout.com [204.176.205.6]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2DMUX8X076228 for <ietf-openpgp@imc.org>; Sun, 13 Mar 2005 14:30:33 -0800 (PST) (envelope-from eburger@brooktrout.com) Received: from nhmail2.needham.brooktrout.com (nhmail2.brooktrout.com [204.176.205.242]) by salvelinus.brooktrout.com (8.12.5/8.12.5) with ESMTP id j2DMSHDL008690; Sun, 13 Mar 2005 17:28:17 -0500 (EST) Received: by nhmail2.brooktrout.com with Internet Mail Service (5.5.2653.19) id <GZABLBC5>; Sun, 13 Mar 2005 17:24:18 -0500 Message-ID: <EDD694D47377D7119C8400D0B77FD33101125DB3@nhmail2.brooktrout.com> From: Eric Burger <eburger@brooktrout.com> To: Ingo Luetkebohle <ingo@fargonauten.de> Cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com>, "Stephane Maes (E-mail)" <stephane.maes@oracle.com> Subject: RE: Split Implementations of PGP Date: Sun, 13 Mar 2005 17:24:16 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> The problem is we cannot change sender behavior. If we could, we would simply say, "Send the message encrypted with both the client's and IMAP server's key." That way, the server already would be a recipient. I do like the idea of being a model of good behavior. We should put that into the lemonade profile. > -----Original Message----- > From: Ingo Luetkebohle [mailto:ingo@fargonauten.de] > Sent: Saturday, March 12, 2005 6:25 AM > To: Cyrus Daboo > Cc: ietf-openpgp@imc.org; Eric Burger > Subject: Re: Split Implementations of PGP > > > Am Freitag, den 11.03.2005, 22:08 -0500 schrieb Cyrus Daboo: > > A better solution would be to have the message decrypted on > the server and > > stored in its unencrypted form with multiple parts - then > the client can > > fetch just the text. > > Even better would be to have individually encrypted parts. This is > possible with PGP/MIME but not current practice. Trouble being, of > course, that the sender would have to know this is in advance. > > It is one more example of the sender having to know what the receiver > requires without a good means of finding out. > > So far, these things have been mere nuisances but the > suggested solution > is clearly a big step down in security. I do not know an > answer but it > might be interesting to think about the bigger picture for > once and come > up with something this simple, yet flexible enough. > > In any case, I would suggest for implementors of the server-based > decryption to re-format the message into multiple > individually encrypted > parts instead of just storing decrypted messages -- smaller window of > attack. > > Ingo > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2DMUPUq076203; Sun, 13 Mar 2005 14:30:25 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2DMUPQc076202; Sun, 13 Mar 2005 14:30:25 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from salvelinus.brooktrout.com (salvelinus.brooktrout.com [204.176.205.6]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2DMUOlZ076192 for <ietf-openpgp@imc.org>; Sun, 13 Mar 2005 14:30:24 -0800 (PST) (envelope-from eburger@brooktrout.com) Received: from nhmail2.needham.brooktrout.com (nhmail2.brooktrout.com [204.176.205.242]) by salvelinus.brooktrout.com (8.12.5/8.12.5) with ESMTP id j2DMSFDL008689; Sun, 13 Mar 2005 17:28:19 -0500 (EST) Received: by nhmail2.brooktrout.com with Internet Mail Service (5.5.2653.19) id <GZABLBCZ>; Sun, 13 Mar 2005 17:24:16 -0500 Message-ID: <EDD694D47377D7119C8400D0B77FD33101125DB2@nhmail2.brooktrout.com> From: Eric Burger <eburger@brooktrout.com> To: pgut001 <pgut001@cs.auckland.ac.nz>, ietf-openpgp@imc.org Cc: gparsons@nortelnetworks.com Subject: RE: Split Implementations of PGP Date: Sun, 13 Mar 2005 17:24:15 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> The problem is that the client does not want to download the object at all, either because they only want to look at a particular body part and the entire message is encrypted (Cyrus' example) or they wish to forward the message without downloading it to their client. > -----Original Message----- > From: pgut001 [mailto:pgut001@cs.auckland.ac.nz] > Sent: Saturday, March 12, 2005 10:34 PM > To: eburger@brooktrout.com; ietf-openpgp@imc.org > Cc: gparsons@nortelnetworks.com > Subject: Re: Split Implementations of PGP > > > Eric Burger <eburger@brooktrout.com> writes: > > >So, the question is, are there implementations of PGP where one can: > >1. Extract the encrypted session key from the PGP-encrypted object > >2. An API for handing over the encrypted session key and the > client key, > >returning the clear session key (this would run on the > remote client). > >3. An API that takes the clear session key and the > PGP-encrypted object and > >returns the cleartext object. > > Why not have the client decrypt the session key, re-encrypt > it with the > server's public key, and send it back? Any version of PGP > supports this, and > it solves the difficult problem of "an API for [...] the > client returning the > session key". > > Peter. > Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2D3XwjC070987; Sat, 12 Mar 2005 19:33:58 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2D3Xwrl070986; Sat, 12 Mar 2005 19:33:58 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpc.itss.auckland.ac.nz (harpo.itss.auckland.ac.nz [130.216.190.13]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2D3XqdP070976 for <ietf-openpgp@imc.org>; Sat, 12 Mar 2005 19:33:53 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtpc.itss.auckland.ac.nz (Postfix) with ESMTP id 3558B34C13; Sun, 13 Mar 2005 16:33:50 +1300 (NZDT) Received: from smtpc.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28301-17; Sun, 13 Mar 2005 16:33:50 +1300 (NZDT) Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpc.itss.auckland.ac.nz (Postfix) with ESMTP id 4C148349A2; Sun, 13 Mar 2005 16:33:48 +1300 (NZDT) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 1143A37743; Sun, 13 Mar 2005 16:33:48 +1300 (NZDT) Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1DAJrU-0008W0-00; Sun, 13 Mar 2005 16:33:52 +1300 From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: eburger@brooktrout.com, ietf-openpgp@imc.org Subject: Re: Split Implementations of PGP Cc: gparsons@nortelnetworks.com In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> Message-Id: <E1DAJrU-0008W0-00@medusa01.cs.auckland.ac.nz> Date: Sun, 13 Mar 2005 16:33:52 +1300 X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Eric Burger <eburger@brooktrout.com> writes: >So, the question is, are there implementations of PGP where one can: >1. Extract the encrypted session key from the PGP-encrypted object >2. An API for handing over the encrypted session key and the client key, >returning the clear session key (this would run on the remote client). >3. An API that takes the clear session key and the PGP-encrypted object and >returns the cleartext object. Why not have the client decrypt the session key, re-encrypt it with the server's public key, and send it back? Any version of PGP supports this, and it solves the difficult problem of "an API for [...] the client returning the session key". Peter. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2CE8eim045475; Sat, 12 Mar 2005 06:08:40 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2CE8d52045474; Sat, 12 Mar 2005 06:08:39 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from darius.cyrusoft.com (darius.cyrusoft.com [63.163.82.2]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2CE8N4A045448 for <ietf-openpgp@imc.org>; Sat, 12 Mar 2005 06:08:28 -0800 (PST) (envelope-from daboo@isamet.com) Received: from [10.0.1.5] (pool-68-162-179-106.pitt.east.verizon.net [68.162.179.106]) (authenticated bits=0) by darius.cyrusoft.com (8.12.9/8.12.9) with ESMTP id j2CDtI6g000710 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 12 Mar 2005 08:55:19 -0500 Date: Sat, 12 Mar 2005 09:08:11 -0500 From: Cyrus Daboo <daboo@isamet.com> To: Bill Frantz <frantz@pwpconsult.com> cc: Eric Burger <eburger@brooktrout.com>, ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Re: Split Implementations of PGP Message-ID: <EC2C527917F2F8527033F0BB@ninevah.cyrusoft.com> In-Reply-To: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> References: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> X-Mailer: Mulberry/3.2.0a1 (Linux/PPC) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Spam-Status: No, hits=0.0 tests=none Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi Bill, --On Friday, March 11, 2005 10:15:01 PM -0800 Bill Frantz <frantz@pwpconsult.com> wrote: > Thanks for the clear explanation. While perhaps out of scope here, I > certainly hope that the link between the client and the IMAP server is > secured. The idea of a message that the sender thought needed to be > encrypted, being sent out in the clear, over a cell phone transmitter, is > a bit disquieting. Agreed, TLS or mobile equivalent would have to be used. In addition you also have to have more trust in your server (or more accurately your server admin or whoever has 'root' access to the server) as a clear-text version of the message will be stored there, even if only on a temporary basis. -- Cyrus Daboo Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2CBTdsI099153; Sat, 12 Mar 2005 03:29:39 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2CBTdFf099152; Sat, 12 Mar 2005 03:29:39 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp-relay1.uni-bielefeld.de (IDENT:72@smtp-relay1.uni-bielefeld.de [129.70.4.97]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2CBTPg9099048 for <ietf-openpgp@imc.org>; Sat, 12 Mar 2005 03:29:30 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from pmxchannel-daemon.mail1.hrz.uni-bielefeld.de by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) id <0ID800D04L0Q19@mail1.hrz.uni-bielefeld.de> for ietf-openpgp@imc.org; Sat, 12 Mar 2005 12:24:26 +0100 (MET) Received: from Laptop-udp4452615uds.dhcp.lcl.studentenwerk-bielefeld.de (Laptop-udp4452615uds.dhcp.lcl.studentenwerk-bielefeld.de [10.128.53.9]) by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTPS id <0ID8007NUL0QPU@mail1.hrz.uni-bielefeld.de>; Sat, 12 Mar 2005 12:24:26 +0100 (MET) Date: Sat, 12 Mar 2005 12:24:50 +0100 From: Ingo Luetkebohle <ingo@fargonauten.de> Subject: Re: Split Implementations of PGP In-reply-to: <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> To: Cyrus Daboo <daboo@isamet.com> Cc: ietf-openpgp@imc.org, Eric Burger <eburger@brooktrout.com> Message-id: <1110626690.5109.168.camel@localhost.localdomain> MIME-version: 1.0 X-Mailer: Evolution 2.0.2 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-lwj993Gubp9qj1/CfkJO" X-Spam-Level: X-UniBi-Spam-Level: , 7% X-UniBi-Spam-Rules: __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_VERSION 0, __SANE_MSGID 0, __cbl.abuseat.org_TIMEOUT , __dnsbl.njabl.org_TIMEOUT , __query.bondedsender.org_TIMEOUT , __sbl.spamhaus.org_TIMEOUT X-UniBi-Deliver: Tag X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.0.3.0, Antispam-Data: 2005.3.12.3, vscan2.hrz.uni-bielefeld.de References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-lwj993Gubp9qj1/CfkJO Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Am Freitag, den 11.03.2005, 22:08 -0500 schrieb Cyrus Daboo: > A better solution would be to have the message decrypted on the server an= d=20 > stored in its unencrypted form with multiple parts - then the client can=20 > fetch just the text. Even better would be to have individually encrypted parts. This is possible with PGP/MIME but not current practice. Trouble being, of course, that the sender would have to know this is in advance. =20 It is one more example of the sender having to know what the receiver requires without a good means of finding out. So far, these things have been mere nuisances but the suggested solution is clearly a big step down in security. I do not know an answer but it might be interesting to think about the bigger picture for once and come up with something this simple, yet flexible enough. In any case, I would suggest for implementors of the server-based decryption to re-format the message into multiple individually encrypted parts instead of just storing decrypted messages -- smaller window of attack. Ingo --=-lwj993Gubp9qj1/CfkJO Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCMtGCzZDBZDStzlsRAo+KAJ9xGRWn170t0tvgVrQjzk/ip11SsACdG98T dwKWDBS8Ni6HTPfLcs37Tok= =KHoK -----END PGP SIGNATURE----- --=-lwj993Gubp9qj1/CfkJO-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C6FLnG076150; Fri, 11 Mar 2005 22:15:21 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2C6FLgx076149; Fri, 11 Mar 2005 22:15:21 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpauth04.mail.atl.earthlink.net (smtpauth04.mail.atl.earthlink.net [209.86.89.64]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C6F5XI076014 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 22:15:10 -0800 (PST) (envelope-from frantz@pwpconsult.com) Received: from [68.164.80.103] (helo=[192.168.1.5]) by smtpauth04.mail.atl.earthlink.net with asmtp (Exim 4.34) id 1D9ztw-00055x-CS; Sat, 12 Mar 2005 01:15:04 -0500 Date: Fri, 11 Mar 2005 22:15:01 -0800 From: Bill Frantz <frantz@pwpconsult.com> Subject: Re: Split Implementations of PGP To: Cyrus Daboo <daboo@isamet.com> cc: Eric Burger <eburger@brooktrout.com>, ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> X-Priority: 3 In-Reply-To: <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> Message-ID: <r02010400-1038-120DB24D92BE11D9AA730030658F0F64@[192.168.1.5]> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Mailer: Mailsmith 2.1.4 (Blindsider) X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec7965b52aa7ef358aea37a175cf150b07dc350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 68.164.80.103 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j2C6FAXI076055 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 3/11/05, daboo@isamet.com (Cyrus Daboo) wrote: >Consider the case of a message with a small text part and a large >attachment. On your mobile device you might want to only read the text >without paying the penalty of downloading the attachment. If the message >data is unencrypted the client can use the IMAP protocol to download only >the text part. However, if the message is encrypted in one single >multipart/encrypted part, then the client has to download all the data in >order to decrypt and extract only the text. > >... Thanks for the clear explanation. While perhaps out of scope here, I certainly hope that the link between the client and the IMAP server is secured. The idea of a message that the sender thought needed to be encrypted, being sent out in the clear, over a cell phone transmitter, is a bit disquieting. Cheers - Bill ----------------------------------------------------------------------- Bill Frantz | gets() remains as a monument | Periwinkle (408)356-8506 | to C's continuing support of | 16345 Englewood Ave www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C38qq7054762; Fri, 11 Mar 2005 19:08:52 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2C38qK8054761; Fri, 11 Mar 2005 19:08:52 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from darius.cyrusoft.com (darius.cyrusoft.com [63.163.82.2]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C38aZP054715 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 19:08:40 -0800 (PST) (envelope-from daboo@isamet.com) Received: from [10.0.1.5] (pool-68-162-179-106.pitt.east.verizon.net [68.162.179.106]) (authenticated bits=0) by darius.cyrusoft.com (8.12.9/8.12.9) with ESMTP id j2C2tY6g022357 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 11 Mar 2005 21:55:35 -0500 Date: Fri, 11 Mar 2005 22:08:23 -0500 From: Cyrus Daboo <daboo@isamet.com> To: Bill Frantz <frantz@pwpconsult.com>, Eric Burger <eburger@brooktrout.com> cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Re: Split Implementations of PGP Message-ID: <A42DC28ADB704E5998A56480@ninevah.cyrusoft.com> In-Reply-To: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> References: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> X-Mailer: Mulberry/3.2.0a1 (Linux/PPC) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Spam-Status: No, hits=0.0 tests=none Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi Bill, --On Friday, March 11, 2005 05:15:02 PM -0800 Bill Frantz <frantz@pwpconsult.com> wrote: > I understand, from Derek's draft minutes of the OpenPGP meeting, that the > problem is that the remote client is in a low-bandwidth environment, such > as a cell phone. I understand this statement to mean that the > communication link is low bandwidth. However, PGP encrypted messages are > close to the size of the corrisponding plain text, so I don't see how > having an IMAP server decrypt the message is going to help. > > If, on another hand, the remote client is limited in CPU power, this > system seems to place the largest CPU load, the public key operation to > extract the plain text key, on the client, and the relatively low CPU > load of the private key operations to decrypt the message on the IMAP > server. > > I conclude from this reasoning that I don't understand the problem. > Could you please explain. Consider the case of a message with a small text part and a large attachment. On your mobile device you might want to only read the text without paying the penalty of downloading the attachment. If the message data is unencrypted the client can use the IMAP protocol to download only the text part. However, if the message is encrypted in one single multipart/encrypted part, then the client has to download all the data in order to decrypt and extract only the text. A better solution would be to have the message decrypted on the server and stored in its unencrypted form with multiple parts - then the client can fetch just the text. Same principal applies for a message that is only signed, and the mobile device wants to read only the text part, but verify the signature. There are similar considerations for the client when it wants to create a signed or encrypted message with parts that already reside on the server. -- Cyrus Daboo Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C1FFWK047418; Fri, 11 Mar 2005 17:15:15 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2C1FFvC047417; Fri, 11 Mar 2005 17:15:15 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpauth07.mail.atl.earthlink.net (smtpauth07.mail.atl.earthlink.net [209.86.89.67]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C1F5rm047406 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 17:15:10 -0800 (PST) (envelope-from frantz@pwpconsult.com) Received: from [68.164.80.103] (helo=[192.168.1.5]) by smtpauth07.mail.atl.earthlink.net with asmtp (Exim 4.34) id 1D9vDc-0000vN-W1; Fri, 11 Mar 2005 20:15:05 -0500 Date: Fri, 11 Mar 2005 17:15:02 -0800 From: Bill Frantz <frantz@pwpconsult.com> Subject: Re: Split Implementations of PGP To: Eric Burger <eburger@brooktrout.com> cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> X-Priority: 3 In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> Message-ID: <r02010400-1038-29AD9710929411D9AA730030658F0F64@[192.168.1.5]> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Mailer: Mailsmith 2.1.4 (Blindsider) X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec7951e3a6a0e794d4215a372228129949b6350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 68.164.80.103 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j2C1FArm047408 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 3/11/05, eburger@brooktrout.com (Eric Burger) wrote: > >Background: >I am a co-chair of the lemonade work group in the IETF ><http://www.ietf.org/html.charters/lemonade-charter.html>. > >One thing we would like to do is enable a remote client to fetch the >encrypted session key from an IMAP server, decrypt the key using the >client's key, and then handing back the clear session key to the IMAP server >to decrypt or verify a message or body part. I understand, from Derek's draft minutes of the OpenPGP meeting, that the problem is that the remote client is in a low-bandwidth environment, such as a cell phone. I understand this statement to mean that the communication link is low bandwidth. However, PGP encrypted messages are close to the size of the corrisponding plain text, so I don't see how having an IMAP server decrypt the message is going to help. If, on another hand, the remote client is limited in CPU power, this system seems to place the largest CPU load, the public key operation to extract the plain text key, on the client, and the relatively low CPU load of the private key operations to decrypt the message on the IMAP server. I conclude from this reasoning that I don't understand the problem. Could you please explain. Thanks - Bill ----------------------------------------------------------------------- Bill Frantz | gets() remains as a monument | Periwinkle (408)356-8506 | to C's continuing support of | 16345 Englewood Ave www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C05XMN040100; Fri, 11 Mar 2005 16:05:33 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2C05XSC040097; Fri, 11 Mar 2005 16:05:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2C05PM2040086 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 16:05:25 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Fri, 11 Mar 2005 16:05:20 -0800 Received: from [192.168.2.164] ([63.251.255.85]) by keys.merrymeet.com (PGP Universal service); Fri, 11 Mar 2005 16:05:19 -0800 X-PGP-Universal: processed In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> References: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <226f8c4e1ec7f99ea900b13d8cd8ca89@callas.org> Content-Transfer-Encoding: 7bit Cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> From: Jon Callas <jon@callas.org> Subject: Re: Split Implementations of PGP Date: Fri, 11 Mar 2005 16:06:21 -0800 To: Eric Burger <eburger@brooktrout.com> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> We can also do this at PGP Corporation, as well. Not a problem. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BIX76H016282; Fri, 11 Mar 2005 10:33:07 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2BIX7qU016281; Fri, 11 Mar 2005 10:33:07 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BIX6wE016271 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 10:33:06 -0800 (PST) (envelope-from dshaw@jabberwocky.com) Received: from walrus.ne.client2.attbi.com ([24.60.132.70]) by comcast.net (rwcrmhc11) with ESMTP id <2005031118325901300okov5e>; Fri, 11 Mar 2005 18:32:59 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id j2BIWxsh003314; Fri, 11 Mar 2005 13:32:59 -0500 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j2BIWupK024508; Fri, 11 Mar 2005 13:32:56 -0500 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j2BIWurh024507; Fri, 11 Mar 2005 13:32:56 -0500 Date: Fri, 11 Mar 2005 13:32:56 -0500 From: David Shaw <dshaw@jabberwocky.com> To: Eric Burger <eburger@brooktrout.com> Cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Re: Split Implementations of PGP Message-ID: <20050311183256.GB24254@jabberwocky.com> Mail-Followup-To: Eric Burger <eburger@brooktrout.com>, ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> References: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Mar 11, 2005 at 12:04:59PM -0500, Eric Burger wrote: > > Background: > I am a co-chair of the lemonade work group in the IETF > <http://www.ietf.org/html.charters/lemonade-charter.html>. > > One thing we would like to do is enable a remote client to fetch the > encrypted session key from an IMAP server, decrypt the key using the > client's key, and then handing back the clear session key to the IMAP server > to decrypt or verify a message or body part. > > So, the question is, are there implementations of PGP where one can: > 1. Extract the encrypted session key from the PGP-encrypted object > 2. An API for handing over the encrypted session key and the client key, > returning the clear session key (this would run on the remote client). > 3. An API that takes the clear session key and the PGP-encrypted object and > returns the cleartext object. > > Note that this is different from the normal case of an API that takes the > client's key and the PGP-encrypted object and simply returns the cleartext > object. GnuPG can do this. The feature was originally intended as a workaround for places that have laws about compelled production of keys, but it can be used for what you discuss. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BIKW89015220; Fri, 11 Mar 2005 10:20:32 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2BIKWfD015219; Fri, 11 Mar 2005 10:20:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BIKQRS015181 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 10:20:31 -0800 (PST) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.34 #1 (Debian)) id 1D9odA-0004KR-Lq for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 19:13:00 +0100 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1D9ogr-0001Gv-8J; Fri, 11 Mar 2005 19:16:49 +0100 To: Eric Burger <eburger@brooktrout.com> Cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Re: Split Implementations of PGP References: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Fri, 11 Mar 2005 19:16:49 +0100 In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> (Eric Burger's message of "Fri, 11 Mar 2005 12:04:59 -0500") Message-ID: <87wtsedp4e.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, 11 Mar 2005 12:04:59 -0500, Eric Burger said: > So, the question is, are there implementations of PGP where one can: > 1. Extract the encrypted session key from the PGP-encrypted object > 2. An API for handing over the encrypted session key and the client key, > returning the clear session key (this would run on the remote client). > 3. An API that takes the clear session key and the PGP-encrypted object and > returns the cleartext object. GnuPG provides this for many years. SESSION_KEY <algo>:<hexdigits> The session key used to decrypt the message. This message will only be emitted when the special option --show-session-key is used. The format is suitable to be passed to the option --override-session-key Use it together with --status-fd n. Shalom-Salam, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BHuXGB013098; Fri, 11 Mar 2005 09:56:33 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2BHuXi9013097; Fri, 11 Mar 2005 09:56:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BHuSlB013062 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 09:56:28 -0800 (PST) (envelope-from ben@algroup.co.uk) Received: from [IPv6???1] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 7A5C033C33; Fri, 11 Mar 2005 17:56:16 +0000 (GMT) Message-ID: <4231CD99.7000102@algroup.co.uk> Date: Fri, 11 Mar 2005 16:55:53 +0000 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0 (X11/20050106) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Eric Burger <eburger@brooktrout.com> Cc: ietf-openpgp@imc.org, "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Re: Split Implementations of PGP References: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> In-Reply-To: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> X-Enigmail-Version: 0.86.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Eric Burger wrote: > Background: > I am a co-chair of the lemonade work group in the IETF > <http://www.ietf.org/html.charters/lemonade-charter.html>. > > One thing we would like to do is enable a remote client to fetch the > encrypted session key from an IMAP server, decrypt the key using the > client's key, and then handing back the clear session key to the IMAP server > to decrypt or verify a message or body part. > > So, the question is, are there implementations of PGP where one can: > 1. Extract the encrypted session key from the PGP-encrypted object > 2. An API for handing over the encrypted session key and the client key, > returning the clear session key (this would run on the remote client). > 3. An API that takes the clear session key and the PGP-encrypted object and > returns the cleartext object. > > Note that this is different from the normal case of an API that takes the > client's key and the PGP-encrypted object and simply returns the cleartext > object. > > We have heard from the S/MIME community that there are API's that allow this > functionality over S/MIME. I am currently working on an implementation that could easily include this functionality. Feel free to nag me about it. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BHBJK3008298; Fri, 11 Mar 2005 09:11:19 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2BHBJE1008297; Fri, 11 Mar 2005 09:11:19 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from salvelinus.brooktrout.com (salvelinus.brooktrout.com [204.176.205.6]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2BHBIYj008288 for <ietf-openpgp@imc.org>; Fri, 11 Mar 2005 09:11:18 -0800 (PST) (envelope-from eburger@brooktrout.com) Received: from nhmail2.needham.brooktrout.com (nhmail2.brooktrout.com [204.176.205.242]) by salvelinus.brooktrout.com (8.12.5/8.12.5) with ESMTP id j2BH97H0012311; Fri, 11 Mar 2005 12:09:07 -0500 (EST) Received: by nhmail2.brooktrout.com with Internet Mail Service (5.5.2653.19) id <FRSFG83M>; Fri, 11 Mar 2005 12:05:08 -0500 Message-ID: <EDD694D47377D7119C8400D0B77FD33101125D39@nhmail2.brooktrout.com> From: Eric Burger <eburger@brooktrout.com> To: ietf-openpgp@imc.org Cc: "Glenn Parsons (E-mail)" <gparsons@nortelnetworks.com> Subject: Split Implementations of PGP Date: Fri, 11 Mar 2005 12:04:59 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Background: I am a co-chair of the lemonade work group in the IETF <http://www.ietf.org/html.charters/lemonade-charter.html>. One thing we would like to do is enable a remote client to fetch the encrypted session key from an IMAP server, decrypt the key using the client's key, and then handing back the clear session key to the IMAP server to decrypt or verify a message or body part. So, the question is, are there implementations of PGP where one can: 1. Extract the encrypted session key from the PGP-encrypted object 2. An API for handing over the encrypted session key and the client key, returning the clear session key (this would run on the remote client). 3. An API that takes the clear session key and the PGP-encrypted object and returns the cleartext object. Note that this is different from the normal case of an API that takes the client's key and the PGP-encrypted object and simply returns the cleartext object. We have heard from the S/MIME community that there are API's that allow this functionality over S/MIME. Thanks. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2AHAXYn040895; Thu, 10 Mar 2005 09:10:33 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j2AHAXrc040894; Thu, 10 Mar 2005 09:10:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from dogbert.ihtfp.org (me@wireless-130-129-134-16.ietf62.ietf.org [130.129.134.16]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j2AHAOKL040876 for <ietf-openpgp@imc.org>; Thu, 10 Mar 2005 09:10:24 -0800 (PST) (envelope-from warlord@MIT.EDU) Received: (from warlord@localhost) by dogbert.ihtfp.org (8.12.9) id j2AHANBa003198; Thu, 10 Mar 2005 12:10:23 -0500 From: Derek Atkins <derek@ihtfp.com> To: ietf-openpgp@imc.org Cc: hartmans-ietf@MIT.EDU, housley@vigilsec.com Subject: Draft Minutes of OpenPGP Meeting Date: Thu, 10 Mar 2005 12:10:23 -0500 Message-ID: <sjmbr9ro29s.fsf@dogbert.ihtfp.org> User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-=-= Here are the draft minutes of the (short) OpenPGP Meeting here in Minneapolis. -derek --=-=-= Content-Disposition: attachment; filename=ietf-62-minutes.txt Content-Description: OpenPGP Minutes Open PGP Minutes - Chair Derek Atkins - Tues March 8 2005 1. Agenda Bashing - none 2. AD - Sam Hartman - Sam requested time on the agenda to discuss a proposed new work item for this working group. The Lemonade group is looking at doing e-mail type operations in some new service environments. One type of environment that they are looking at is low bandwidth devices (such as cell phones) where different types of operations might be desirable. Examples of such operations might be to distill or use incremental download of messages for display on the device. Currently the issues of end-to-end security have been avoided by the Lemonade group. Open PGP and S/MIME are the two different secure messaging work groups in the IETF and the Lemonade group would like to get guidance and help from the two groups about different ways of providing end-to-end security within the lightweight receivers. One possible method of dealing with the problem is to require that the server be a recipient on the message. No desirable in some circumstances because the server cannot be trusted. A second method is to require the device to deal with secure messages. This is beyond the capabilities of some devices. The current method under exploration would be to allow the server to extract a correct encrypted key blob, send it to the device for decryption, and then the server would decrypt the bulk message and process it for display. Glen Parsons (co-chair of the Lemonade group) stated that in addition guidance was desired on some of the security issues the server would need to deal with. An example would be how long should a server keep the decrypted message in a cache for processing, as oppose to decrypting the message each time a new section of the document was desired by the display device. One proposed method of dealing with this might be to look at the device as a cryptographic module and just implement normal PGP on the server. This would need to be looked at further. 3. Draft-ietf-openpgp-rfc2440bis status The document editor did not provide a presentation for the meeting. There has not been a recent update of the document, however there has been substantial activity on the list recently which has solve several open issues. The following open issues still remain: Editorial type changes that will probably just be accepted by the editor - V2 PKESK advice is not correct (Dave Shaw) - Call V4 V4 (Dave Shaw) Two cryptographic issues that need to be looked at: - CFB "Broken" Researches have presented a break of CFB where about 25% of the message can be obtained using a fairly small work load under some circumstances. Details of the attack can be found at: - SHA-1 "Broken" There have been several recently announced attacks against SHA-1. The biggest result was one of lowering the work of finding a duplicate hash from 2^80 to 2^69. Still a substantial work factor. Sam stood up and said that the issue will be discussed at the SAAG meeting on Thursday, but the current advice from the ADs is not to panic yet. They are searching for a unified method of dealing with the problem along with the question of whether the new longer SHA algorithms are going to be affected as well. 3. PFS - Presenter was not present in the room. --=-=-= -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant --=-=-=-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j23Fwihh030000; Thu, 3 Mar 2005 07:58:44 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j23FweZa029992; Thu, 3 Mar 2005 07:58:40 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j23FwdCt029963 for <ietf-openpgp@imc.org>; Thu, 3 Mar 2005 07:58:40 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6) for <ietf-openpgp@imc.org>; Thu, 3 Mar 2005 07:58:31 -0800 Received: from [62.8.243.71] ([62.8.243.71]) by keys.merrymeet.com (PGP Universal service); Thu, 03 Mar 2005 07:58:31 -0800 X-PGP-Universal: processed Mime-Version: 1.0 (Apple Message framework v619.2) In-Reply-To: <87k6otfxtw.fsf@deneb.enyo.de> References: <20050224093032.GA98866@phantom.vanrein.org> <0a5ed6016f5c7d1ecd1ef3e4c1dad620@callas.org> <20050225195202.GA29679@phantom.vanrein.org> <078d807c80e952b628b386fa0c33061a@callas.org> <87k6otfxtw.fsf@deneb.enyo.de> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <1d943b6c82c4734049946719686bb0dc@callas.org> Content-Transfer-Encoding: 7bit From: Jon Callas <jon@callas.org> Subject: Re: Tighter MPI spec Date: Thu, 3 Mar 2005 07:59:28 -0800 To: OpenPGP <ietf-openpgp@imc.org> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 27 Feb 2005, at 2:21 PM, Florian Weimer wrote: > * Jon Callas: > >> This language has been sitting in 2440 and followons since '97. No one >> has ever had a problem implementing it, no one has had an >> interoperability issue with bignums. Not PGP, nor GnuPG, nor Hushmail, >> nor Cryptix, nor Forum, nor Bouncy Castle, nor anyone else. > > Not true. GnuPG had a bug in MPI handling because it followed the > language in RFC 2440 too verbatim. 8-) > > (You added a hint to 2440bis a few years ago, so others hopefully > won't make the same mistake.) > Thanks. Mea culpa. However, I think with the explicit note that unused bits must be zero, we're real clear on it. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j23FvwdA029874; Thu, 3 Mar 2005 07:57:58 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j23FvwBw029873; Thu, 3 Mar 2005 07:57:58 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j23FvraV029839 for <ietf-openpgp@imc.org>; Thu, 3 Mar 2005 07:57:53 -0800 (PST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Thu, 3 Mar 2005 07:57:41 -0800 Received: from [62.8.243.71] ([62.8.243.71]) by keys.merrymeet.com (PGP Universal service); Thu, 03 Mar 2005 07:57:41 -0800 X-PGP-Universal: processed In-Reply-To: <20050225204834.GA2271@jabberwocky.com> References: <20050225204834.GA2271@jabberwocky.com> Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <bdb26e9f98f97dbee24b998ff6b89a8d@callas.org> Content-Transfer-Encoding: 7bit Cc: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: [ISSUE] Minor language nits Date: Thu, 3 Mar 2005 07:58:32 -0800 To: David Shaw <dshaw@jabberwocky.com> X-Mailer: Apple Mail (2.619.2) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 25 Feb 2005, at 12:48 PM, David Shaw wrote: > > Three minor language nits: > > In section 5.2.3. Version 4 Signature Packet Format: > > - Two-octet scalar octet count for following hashed subpacket > data. Note that this is the length in octets of all of the > hashed subpackets; a pointer incremented by this number will > skip over the hashed subpackets. > > There needs to be a "the" between "for" and "following". Note also > the same problem one paragraph later for the item discussing the > unhashed subpacket data. > Got them. > ============================= > > Throughout the document, references to RFCs are written > inconsistently. For example, there are 3 references to "RFC 1991" > (with the space), and 2 references to "RFC1991" (without the space). > I like it with the space, though I really don't care which way things > go so long as it is consistent. (It's not just 1991 - all the RFC > references in the draft are mixed between the two styles). > Okay, here's what I did. All text referring to an RFC is now "RFC xxxx" -- with a space. But a reference in brackets such as [RFCxxxx] has no space. That just seemed like the right thing. > ============================= > > There are a few spots in the draft where "PGP" is used when "OpenPGP" > should have been used (when referring to the standard, rather than the > product): > > Section 2.3 (Compression) has one in the second paragraph. > Fixed. > Section 5.2.1 (Signature Types) has one in the discussion of the 0x13 > signature class. > Also fixed. There was also one in the 0x10 signature types. > Section 5.7 (Symmetrically Encrypted Data Packet) has one when > discussing "PGP's variant of Cipher Feedback (CFB) mode". > > I contemplated this for a bit. I finally concluded that both you and my lawyer (who is on a Proper Trademark Usage campaign) agree and therefore no further thought is needed. :-) Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21IZasa028332; Tue, 1 Mar 2005 10:35:36 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j21IZapb028331; Tue, 1 Mar 2005 10:35:36 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp-relay1.uni-bielefeld.de (IDENT:72@smtp-relay1.uni-bielefeld.de [129.70.4.97]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21IZZ6O028323 for <ietf-openpgp@imc.org>; Tue, 1 Mar 2005 10:35:36 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from pmxchannel-daemon.mail1.hrz.uni-bielefeld.de by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) id <0ICO00107RN1O5@mail1.hrz.uni-bielefeld.de> for ietf-openpgp@imc.org; Tue, 01 Mar 2005 19:35:25 +0100 (MET) Received: from vm.dhcp.lcl.studentenwerk-bielefeld.de (vm.dhcp.lcl.studentenwerk-bielefeld.de [10.128.53.60]) by mail1.hrz.uni-bielefeld.de (iPlanet Messaging Server 5.2 HotFix 2.02 (built Oct 21 2004)) with ESMTPS id <0ICO00C5IRMVB6@mail1.hrz.uni-bielefeld.de>; Tue, 01 Mar 2005 19:35:19 +0100 (MET) Date: Tue, 01 Mar 2005 19:36:04 +0100 From: Ingo Luetkebohle <ingo@fargonauten.de> Subject: Re: PGP Partitioned Encoding Format In-reply-to: <878y57jq5g.fsf@wheatstone.g10code.de> To: Werner Koch <wk@gnupg.org> Cc: "\"Hal Finney\"" <hal@finney.org>, ietf-openpgp@imc.org Message-id: <1109702164.8874.66.camel@localhost.localdomain> MIME-version: 1.0 X-Mailer: Evolution 2.0.2 Content-type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-DSG4wfAhWk6maiyAmLnZ" X-Spam-Level: X-UniBi-Spam-Level: , 7% X-UniBi-Spam-Rules: __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_VERSION 0, __SANE_MSGID 0, __cbl.abuseat.org_TIMEOUT , __dnsbl.njabl.org_TIMEOUT , __query.bondedsender.org_TIMEOUT , __sbl.spamhaus.org_TIMEOUT X-UniBi-Deliver: Tag X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.2.0, Antispam-Data: 2005.3.1.10 References: <20050228233557.2E5DC57EBA@finney.org> <1109675841.28521.8.camel@chagall.TechFak.Uni-Bielefeld.DE> <878y57jq5g.fsf@wheatstone.g10code.de> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-DSG4wfAhWk6maiyAmLnZ Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Am Dienstag, den 01.03.2005, 17:18 +0100 schrieb Werner Koch: > Won't work either with Outlook.=20 Sorry, I didn't mean to imply it would. I know that all sorts of work-arounds have to be done for Outlook. The only thing I have an issue with is the implication that this sort of encoding might actually be good for other purposes. For the example given (mobile devices), a different usage pattern for PGP/MIME should do the trick just as well. Ingo --=-DSG4wfAhWk6maiyAmLnZ Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCJLYTzZDBZDStzlsRAowJAJ4xcvSvtM8p1ntnKIB2KhlWRllNvQCgmjC5 ZYYdpNqj3axn4xLiR4RPx4E= =SYkS -----END PGP SIGNATURE----- --=-DSG4wfAhWk6maiyAmLnZ-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21GKUgU018603; Tue, 1 Mar 2005 08:20:30 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j21GKUst018602; Tue, 1 Mar 2005 08:20:30 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21GKKpO018581 for <ietf-openpgp@imc.org>; Tue, 1 Mar 2005 08:20:25 -0800 (PST) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.34 #1 (Debian)) id 1D6A2L-0003Qg-Ie for <ietf-openpgp@imc.org>; Tue, 01 Mar 2005 17:15:53 +0100 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1D6A4x-0002rJ-KW; Tue, 01 Mar 2005 17:18:35 +0100 To: Ingo Luetkebohle <ingo@fargonauten.de> Cc: "\"Hal Finney\"" <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: PGP Partitioned Encoding Format References: <20050228233557.2E5DC57EBA@finney.org> <1109675841.28521.8.camel@chagall.TechFak.Uni-Bielefeld.DE> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 01 Mar 2005 17:18:35 +0100 In-Reply-To: <1109675841.28521.8.camel@chagall.TechFak.Uni-Bielefeld.DE> (Ingo Luetkebohle's message of "Tue, 01 Mar 2005 12:17:21 +0100") Message-ID: <878y57jq5g.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 01 Mar 2005 12:17:21 +0100, Ingo Luetkebohle said: > Instead of putting in a notation requesting "partitioned", you might > request the "other way" of packaging a MIME-message just as well. Won't work either with Outlook. You need at least a way to display signed message even to users without the ability to check the signature. All PGP/MIME stuff does not work with that beast unless someone figures out how their MAPI can be forced to do certain things. It is really a pitty that for just one MUA one need to resort to such pragmatic workarounds. Shalom-Salam, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21Fd7gG015383; Tue, 1 Mar 2005 07:39:07 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j21Fd7HB015382; Tue, 1 Mar 2005 07:39:07 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21Fd5eP015357 for <ietf-openpgp@imc.org>; Tue, 1 Mar 2005 07:39:06 -0800 (PST) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 23CDB33C33; Tue, 1 Mar 2005 15:38:54 +0000 (GMT) Message-ID: <42248C18.7010507@algroup.co.uk> Date: Tue, 01 Mar 2005 15:36:56 +0000 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org Subject: Re: Forward Secrecy References: <20050228184109.2C6BA57EBA@finney.org> In-Reply-To: <20050228184109.2C6BA57EBA@finney.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hal Finney wrote: > I think we had some discussion of this a few years ago, but I don't > have my records handy. I do like the idea of forward secrecy but I > think there are a few problems with the proposals in the draft > http://www.links.org/dnssec/draft-brown-pgp-pfs-04.txt. > > Using a series of encryption keys, each with a short lifetime, > reduces the information revealed by the compromise of any one private > key because each key protects less data. If expired keys are > securely deleted, attackers will never be able to retrieve them to > decrypt captured ciphertext. Therefore when a public encryption key > expires, an OpenPGP client MUST securely wipe the corresponding > private key [4]. > > I don't agree that OpenPGP clients MUST always securely wipe expired > private keys. In the context of a user who wants PFS, this makes sense. > But for a user who wants to be sure he can decrypt his messages, this > is a bad policy. For example, some mail systems may store the messages > in encrypted form, and he needs to keep the key around in order to read > those messages in the future. > > We would need to make the wording clear that this is only for clients > operating in "PFS mode". Agreed. I have changed to this: "Therefore when a public encryption key used for forward secrecy expires, an OpenPGP client MUST securely wipe the corresponding private key." > Deletion should take place once all messages that could have been > sent before expiry have been received and decrypted. For example, as > a user logs on, their mail client SHOULD retrieve and decrypt all > messages from their mail server before deleting any newly-expired > private keys. A "panic mode" MAY bypass this step. > > I guess that "panic mode" means some command the user could give to > immediately delete all expired decryption keys. > > But this leads to a larger concern, which is that much of this draft > specifies client behavior in a manner which has traditionally been out > of scope for our working group. We would not normally propose to give > guidelines for UI such as the existence of a panic mode, and how clients > should respond to it. For example, we do not attempt to prescribe how > client software should display signed messages, what information should > be shown from a signature, or how to depict messages which are partially > signed and partially unsigned. > > The PFS draft is full of detailed recommendations about client behavior. > Here, it describes how and when clients should access the mail server. > Later, it talks about clients sending various warnings to each other, > generating keys in the background, and revoking keys before exporting > the private part. The main thrust of the draft is towards specifying > client behavior. Since some client behaviour must be specified for PFS to work, I don't see that that is avoidable. However, I do agree that it should be kept to just that behaviour that is actually necessary. Secure deletion of private keys is necessary for PFS, and so that should remain. Retrieving (and decrypting) messages encrypted with that key before deleting is a good idea, but I agree is probably not something to be mandated by this draft. > My principle concern is that since we have eschewed such specifications > even for the more fundamental task of communicating securely via email, > does it make sense to go into such detail for a rather more specialized > sub-task, of achieving PFS in the process? Here is another example: > > Clients receiving messages encrypted with a revoked key MUST warn the > sender that they should not use that public key again. Any relevant > key revocation certificates MUST be included in the warning. > > This is not really PFS specific, and it may be a good idea, but it is > exactly the kind of thing which we have left out of the OpenPGP spec. > There are too many issues involved in the design of a mail user agent > for a secure email system, for us to try to capture them in a spec. I agree. > I won't try to go through the rest of the draft at this time. As I said, > I support the goal of PFS, but I am skeptical about whether it makes > sense for our WG to promulgate such detailed advice on a relatively > narrow aspect of security. I am more interested in the parts of the draft that require standardisation (such as marking [and transmitting] one-time keys). I would be more-or-less happy to remove the "advice" parts of the draft and find another venue for them, if that's what the WG wants. Cheers, ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21BHo7R062365; Tue, 1 Mar 2005 03:17:50 -0800 (PST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j21BHo7m062364; Tue, 1 Mar 2005 03:17:50 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailout.TechFak.Uni-Bielefeld.DE (mailout.TechFak.Uni-Bielefeld.DE [129.70.136.245]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j21BHg8r062269 for <ietf-openpgp@imc.org>; Tue, 1 Mar 2005 03:17:49 -0800 (PST) (envelope-from ingo@fargonauten.de) Received: from chagall.TechFak.Uni-Bielefeld.DE (chagall.TechFak.Uni-Bielefeld.DE [129.70.139.44]) by momotombo.TechFak.Uni-Bielefeld.DE (8.12.11/8.12.11/TechFak/2004/05/05/sjaenick) with ESMTP id j21BHLEU019487 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Tue, 1 Mar 2005 12:17:26 +0100 (MET) Subject: Re: PGP Partitioned Encoding Format From: Ingo Luetkebohle <ingo@fargonauten.de> To: "\"Hal Finney\"" <hal@finney.org> Cc: ietf-openpgp@imc.org In-Reply-To: <20050228233557.2E5DC57EBA@finney.org> References: <20050228233557.2E5DC57EBA@finney.org> Content-Type: text/plain Date: Tue, 01 Mar 2005 12:17:21 +0100 Message-Id: <1109675841.28521.8.camel@chagall.TechFak.Uni-Bielefeld.DE> Mime-Version: 1.0 X-Mailer: Evolution 2.0.0 Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Am Montag, den 28.02.2005, 15:35 -0800 schrieb "Hal Finney": > One other example where Partitioned Encoding is often the best encoding to > use is when sending PGP email to mobile devices. Because the two primary > standard formats for secure email, PGP/MIME and S/MIME, encrypt the entire > body of an email including attachments as one part, a mobile device is > prevented from downloading only specific segments of the message which > can be very desirable in low-bandwidth scenarios. Thats current practice but you make it sound as if its required by the standard. From my reading of RFC3156, it is not. While the "multipart/encrypted" part has to have exactly one encrypted subpart, it may occur several times in any given message. Both approaches have their drawbacks -- its certainly more telling to have every attachment encrypted seperately and its also more work for the handling application. In any case, its hard to tell what will be more appropriate for the recipient. However, advocating a non-MIME format because of assumptions about the recipient seems ill-advised to me. Instead of putting in a notation requesting "partitioned", you might request the "other way" of packaging a MIME-message just as well. If, however, you want to document "partitioned" purely as a backwords- compatibility thing, please don't put in language that makes it sound like it might be a good idea for future use. Sorry, but I've had one too many inline-PGP vs. PGP/MIME discussions to stay calm here ;-) regards -- "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
- Split Implementations of PGP Eric Burger
- Re: Split Implementations of PGP Ben Laurie
- Re: Split Implementations of PGP Werner Koch
- Re: Split Implementations of PGP David Shaw
- Re: Split Implementations of PGP Jon Callas
- Re: Split Implementations of PGP Bill Frantz
- Re: Split Implementations of PGP Cyrus Daboo
- Re: Split Implementations of PGP Bill Frantz
- Re: Split Implementations of PGP Ingo Luetkebohle
- Re: Split Implementations of PGP Cyrus Daboo
- Re: Split Implementations of PGP Peter Gutmann
- RE: Split Implementations of PGP Eric Burger
- RE: Split Implementations of PGP Eric Burger
- RE: Split Implementations of PGP Peter Gutmann
- Re: Split Implementations of PGP Jon Callas
- Re: Split Implementations of PGP Ingo Luetkebohle
- Re: Split Implementations of PGP Ben Laurie
- Re: Split Implementations of PGP Jon Callas
- Re: Split Implementations of PGP Ingo Luetkebohle
- Re: Split Implementations of PGP Lars Eilebrecht
- RE: Split Implementations of PGP Eric Burger
- RE: Split Implementations of PGP Ingo Luetkebohle
- Re: Split Implementations of PGP Jon Callas
- Re: Split Implementations of PGP Jon Callas
- Re: Split Implementations of PGP Ben Laurie
- Re: Split Implementations of PGP Brian G. Peterson
- Re: Split Implementations of PGP Ian G
- Re: Split Implementations of PGP Jon Callas