Re: [openpgp] signed/encrypted emails vs unsigned/unencrypted headers

Ximin Luo <infinity0@gmx.com> Tue, 16 July 2013 08:29 UTC

On 16/07/13 09:16, Werner Koch wrote:
> On Tue, 16 Jul 2013 10:06, infinity0@gmx.com said:
>> On 03/07/13 00:22, Ximin Luo wrote:
> 
>>> What's the current status of this in the PGP/MIME standard? Is it still a
>>> problem? I notice that email subject headers are in a similar situation, and
>>> users have complained about it.[3] The problem of unencrypted/unauthenticated
>>> recipient is less obvious, so I haven't seen user complaints, but potentially
> 
> There is a simple and standards-conforming way to tackle this:
> message/rfc822 - all covered by PGP/MIME.
> 
> FWIW, PGP/MIME allows you to do encrypt-then-sign or any other
> combination - if you really want that.  PGP/MIME is a well thought out
> and matured system created 17 years ago.
> 

Thanks, I will take a look.

Could you take a guess on why this feature is not used more? I haven't seen any
emails that use it (either an encrypted To: or Subject: field), either because
no emails actually use it, or perhaps it's my client's fault for not displaying
it correctly.

As mentioned in a previous link, it includes a security issue due to
surreptitious forwarding of signed messages to unintended recipients. So I
would've thought people writing these PGP email clients would've taken it into
account.

X

-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
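
A receiving-side check for the approach discussed in this thread (the whole message wrapped as message/rfc822 inside the PGP/MIME signed part), as an added example that is not part of the original message or of any mail client's code. It compares the unsigned outer headers against the signed inner ones, which is how a forwarded or re-addressed signed message shows up. The function names and the sample message are hypothetical, and OpenPGP signature verification is assumed to have been done separately.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample: outer (unsigned) To:/Subject: differ from the signed copy.
SAMPLE = """\
From: alice@example.org
To: mallory@example.net
Subject: (no subject)
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: message/rfc822

From: alice@example.org
To: bob@example.org
Subject: Q3 figures

I agree to the terms.
--b1
Content-Type: application/pgp-signature

(placeholder, constructed)
--b1--
"""

def protected_message(raw):
    """Return (outer, inner); inner is the signed message/rfc822 or None."""
    outer = message_from_string(raw, policy=policy.default)
    if outer.get_content_type() != "multipart/signed" or not outer.is_multipart():
        return outer, None
    parts = outer.get_payload()
    if len(parts) != 2 or parts[0].get_content_type() != "message/rfc822":
        return outer, None
    return outer, parts[0].get_payload(0)

def _norm(name, value):
    if value is None:
        return None
    if name.lower() in ("from", "to", "cc"):  # compare address sets, not display names
        return sorted(a.lower() for _, a in getaddresses([str(value)]))
    return " ".join(str(value).split())

def header_mismatches(raw, names=("From", "To", "Cc", "Subject")):
    """Map header name -> (outer value, signed value) where they disagree."""
    outer, inner = protected_message(raw)
    if inner is None:
        raise ValueError("no signed message/rfc822 part; headers are unprotected")
    return {n: (str(outer[n]), str(inner[n])) for n in names
            if _norm(n, outer[n]) != _norm(n, inner[n])}
```

A non-empty result means the headers shown by the transport are not the ones the sender signed, so a client should display the inner values or warn.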