IETF Logo Mail Archive

Re: [openpgp] Put Signature in an Email's Header

Bart Butler <bart+ietf@pm.me> Tue, 08 August 2023 17:07 UTC

Return-Path: <bart+ietf@pm.me>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B62C6C152573 for <openpgp@ietfa.amsl.com>; Tue, 8 Aug 2023 10:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pm.me
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nYH1jiBKIsgq for <openpgp@ietfa.amsl.com>; Tue, 8 Aug 2023 10:07:02 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C370BC15152C for <openpgp@ietf.org>; Tue, 8 Aug 2023 10:07:02 -0700 (PDT)
Date: Tue, 08 Aug 2023 17:06:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pm.me; s=protonmail3; t=1691514420; x=1691773620; bh=bbrW7a/ev66T+3qLc80cu2XF1LuNZQOgVE7qoRSIbks=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=ECcBUB0PF8kw/7Q7OauboVIwo8xtlR+wdDTYBPO+2ZGu2mRsh1i945nNFPwXd0Hra tbVa12BEGHwo/8ETXtfoFCLJS1Me/+B0hdRKKkGIRnkZtXG7I0PVPc2HM+auJle42z T2uyZd0Gh8vn85yh1zy+pUBHAQEmN1Lrv9ZD/CLQs08ModQGbj9r3y9sN1Wc+QkkKp aQ8HkQwwbFtFJwt40tt2uAjsKUV9ZcOIifHxFU/Q2eB1grwLNRfnKboGvrJNVAQ3m0 kBZsm9veTvLJr3r0TCv/qIvs5rK4ILXIelmSIrXGbsWCoI12PI7HJ/GBoJKVPQY9dB DS9jU56Wn6IrQ==
To: Kai Engert <kaie@kuix.de>, Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>, "openpgp\\@ietf.org" <openpgp@ietf.org>
From: Bart Butler <bart+ietf@pm.me>
Message-ID: <srngUaHAVOOvcLAVlV4Dzd70XCfUJfCOYoWkVIMWpIhurQ_0c7aTBHAKPanjhbaYxBSMDZ8BawhaLKKkfcP5lUWVT6TwkSjkhEvG8P3tigA=@pm.me>
In-Reply-To: <17a06888-8516-457f-8ef3-85b7c77ce2f6@kuix.de>
References: <48be3fcf-cdce-9ef4-655b-63b6dddf9310@kuix.de> <878sa4y7hy.wl-neal@walfield.org> <4dbaf770-2b2e-47cc-afb5-3ba07706aafd@kuix.de> <87a5v1j4xo.fsf@wheatstone.g10code.de> <db447915-fc25-4759-879e-b64020c0ec0e@kuix.de> <87zg31hoee.fsf@wheatstone.g10code.de> <ba560bb0-0fa5-40a2-b70d-83f36859e17e@metacode.biz> <87v8dphmec.fsf@wheatstone.g10code.de> <17a06888-8516-457f-8ef3-85b7c77ce2f6@kuix.de>
Feedback-ID: 5683226:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha256"; boundary="------656f057e00e87282173a6b5c571603bde286980789aeecf1be9551db0205da5b"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/tltoPRiZJ94NgoWc_F5zwBWXIx0>
Subject: Re: [openpgp] Put Signature in an Email's Header
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2023 17:07:06 -0000


Why not take a page out of DKIM’s book and just put the signature header(s) in the protected headers directly, maybe at the top, except exclude only that header from the signed data if present? Seems like that would also be backwards compatible with existing PGP/MIME if you wanted to sign both ways as well.

On Tue, Aug 8, 2023 at 4:08 PM, Kai Engert <kaie@kuix.de> wrote:
On 08.08.23 12:13, Werner Koch wrote:
> A signed mail with the signing key included (as done by CMS) is a
> straightforward way to bootstrap encrypted communication. It is mail
> standards compliant and does not break when for example forwarding
> mails.

Good point about forwarding, I didn't consider that previously. And I
realize we also need to ensure that we don't break protected headers.

To investigate, I crafted a message without a multipart/signed layer,
but with a protected header layer. I looked at this message in two
different webmail clients, and that layer wasn't rendered.

This brings me to the following idea: Could we transport that new
signature-header in the header area of an additional multipart/mixed layer?

Example message:

MIME-Version: 1.0
Subject: wrapped in two multipart/mixed, prot hdr and sig
Content-Type: multipart/mixed; boundary="signature";
openpgp-signature="multi-mixed"
Header-Signature: micalg=pgp-sha256;
protocol="application/pgp-signature"; sigdata=
wsF5BAABCAAjFiEEIdFuZ...
=9HqM

--signature
Content-Type: multipart/mixed; boundary="prot-hdr";
protected-headers="v1"
From: Kai Engert <kaie@kuix.de>
To: test <testmail@kuix.de>
Subject: wrapped in two multipart/mixed, prot hdr and sig

--prot-hdr
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

dHF3ZnF3ZWYNCg==

--prot-hdr--

--signature--

When I use forward-as-attachment in Thunderbird with a message of this
structure, the "Header-Signature" header is kept.

Could this work?

Thanks
Kai

_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email