Re: [lamps] S/MIME fix

Alexey Melnikov <alexey.melnikov@isode.com> Wed, 16 May 2018 14:49 UTC

To: Phillip Hallam-Baker <phill@hallambaker.com>, SPASM <SPASM@ietf.org>
Date: Wed, 16 May 2018 15:48:54 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/-GzfP2EFQ2oLC2T_BjPoKoNQh8s>

Hi Phillip,

On 16/05/2018 15:28, Phillip Hallam-Baker wrote:
> Looking at eFail, surely the simplest fix is to require that an HTML 
> message body be presented in a single CMS envelope presented in a 
> single MIME part?

I am not sure what you mean here. A CMS envelope can contain 
multipart/mixed within it, which is a perfectly valid use case (i.e. if 
one wants to send some encrypted text together with some encrypted 
attachments).
If you are talking about preventing the following construct:


content-type: multipart/mixed;
 boundary=.f8231d7f-681b-442c-97cc-e6c5375d059d

This is a multipart message in MIME format.

--.f8231d7f-681b-442c-97cc-e6c5375d059d
content-type: text/html

...some partial HTML...
--.f8231d7f-681b-442c-97cc-e6c5375d059d
content-disposition: inline; filename=smime.p7m
Content-Transfer-Encoding: base64
content-type: application/pkcs7-mime; name=smime.p7m; smime-type=enveloped-data

...encrypted HTML...
--.f8231d7f-681b-442c-97cc-e6c5375d059d
content-type: text/html

...some partial HTML...
--.f8231d7f-681b-442c-97cc-e6c5375d059d--


i.e. a multipart/mixed that contains a mixture of text/html and 
application/pkcs7-mime, then I might agree with you. But this is not 
really an S/MIME feature, it is a generic MIME feature. So maybe this WG 
should write a document on best S/MIME implementation practices.

> This would simplify the code substantially. While it is conceivable 
> someone has worked out a way to make use of this mis-feature, I for 
> one cannot imagine why Outlook, Thunderbird or the like would ever do 
> anything of the sort.
>
>
> Separately, we have interest in CAA for S/MIME. Surely we should do 
> ACME for S/MIME as well.

Not surprisingly, I agree. See draft-ietf-acme-email-smime-02

> If we are going to do that, surely we should have a discussion of what 
> it would take to make end to end security the default for SMTP.
>
> I am not necessarily thinking of this as a LAMPS thing because we also 
> need to get CAs, probably CABForum involved and maybe the OpenPGP folk.

Best Regards,
Alexey
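
A receiving-side check for the construct shown in the message above, as an added example that is not part of the original post or of any mail client's code: it walks a parsed MIME tree and reports every multipart/mixed whose direct children include both text/html and an enveloped application/pkcs7-mime part. The function names, the finding format and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ENVELOPED = {"enveloped-data", "authenveloped-data"}

def is_enveloped(part):
    """True if the part looks like an encrypted S/MIME body."""
    if part.get_content_type() not in SMIME_TYPES:
        return False
    smime_type = part.get_param("smime-type")
    if not isinstance(smime_type, str):
        return True  # absent or oddly encoded: treat as encrypted (conservative)
    return smime_type.lower() in ENVELOPED

def find_mixed_envelopes(msg, path="1"):
    """Return one finding per multipart/mixed that has text/html and
    enveloped pkcs7-mime parts as siblings; recurses into nested parts."""
    findings = []
    if not msg.is_multipart():
        return findings
    children = msg.get_payload()
    if msg.get_content_type() == "multipart/mixed":
        enveloped = [i for i, c in enumerate(children, 1) if is_enveloped(c)]
        html = [i for i, c in enumerate(children, 1)
                if c.get_content_type() == "text/html"]
        if enveloped and html:
            findings.append({"path": path, "enveloped": enveloped, "html": html})
    for i, child in enumerate(children, 1):
        findings.extend(find_mixed_envelopes(child, f"{path}.{i}"))
    return findings

# Constructed samples: the shape quoted in the message, and a lone envelope.
_P7M = ("Content-Type: application/pkcs7-mime; name=smime.p7m;"
        " smime-type=enveloped-data\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n")
SAMPLE_MIXED = ('Content-Type: multipart/mixed; boundary="b1"\n\n'
                "--b1\nContent-Type: text/html\n\n<p>constructed leading fragment\n"
                "--b1\n" + _P7M +
                "--b1\nContent-Type: text/html\n\nconstructed trailing fragment</p>\n"
                "--b1--\n")
SAMPLE_CLEAN = _P7M

if __name__ == "__main__":
    print(find_mixed_envelopes(message_from_string(SAMPLE_MIXED)))
    print(find_mixed_envelopes(message_from_string(SAMPLE_CLEAN)))
```

A client or gateway could use such a finding to refuse to render the cleartext HTML siblings together with the decrypted part; a multipart/mixed carried inside the CMS envelope is not visible at this layer and is not flagged.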