Re: [lamps] smile.p7m as attachments in MUA

Pavan Kumar Dinesh <pdinesh@gmu.edu> Fri, 01 July 2022 21:42 UTC

From: Pavan Kumar Dinesh <pdinesh@gmu.edu>
To: Russ Housley <housley@vigilsec.com>
CC: LAMPS <spasm@ietf.org>, Tawhidul Islam <tislam20@gmu.edu>, Eric Osterweil <eoster@gmu.edu>
Date: Fri, 01 Jul 2022 21:27:46 +0000
Message-ID: <SN6PR05MB52478726BB45DDB10D4B12B3B2BD9@SN6PR05MB5247.namprd05.prod.outlook.com>
References: <SN6PR05MB524761A318CF3A9D5E2858A1B2AE9@SN6PR05MB5247.namprd05.prod.outlook.com> <B6A50E7C-4D0B-47F8-AB41-6B742AC9C755@vigilsec.com> <SN6PR05MB5247000A949AB18ACD8C03F3B2BB9@SN6PR05MB5247.namprd05.prod.outlook.com>
In-Reply-To: <SN6PR05MB5247000A949AB18ACD8C03F3B2BB9@SN6PR05MB5247.namprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KwC99ib-y1S8JhUBU8hqHpPVQKM>

Hi again working group and thank you for the previous advice!

We are graduate students who are working on a research project to implement S/MIME+DANE functionality in Outlook clients, and we want the produced emails to be cross-compatible with other S/MIME capable MUAs. We followed the group's previous advice to review the RFC, and we seem to be running into a limitation in Outlook that is hampering us from following that guidance. We know Outlook has native support for S/MIME, but integrating DANE through the Add-on framework (Outlook.js) seems to make following the RFCs a non-starter. We are hoping this is user error on our side, but we've exhausted all the options we can think of. Any guidance to help us be able to follow the RFCs more faithfully would be greatly appreciated.

The details of our approach are below:

Critically, while implementing our add-on in the Outlook.js framework we are not able to change MIME headers beyond the highest-level nudging of adding attachments of certain media types or toggling modes between plain text vs. HTML. This means our add-on has no real way to set Content-Type headers to "multipart/signed" or "application/pkcs7-mime" and the like.

Our current approach is to instead attach the whole S/MIME message as an (.eml) attachment. The content of the attachment is the full MIME of the actual signed or encrypted email. The message that this .eml is attached to remains an unsecure, but readable, fallback for signed messages.

Our current idea is that this .eml file should be in practice exactly like the attachment "smime.p7m" presented by certain MUAs, in that users may click/download to render the message plus security details in local S/MIME-aware software. Without being able to adjust the headers, it does not seem like we can successfully trigger MUAs' native S/MIME functionality. In MUAs like Mail.app, the messages with p7m are blocked from loading and users get security warnings, so we need to do something else.

Does this pass the sanity check? We would love to be made aware of any guidance that exists for doing S/MIME with these (not too unusual) constraints.

We are hopeful to make our add-in as compatible as possible, as it's a neat marriage of DANE and email security.

Thanks!

________________________________
From: Pavan Kumar Dinesh <pdinesh@gmu.edu>
Sent: Wednesday, June 29, 2022 1:53:31 PM
To: Russ Housley <housley@vigilsec.com>
Cc: LAMPS <spasm@ietf.org>; Tawhidul Islam <tislam20@gmu.edu>; Eric Osterweil <eoster@gmu.edu>
Subject: Re: [lamps] smile.p7m as attachments in MUA

Thank you, Russ, for the quick response. Sorry about the delay in getting back to you. We went through Section 3.2.1 of RFC 8551 and we've gotten more insight and will report back on some of the blockers we're having in a while on the same thread.

Thanks again.

________________________________
From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, June 18, 2022 11:37 AM
To: Pavan Kumar Dinesh <pdinesh@gmu.edu>
Cc: LAMPS <spasm@ietf.org>; Tawhidul Islam <tislam20@gmu.edu>; Eric Osterweil <eoster@gmu.edu>
Subject: Re: [lamps] smile.p7m as attachments in MUA

Please see Section 3.2.1 of RFC 8551.

Russ

On Jun 18, 2022, at 10:41 AM, Pavan Kumar Dinesh <pdinesh@gmu.edu> wrote:

TLDR: Is "smime.p7m" a file that is attached to emails, or a reserved name used by recipient MUAs that represents the source MIME of the email?

Hello,

We are students working on an MUA extension that sends SMIME emails as attachments.
A file containing the "multipart/signed" or "application/pkcs7-mime" MIME structures is attached to the email being sent.

From our understanding, this should be similar to how MUAs sometimes show S/MIME messages as an attachment called "smime.p7m". RFC 8551 describes .p7m as the extension for "application/pkcs7-mime", and examples include Content-Disposition: attachment (Section 3.3).

However, when calling the attachment "smime.p7m" (or really anything with the ".p7m" extension), a certain MUA (Apple Mail) has odd behavior on the recipient side, renaming the attachment to "Mail Attachment.eml" and showing security warnings to the user before the message is displayed. This occurs no matter the content of the attached file. This makes us suspect sending emails with *.p7m named attachments is not widely compatible (perhaps a conflict with reserved file names for the MUA).

Any words of wisdom on what "smime.p7m" actually is when mail clients show it as an attachment? Is that something we can send as an attachment at all?

Thank you!
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
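The following is an added example for this thread; it is not code from the posters, from Outlook.js, or from any S/MIME library. It builds the two signed-message layouts that RFC 8551 describes (a top-level `application/pkcs7-mime` object named smime.p7m, and `multipart/signed` with a detached smime.p7s part), builds the "whole S/MIME message as an .eml attachment" layout proposed above, and then classifies each message the way a receiving MUA decides whether to run its native S/MIME handling: by the top-level Content-Type, not by an attachment's file name. The CMS bytes are a constructed placeholder rather than a real SignedData object, and the addresses are made up; only the MIME structure is being demonstrated.

```python
"""Added example (not from the thread): S/MIME message layouts and where a
receiving MUA looks for them. FAKE_CMS is a constructed placeholder, not a
real CMS SignedData object; the example is about MIME structure only."""
from email import message_from_bytes, policy
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed placeholder standing in for DER-encoded CMS SignedData bytes.
FAKE_CMS = b"\x30\x82\x00\x10PLACEHOLDER-NOT-A-REAL-CMS-BLOB"

SMIME_TYPES = {"application/pkcs7-mime", "application/pkcs7-signature"}


def multipart_signed(sender: str, rcpt: str) -> Message:
    """multipart/signed layout: clear text plus a detached smime.p7s part."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                          micalg="sha-256")
    outer["From"] = sender
    outer["To"] = rcpt
    outer["Subject"] = "multipart/signed example"
    outer.attach(MIMEText("Hello from the add-in.\n"))
    sig = MIMEApplication(FAKE_CMS, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    outer.attach(sig)
    return outer


def pkcs7_mime_signed(sender: str, rcpt: str) -> Message:
    """application/pkcs7-mime layout: the whole body is one smime.p7m object."""
    # smime_type= becomes the smime-type parameter (underscore maps to hyphen).
    msg = MIMEApplication(FAKE_CMS, "pkcs7-mime", smime_type="signed-data",
                          name="smime.p7m")
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "application/pkcs7-mime example"
    msg.add_header("Content-Disposition", "attachment", filename="smime.p7m")
    return msg


def eml_attachment_workaround(sender: str, rcpt: str) -> Message:
    """The thread's workaround: readable fallback text plus the signed message
    carried as a message/rfc822 attachment, leaving the outer headers alone."""
    outer = MIMEMultipart("mixed")
    outer["From"] = sender
    outer["To"] = rcpt
    outer["Subject"] = "eml workaround example"
    outer.attach(MIMEText("Unsigned fallback. The signed copy is attached.\n"))
    wrapped = MIMEMessage(multipart_signed(sender, rcpt))
    wrapped.add_header("Content-Disposition", "attachment", filename="signed.eml")
    outer.attach(wrapped)
    return outer


def is_native_smime(msg: Message) -> bool:
    """True when this message's own Content-Type is an S/MIME structure."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        return True
    return (ctype == "multipart/signed"
            and msg.get_param("protocol") == "application/pkcs7-signature")


def classify(raw: bytes) -> dict:
    """Report where the S/MIME structure sits: 'native' (top level, so a
    conforming MUA verifies or decrypts it), 'attached' (nested inside an
    ordinary message, so the MUA only sees a file) or 'none'."""
    msg = message_from_bytes(raw, policy=policy.default)
    filenames = [p.get_filename() for p in msg.walk() if p.get_filename()]
    top = msg.get_content_type()
    if is_native_smime(msg):
        return {"placement": "native", "top": top, "filenames": filenames}
    for part in msg.walk():
        if part is msg:
            continue
        ctype = part.get_content_type()
        # A message/rfc822 part wraps a whole message; inspect that message.
        nested = part.get_payload(0) if ctype == "message/rfc822" else part
        if ctype in SMIME_TYPES or is_native_smime(nested):
            return {"placement": "attached", "top": top, "filenames": filenames}
    return {"placement": "none", "top": top, "filenames": filenames}


if __name__ == "__main__":
    for build in (multipart_signed, pkcs7_mime_signed, eml_attachment_workaround):
        raw = build("alice@example.test", "bob@example.test").as_bytes()
        print(build.__name__, classify(raw))
```

Running the block shows the two RFC 8551 layouts classified as `native` while the .eml workaround is classified as `attached` with top-level `multipart/mixed`. That is the structural reason for what the posters observe: a recipient MUA keys its S/MIME handling off the outer Content-Type, so a nested signed message is handed to the user as an ordinary file, and the outer message it rides in carries no integrity protection of its own. Naming that file smime.p7m does not change the classification, only the file name list.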