Re: [lamps] LAMPS sample keys and certificates

Daniel Kahn Gillmor <> Fri, 20 December 2019 23:48 UTC

From: Daniel Kahn Gillmor <>
To: Russ Housley <>, LAMPS WG <>
Date: Fri, 20 Dec 2019 18:48:39 -0500

Hi LAMPS folks--

On Thu 2019-12-19 18:32:28 -0500, Russ Housley wrote:

> We set a goal at IETF 106 of learning how different user agents handle
> the two approaches to header protection.  I would like to see reports
> on the mail list so that we can choose a way forward.  Please help!

Thanks for the nudge, Russ.  Turns out i've learned a lot more about
S/MIME than i ever wanted to know, in the process of creating S/MIME
test vectors for the Autocrypt-style protected headers.

I've just published

From the in-document changelog:

    Significant changes between version -01 and -02:

      - Added S/MIME test vectors in addition to PGP/MIME

      - Legacy Display parts should now be text/plain and not
        text/rfc822-headers (see

      - Cryptographic Payload must have protected-headers parameter set
        to v1 (see

      - Test vector sample Message-Ids have been normalized

      - Added encrypted-only (unsigned) test vectors, at the suggestion of
        Russ Housley

In addition, the test vectors are programmatically available at:


(use any password, should be a read-only mailbox, with ephemeral IMAP

I'm asking folks who have clients capable of handling cryptographic
e-mail (either S/MIME or PGP/MIME or both, you don't have to handle
everything!) to submit screenshots!

It should be useful to collect screenshots following the guidance
outlined here:

If you'd like an example, take a look at the Thunderbird + Enigmail
screenshots here:

I'd appreciate any feedback about this work, particularly on:

 - the screenshot process (can we make it easier for people to generate
   screenshots from a given client)?

 - the test vectors themselves (are there problems with any of them? do they
   follow the draft correctly?)

 - the text in the draft (as an implementer, is it easy to understand
   and implement)?