RE: Protecting fields via message/rfc822 and merging issues
Omer Hasret <hasret <at> belbone.be>
2002-05-02 08:04:23 GMT
Suggestion for "From:" field below,
From: owner-ietf-smime <at> mail.imc.org
[mailto:owner-ietf-smime <at> mail.imc.org] On Behalf Of Bonatti, Chris
Sent: mercredi 1 mai 2002 20:15
To: Blake Ramsdell
Cc: IETF SMIME WG
Subject: RE: Protecting fields via message/rfc822 and merging issues
See embedded comments below.
> > b) Discarding the outer 822 message and looking only at the inner
> > fields works provided that the inner message is complete. However,
> > it does not work if only a partial list of fields is included in the
> > inner message. Also, since we negate the usefulness of the outer
> > message in all cases, we strongly encourage that it be a blank
> > "dummy" message. This would effectively require the
> > application to do security processing even to display
> > the originator, subject line, etc. -- fields normally
> > shown in a mailbox view. Blake also correctly pointed
> > out that this would squash useful headers like "trace"
> > (i.e., Received:...) and things added by list exploders.
> [bcr] Right, and I think this also includes header security
> policies (not necessarily cryptography, but generic
> rewriting) applied by the organization such as rewritten
> address lines for host name hiding or adding disclosed
> recipients. I think this is where we start running into a
> problem, and where we're in danger of failing.
I don't see this as so big a problem with (c). All you need to do to
make sure that you don't override the outer fields is to ensure that
recipients aren't originating those fields in the inner wrapper. I
could think of a number of ways to implement that. In fact, it sounds
like an excellent market discriminator.
> > d) Include the signal in a CMS attribute - In a signed-only
> > or signed-and-encrypted message, the attribute should
> > probably be in the inner signedAttrs. For encrypted-only
> > messages, it would have to go in the unprotectedAttrs,
> > but this is not optimal since it shares the disadvantages
> > of (a). If this is the way forward, we have to have the
> > subsequent discussion of whether to use an existing or
> > new attribute.
> > Obviously, my belief is that (d) is the only one that
> > works. However, I'm not happy with how it works in the
> > encrypted-only case. I'm also somewhat sensitive to
> > "attribute bloat". I therefore earnestly hope somebody
> > else sees something that I've missed.
> [bcr] I think that the biggest problem I'm having is that
> we're trying to mix authenticated / unauthenticated /
> encrypted / unencrypted headers together and try to do the
> right thing in an automated fashion. As much as as we might
> like to define this, I think the only option might be to take
> the coward's way out and explain that the presentation and
> merging of the headers are the problem of the client, and
> that it's not possible to automatically mix them. The
> realization that I'm coming to is that there is no utility in
> merging the headers, and we shouldn't even attempt it, and we
> should document that the client needs to potentially make
> decisions about how much to trust the internal headers vs.
> the external headers, and it is their responsibility to
> demonstrate the separation.
I take the point I think you're making that there might be numerous
GOOD ways of doing this depending on your assumptions, and that there
might therefore not be a BEST way. If a product is capable of showing
you both and indicating what is authenticated or encrypted and what
isn't, that might be best.
> [bcr] My thinking right now is along the lines of the
> following, and I could very well be missing some important
> 1. Use message/rfc822 with a full set of headers for the
> inner protected content. This is backward compatible, and
> it's entirely possible that existing clients might even
> process this correctly.
> 2. Define placebo values for any outer message required
I didn't figure we needed to do this, but it's more important in the
scenario you suggest. For "Date:" I would suggest 1/1/1970 (zero in
UNIX, I think). I guess I don't have a value to suggest for "From:".
The difficulty is that you need to have a minimally conformant address.
Anybody out there have a suggestion?
--------------------- From: John Doe?
> 3. Explain the client considerations for presentation.
I still think that we can do better than saying nothing here. Perhaps
we can describe a default rule similar to the option (c) I described,
hanging under a SHOULD. That way, if there was a good reason to do
something different it's okay.