Bugtraq mailing list archives
Re: crypto flaw in secure mail standards
From: Robert Bihlmeyer <robbe () orcus priv at>
Date: 29 Jun 2001 14:30:06 +0200
Richard Atterer <atterer () informatik tu-muenchen de> writes:
PGP and MUAs with PGP support should either make it very clear that the subject is not encrypted, or (ideally) a facility for encrypted message headers should be added to OpenPGP.
OpenPGP does not concern itself with these things. The relevant standards integrating it with MIME (rfc2015 et al) however do, and since the signed/encrypted part is just another MIME part, you can put arbitrary headers there. Nowadays this part usually only has a Content-Type header, but this is not AFAIK in any way required.

However MUAs must support that first, i.e. allow you to define private headers in addition to the public ones, and be able to replace message headers with those coming from inside a crypto envelope.

Example (The part prefixed with "& " is in reality encrypted):

From: nobody () anonymous remailer example org
To: John Doe <doe () example net>
Subject: <undisclosed>
[...more standard e-mail headers...]
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary=foo

--foo
Content-Type: application/pgp-encrypted

Version: 1

--foo
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
& From: Fred Smith <whistleblower () example com>
& Subject: the sylvester memo
& Content-Type: multipart/mixed; boundary=bar
&
& --bar
& Content-Type: text/plain; charset=us-ascii
&
& Attached is a scan of the internal memo that proves the facts I
& talked to you about.
&
& --bar
& Content-Type: image/jpeg
& Content-Transfer-Encoding: base64
&
& [...]
&
& --bar--
-----END PGP MESSAGE-----

--foo--

--
Robbe
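The header replacement described in the message above, as an added example that is not part of the original post: a Python sketch of the MUA side, in which headers found inside the decrypted part override the outer ones and every displayed header is marked as protected or exposed. The addresses, the `PROTECTABLE` list and the function name are assumptions, and the decrypted text is a constructed stand-in for the output of PGP decryption.

```python
from email import message_from_string

# Assumption: headers the encrypted part may override in the display.
# Transport headers such as Received are deliberately outer-only.
PROTECTABLE = ("From", "Subject", "Reply-To", "Date", "To", "Cc")

# Constructed sample: the outer message as it travels in the clear.
OUTER = """\
From: nobody@remailer.example.org
To: John Doe <doe@example.net>
Subject: <undisclosed>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary=foo

"""

# Constructed sample: plaintext of the encrypted MIME part after decryption.
DECRYPTED = """\
From: Fred Smith <whistleblower@example.com>
Subject: the sylvester memo
Received: from inner.example (must not reach the display)
Content-Type: text/plain; charset=us-ascii

Attached is a scan of the internal memo.
"""


def display_headers(outer_text, decrypted_text):
    """Map header name -> (value, "protected" | "exposed") for the header pane."""
    outer = message_from_string(outer_text)
    inner = message_from_string(decrypted_text)
    shown = {}
    for name in PROTECTABLE:
        if inner[name] is not None:
            # Value came from inside the crypto envelope: it replaces the outer one.
            shown[name] = (inner[name], "protected")
        elif outer[name] is not None:
            # Only the cleartext copy exists: tell the user it was not encrypted.
            shown[name] = (outer[name], "exposed")
    return shown


if __name__ == "__main__":
    for name, (value, status) in display_headers(OUTER, DECRYPTED).items():
        print(f"{name}: {value}  [{status}]")
```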