Educause Security Discussion mailing list archives

Re: New SANS Discount Programs to Educational Centers


From: Dave Koontz <dkoontz () MBC EDU>
Date: Mon, 1 Dec 2003 18:15:29 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

S/MIME and PGP/MIME based message signing has always been a "no-no" on
ANY listserv I've ever been on for this very reason.  You will notice
that most users post with an inline PGP/GnuPG signature (like I've
done here) ... IF and when they desire verification.  Even vendors use
this inline method when posting security patch notices to their own
lists.  Just about every list adds disclaimer text or taglines to
messages posted to them.  Given these common alterations, you may
want to re-think your MIME based message signing to something more
universal and forgiving, such as PGP/GnuPG inline signing.  Thawte
and Verisign MIME signatures are great, but not for signing list
messages.

Just my 1/2 cent worth.... <g>

- -----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of H. Morrow Long
Sent: Monday, December 01, 2003 4:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New SANS Discount Programs to Educational Centers

On Dec 1, 2003, at 10:10 AM, David Escalante wrote:
Just thought I'd mention that Mozilla 1.5 reports your X.509 signature
as "broken" for this message.  It notes that the signature does not
match the message content correctly, and that the message appears to
have been altered since sending.  This is conceivable if some
majordomo-ish software munged the headers or something, but if that's
what happened, then there's no point in signing messages to lists.
Interesting.  Have you run into this before?
--
David Escalante
Director of Computer Security
Boston College

David -- The mailing list software which EDUCAUSE is using is
modifying the message sent to some degree -- and actually any small
amount of modification at all will throw off the crypto 'signing' of
the MIME parts.  I've checked the 'sent' message in my 'out box' and
the signature on it is fine and can be verified.

Yes, I've run into list s/w modifying e-mail messages before (e.g. by
appending lines to the posted messages), thereby breaking the digital
signatures (you can get around this by only tacking on info as part of
the RFC822 headers, which should be 'outside' the digital signature
for the message).

The major change that the list s/w is making inside the MIME message
parts is inserting a tagline for the Educause discussion groups --
e.g. the two lines:

**********\$
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

But the list software is also reformatting "whitespace" in the message
as well (changing leading tabs to spaces and removing trailing spaces).

Here is a 'diff' between the message I sent and what I received from
the list (the RFC822 headers have been removed as well as the trailing
S/MIME sig) to demonstrate:

[net248-80:/tmp] morrow% diff one two | vis -l
3c3\$
<       boundary=Apple-Mail-1--870838275\$
- ---\$
        boundary=Apple-Mail-1--870838275\$
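Review bot: the 3c3 hunk (like 9,10c9,10 and 87c90 further down) changes only leading whitespace, a tab on the `<` line against spaces on the replacement line, in a MIME parameter line (`boundary=`) that sits inside the signed body part, so this edit alone is enough to invalidate the multipart/signed signature. Note also that the replacement lines lack the `> ` prefix `diff` prints for the second file, presumably stripped by the archive as quoted text, and that `- ---` is the `---` hunk separator dash-escaped by the outer inline PGP signature of the reply.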
9,10c9,10\$
<       charset=US-ASCII;\$
<       format=flowed\$
- ---\$
        charset=US-ASCII;\$
        format=flowed\$
12c12\$
< I received the following targeted e-mail from SANS (Note: I have no
\$
- ---\$
I received the following targeted e-mail from SANS (Note: I have
no\$
14c14\$
< I know that many of us in higher ed participate in SANS training as
\$
- ---\$
I know that many of us in higher ed participate in SANS training
as\$
17c17\$
< SANS is offering two new discounted packages specifically to .edu
\$
- ---\$
SANS is offering two new discounted packages specifically to
.edu\$
23c23\$
< 2. General end-user online SANS Security Awareness Training @ $1
per
\$
- ---\$
2. General end-user online SANS Security Awareness Training @ $1
per\$
26c26\$
< H. Morrow Long, Director - Information Security Office, ITS, Yale
\$
- ---\$
H. Morrow Long, Director - Information Security Office, ITS,
Yale\$
83a84,86\$
**********\$
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.\$
\$
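Review bot: the 83a84,86 hunk is the only insertion in the diff and it lands inside the signed MIME part rather than in the RFC 822 headers; the three added lines are the tagline described above, and because the signature covers the whole part this addition by itself breaks verification. Carrying the same information only in a header (an RFC 2369 `List-Help` header, for instance), as Morrow suggests, would leave the signed part and its signature untouched.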
87c90\$
<       charset=US-ASCII\$
- ---\$
        charset=US-ASCII\$
204c207\$
< Brian Correia \$
- ---\$
Brian Correia\$
208c211\$
< SANS Institute \$
- ---\$
SANS Institute\$
210c213\$
< www.sans.org / brian () sans org \$
- ---\$
www.sans.org / brian () sans org\$
[net248-80:/tmp] morrow%

- - H. Morrow Long
   Director - Information Security
   Yale University, ITS


**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3

iD8DBQE/y8pvAUCyJXrX9WkRAsroAJ4touu6L7//p9fKBr+2cQ42onNrdQCgt7Ve
pw0QpgCc9c1tsrO+gNpXCpQ=
=vnSq
-----END PGP SIGNATURE-----

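Dave's recommendation of inline signing and Morrow's explanation of why the MIME-part signature breaks can both be checked with the following Python script. It is an example added here, not code from the thread, from EDUCAUSE's list software, or from any mail client mentioned. It models the four list-side edits visible in Morrow's diff (tagline appended, leading tabs converted to spaces, trailing spaces stripped, long lines rewrapped) plus the header-only alternative he suggests, and runs each against a multipart/signed-style signature over the whole body part (RFC 1847, what S/MIME and PGP/MIME do) and an RFC 4880 cleartext signature. The signing key, the sample message text and the `List-Help` header value are constructed assumptions; an HMAC stands in for the RSA/DSA signature because only the set of hashed bytes matters here.

```python
"""Which signature style survives a mailing list's edits?  Added example, not
code from the thread.  An HMAC stands in for the RSA/DSA signature: the point
is which bytes get hashed, not the public-key algorithm."""
import hashlib
import hmac
import re

KEY = b"stand-in-for-the-signer-private-key"  # assumption: symmetric key, no keypair


def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


# Constructed sample, folded the way the thread's diff shows Apple Mail does it:
# tab-indented MIME parameters, trailing spaces, one line longer than 72 columns.
PART_HEADERS = "Content-Type: text/plain;\n\tcharset=US-ASCII;\n\tformat=flowed\n\n"
TEXT = (
    "SANS is offering two new discounted packages specifically to .edu sites and staff. \n"
    "\t1. GIAC certification bundle \n"
    "\t2. General end-user online Security Awareness Training \n"
    "-- \n"
    "Brian Correia \n"
)
TAGLINE = ("**********\nParticipation and subscription information for this EDUCAUSE\n"
           "Discussion Group discussion list can be found at http://www.educause.edu/cg/.\n")


# --- list-side edits, each modelled on hunks in the thread's diff ---
def append_tagline(part):                 # 83a84,86
    return part + TAGLINE

def leading_tabs_to_spaces(part):         # 3c3, 9,10c9,10, 87c90
    return re.sub(r"^\t+", lambda m: "        " * len(m.group()), part, flags=re.M)

def strip_trailing_spaces(part):          # 204c207, 208c211, 210c213
    return re.sub(r"[ \t]+$", "", part, flags=re.M)

def rewrap_long_lines(part, width=72):    # 12c12, 14c14, 17c17, 23c23, 26c26
    out = []
    for line in part.split("\n"):
        while len(line) > width and line.rfind(" ", 0, width) > 0:
            cut = line.rfind(" ", 0, width)
            out.append(line[:cut])
            line = line[cut + 1:]
        out.append(line)
    return "\n".join(out)

LIST_EDITS = {
    "tagline_in_body": append_tagline,
    "leading_tabs_to_spaces": leading_tabs_to_spaces,
    "trailing_spaces_stripped": strip_trailing_spaces,
    "long_lines_rewrapped": rewrap_long_lines,
    "list_help_header_only": None,        # Morrow's fix: add only an RFC 822 header
}

def deliver(msg, edit):
    """The message as a subscriber receives it after one list edit."""
    if edit == "list_help_header_only":   # header value is an assumption (RFC 2369 List-Help)
        return dict(msg, headers={**msg["headers"], "List-Help": "<http://www.educause.edu/cg/>"})
    return dict(msg, part=LIST_EDITS[edit](msg["part"]))


# --- style 1: multipart/signed (S/MIME, PGP/MIME), RFC 1847 ---
def mime_sign(text):
    # The signature covers the whole first body part, MIME headers included, byte for byte.
    part = PART_HEADERS + text
    return {"headers": {"From": "sender@example.edu"}, "part": part, "sig": sign(part.encode())}

def mime_verify(msg):
    return verify(msg["part"].encode(), msg["sig"])


# --- style 2: inline cleartext signature, RFC 4880 section 7.1 ---
def canonical(text: str) -> bytes:
    # Trailing spaces/tabs are dropped from every line and line endings become CRLF
    # before hashing; leading whitespace and the words themselves are hashed as written.
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                       # the newline before the signature armor is not signed
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode()

def dash_escape(text):                    # a line starting with "-" becomes "- -..."
    return re.sub(r"^-", "- -", text, flags=re.M)

def dash_unescape(text):
    return re.sub(r"^- ", "", text, flags=re.M)

CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n(?P<text>.*?)"
    r"-----BEGIN PGP SIGNATURE-----\n(?P<sig>[0-9a-f]+)\n-----END PGP SIGNATURE-----", re.S)

def clearsign(text):
    armor = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + dash_escape(text)
             + "-----BEGIN PGP SIGNATURE-----\n" + sign(canonical(text))
             + "\n-----END PGP SIGNATURE-----\n")
    return {"headers": {"From": "sender@example.edu"}, "part": PART_HEADERS + armor}

def clearsign_verify(msg):
    m = CLEARSIGNED.search(msg["part"])   # anything outside the armor is simply not signed
    return bool(m) and verify(canonical(dash_unescape(m["text"])), m["sig"])


def survival_matrix():
    """style -> {edit: still verifies?}; the untouched message must verify first."""
    styles = {"mime_signed": (mime_sign, mime_verify),
              "inline_clearsign": (clearsign, clearsign_verify)}
    matrix = {}
    for style, (signer, verifier) in styles.items():
        signed = signer(TEXT)
        assert verifier(signed)
        matrix[style] = {edit: verifier(deliver(signed, edit)) for edit in LIST_EDITS}
    return matrix


if __name__ == "__main__":
    for style, row in survival_matrix().items():
        print(style)
        for edit, ok in row.items():
            print(f"  {edit:26} {'verifies' if ok else 'BROKEN'}")
```

Running it gives the split the thread describes, with one caveat. The MIME-part signature fails under every body edit and survives only the header-only change. The cleartext signature survives the appended tagline (it falls after the armor, outside the signed region) and the trailing-space stripping (RFC 4880 section 7.1 discards trailing spaces and tabs before hashing), but a list that converts leading tabs or reflows long lines, as this one also does, breaks inline signatures too, so "more forgiving" holds only for the appended-text and trailing-whitespace cases. Keeping list additions in RFC 822 headers is the only edit that leaves both styles intact.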