partial signed message verification in MUAs [was: Re: debian: gpg --verify suggests entire file was verified, even if file contains auxiliary data]

[Daniel Kahn Gillmor <dkg () fifthhorseman net>]

[ i've changed the subject because i don't want the enigmail UI/UX
  discussion to distract from the report about "gpg --verify" raised by
  Thomas Beige; i think the "gpg --verify" issue needs to be dealt with
  separately ]

On 04/17/2013 10:44 PM, Kurt Seifried wrote:
> So I think first off we need to figure out what the behaviour should
> be. My thought would be that it should be quit explicit, e.g. "this
> entire message/file/etc. was signed by X" or "a part of this
> file/message/etc. was signed by X" and so on.

I agree that these use cases need to be handled separately, but the
latter use case is quite problematic too -- if there's no way to
indicate *which part* of the message has been signed, the user is
basically left to guess at things.  Not very helpful, and it seems quite
prone to abuse by someone who can figure out which ways people are
likely to guess.

Thunderbird's non-handling of S/MIME-signed subparts is an interesting
point of comparison: it shows that the thunderbird devs decided to not
even try to handle the latter case, despite having well-defined semantic
boundaries to key off of.  I'd be curious to see an evaluation of other
MUAs handling of verification of any cleartext-signature scheme.

(there may also be a problem with indications of decryption, in addition
to clearsig verification, but i think clearsig verification is probably
worth tackling first)

> The next challenge is how to signal it to the end user. One challenge
> with enigmail is it provides some of the signalling "in band" as it
> were (in the email text area) which can be modified by the attacker,
> and some of it "out of band: (at the top of the window area it puts
> the color bar and text to clarify. With GPG command line it can maybe
> say something like "part of this message was signed by X"?

********* *BEGIN ENCRYPTED or SIGNED PART* *********

Enigmail's in-band signalling is trivially-forgeable, unfortunately, as
this paragraph indicates :(

********** *END ENCRYPTED or SIGNED PART* **********

The in-band signalling is also not used for PGP/MIME-signed messages; I
believe it's only intentionally used for those inline-PGP messages which
have text outside of the signature (though enigmail doesn't prevent the
same markers from showing up in other messages, or even elsewhere in the
same message).

Without a clear way to indicate a sub-part in the thunderbird UI that
can't be controlled by the message author, it's not clear to me that
there is a responsible way to report this information :(

> I'm inclined to assign a CVE to this type of vulnerability but I have
> no idea how we fix this _properly_. Anyone have ideas?

notmuch-emacs' PGP/MIME verification approach is worth looking at
(though perhaps not appropriate for the same groups of users as
thunderbird/enigmail): it provides controlled indenting of message parts
and threading, and places visually-distinct (and i think unforgeable)
signature tags at the appropriate indent level to indicate the scope of
the signature.  It does not handle inline-PGP signatures at all, though.
 I present this as one datapoint, not a silver bullet, unfortunately.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature