Re(2): The subject line leakage problem

[Jim Craigie <Jim.Craigie@xxxxxxxxxxxxxx>]

> The subject line issue is not a problem in the X.400 world.  SMTP carries 
> the subject line is in the envelope.  The corresponding X.400 protocols 
> (P1, P3, and P7) do not.  In X.400, the subject line is part of the content.
> 
> X.400 does have similar issues with TO, CC, and FROM.  Both SMTP and 
> X.400 would like to integrity protect these.
> 
> Russ

X.400 also carries TO, CC, and FROM in the content.

> I would like to steer this discussion toward a signed attribute (a CHOICE 
> of IA5String and UTF8String (for international characters that are coming 
> soon)).

Since ASCII characters are encoded identically in a UTF8String and an IA5String there is no need to introduce a CHOICE - keep it simple and just define the syntax as UTF8String.

> My initial cut at the header lines that ought to be included are FROM, 

When displaying the originator of a signed message. S/MIME clients should display the Name + RFC822Address from SubjectAltName from the Certificate that signed the message in place of the FROM from the RFC822 Header. They should do the same e.g. when constructing a reply. So I can see little point adding the FROM into this proposed signed attribute. And I think that Paul Hoffman's proposal (reproduced below) is more general, and altogether a better solution.

> Instead, how about encouraging the use of multipart/mixed which 
> starts with text/rfc822-headers. Any headers in that first part are 
> to replace the same headers on display only.

Jim