Re: the 8-bit dilemma

Michael Elkins (elkins@aero.org)
Tue, 27 Feb 1996 14:21:26 -0800

On Feb 27, Jueneman@gte.com wrote:
> I would argue the contrary position. It seems to me that with thevast 
> popularity of web server, e-mail is going to become a means of notifying 
> someone of a document they may want to be aware of, together with a secure 
> embedded  URL to a remote attachment they can fetch at their leisure.
>
>[...]
> 
> In this scenario, the object-based security model is vitally important. 
> Regardless of where the document or files happen to reside, I still want them 
> encrypted and protected against modification.

I'm not arguing that object based security isn't important.  But I think that
the disagreements we are seeing is because there are really two different
services that need to be provided:
	- secure transport of e-mail (or http)
	- a system for conveying (securely) signature for external bodies

These should be two separate issues and have different services.  For example,
you might have something like the following:

	Content-Type: multipart/signed; protocol="application/pgp-signature";
		micalg=pgp-md5; boundary=SignedBoundary

	--SignedBoundary
	Content-Type: multipart/mixed; boundary=MixedBoundary

	--MixedBoundary
	
	Here is a pointer to the latest release of the PGP/MIME reference
	kit.

	--MixedBoundary
	Content-Type: message/external-body; access-type=anon-ftp;
		name="/pub/me/pgpmime-02.tar.gz"; site="cs.hmc.edu"

	Content-Type: application/octet-stream
	Content-Transfer-Encoding: binary
	Content-MD5: <md5 hash data>

	--MixedBoundary--
	--SignedBoundary
	Content-Type: application/pgp-signature

	<signature data>

	--SignedBoundary--

Notice that there are two things going on here.  The message/external-body
contains the MD5 sum of the remote file "ftp://cs.hmc.edu/pgpmime-02.tar.gz"
which is signature of the _raw_ data.  This is the "object-based" security.
On the outer layer (the multipart/signed) is the "transport-based" security,
which is used to securly convey the entire message to it's destination.

me
--
Michael Elkins <elkins@aero.org>    http://www.cs.hmc.edu/~me/index.html
 PGP mail preferred.  Key availible via web or 'finger -l me@cs.hmc.edu'
   Key fingerprint = EB B1 68 32 3F B5 54 F9  6C AF 4E 94 5A EB 90 EC
     "I could be wasting my time more productively than this." --me