Re: the 8-bit dilemma

Housley, Russ (housley@spyrus.com)
Wed, 28 Feb 96 20:20:38

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Housley, Russ: "(no subject)"
Previous message: Brad Knowles: "Re: the 8-bit dilemma"
Maybe in reply to: Michael Elkins: "the 8-bit dilemma"

Where is the certificate  associated with the signature carried?  I would 
like the originator to be able to include her certificate in the signed 
multipart.

Russ


______________________________ Reply Separator _________________________________
Subject: Re: the 8-bit dilemma
Author:  elkins@aero.org (Michael Elkins) at internet
Date:    2/27/96 3:28 PM


On Feb 27, Jueneman@gte.com wrote:
> I would argue the contrary position. It seems to me that with thevast 
> popularity of web server, e-mail is going to become a means of notifying 
> someone of a document they may want to be aware of, together with a secure 
> embedded  URL to a remote attachment they can fetch at their leisure.
>
>[...]
> 
> In this scenario, the object-based security model is vitally important. 
> Regardless of where the document or files happen to reside, I still want them 
> encrypted and protected against modification.

I'm not arguing that object based security isn't important.  But I think that 
the disagreements we are seeing is because there are really two different 
services that need to be provided:
 - secure transport of e-mail (or http)
 - a system for conveying (securely) signature for external bodies

These should be two separate issues and have different services.  For example, 
you might have something like the following:

 Content-Type: multipart/signed; protocol="application/pgp-signature";
  micalg=pgp-md5; boundary=SignedBoundary

 --SignedBoundary
 Content-Type: multipart/mixed; boundary=MixedBoundary

 --MixedBoundary

 Here is a pointer to the latest release of the PGP/MIME reference 
 kit.

 --MixedBoundary
 Content-Type: message/external-body; access-type=anon-ftp;
  name="/pub/me/pgpmime-02.tar.gz"; site="cs.hmc.edu"

 Content-Type: application/octet-stream 
 Content-Transfer-Encoding: binary
 Content-MD5: <md5 hash data>

 --MixedBoundary--
 --SignedBoundary
 Content-Type: application/pgp-signature

 <signature data>

 --SignedBoundary--

Notice that there are two things going on here.  The message/external-body 
contains the MD5 sum of the remote file "ftp://cs.hmc.edu/pgpmime-02.tar.gz" 
which is signature of the _raw_ data.  This is the "object-based" security. 
On the outer layer (the multipart/signed) is the "transport-based" security, 
which is used to securly convey the entire message to it's destination.

me
--
Michael Elkins <elkins@aero.org>    http://www.cs.hmc.edu/~me/index.html
 PGP mail preferred.  Key availible via web or 'finger -l me@cs.hmc.edu'
   Key fingerprint = EB B1 68 32 3F B5 54 F9  6C AF 4E 94 5A EB 90 EC
     "I could be wasting my time more productively than this." --me

Next message: Housley, Russ: "(no subject)"
Previous message: Brad Knowles: "Re: the 8-bit dilemma"
Maybe in reply to: Michael Elkins: "the 8-bit dilemma"