Re: MIME-encoded PGP / GPG signatures (again)
on Tue, Sep 25, 2001 at 11:41:18PM -0700, Meyer Wolfsheim (wolf@priori.net) wrote:
On Tue, 25 Sep 2001, Karsten M. Self wrote:
<...>
Actually, plug-in support for a range of mailers is available for most mainstream products and platforms, including both MS Outlook and Eudora (two most frequently cited apps).
Incorrect. There is no PGP/MIME support in Outlook, and the Eudora PGP/MIME handling is less than perfect.
My information is different, though I've not used Outlook in some years. I know several people who do, one of whom also uses PGP, RFC 2015 MIME encoded: http://rmarq.pair.com/pgp/mail-clients-pgp.html http://www.spinnaker.de/mutt/rfc2015.html ...including MS Outlook Express (plugin) and MS Outlook (plugin),
- RSA is almost certainly partially to blame for this. The RSA PKI
"PKI Patent?" Do elaborate on this for us.
Public key infrastructure. I was spooning from the top of my head. It's more generally known as the RSA public key encryption patent, released by RSA September 6, 2000: http://www.rsasecurity.com/news/pr/000906-1.html I don't have the patent number handy but could reference it for you if necessary.
patent only expired in September of 2000. If this patent hadn't existed, widespread use and implementation of crypto support in mail tools would be fait acompli, and discussion of legislation such as the Anti-Terrorism Act of 2001 would be largely moot.
Oh really?
Gee, I thought it perhaps had something to do with the draconian export regulations, the ease-of-use problems with crypto, or the fact that most mail users "don't feel the need" for encryption.
There were doubtless other issues. The patent didn't help. <...>
- Your mailer is broken. - This is your problem, not mine. - File a bug report with your vendor.
This will get you killfiled.
I"m willing to risk that. Responses have varied, most people appreciate the information (they simply don't know the inssues). Maybe one in ten responds as you suggest. I try to provide compelling content, where possible.
So, Why Do You Insist On Signing Your Mail Anyway?
How long have you been using PGP/OpenPGP? You are exhibiting the typical zeal of a new user, who has only become partially acquainted with the issues at hand.
About two years. You've got arguments against signing? Again, pointers appreciated.
It's been suggested variously that I sign messages inline, or in some instances, that mailing lists drop all MIME-encoded attachments. I believe this is the wrong solution for two reasons:
- It breaks useful behavior. MIME attachments *can* provide useful information, including support of non-ASCII charactersets, required for basic communications in much of the world[...]
We're on an English-language mailing list.
So you're going to disable all MIME handling in your mailer?
- It's not the root problem. The root problem is mail clients which handle untrusted content in an insecure fashion. This is like dousing 75% of the population with gasoline, then placing match-confiscating personnel at the doors of all public arenas. The problem isn't the matches. It's the gasoline.
That's an absurd analogy.
That's an astounding proof. To expand on the the analogy: widespread deployment of mail clients with unsafe content handling (and yes, I'm specifically pointing to MS Outlook, though there are other guilty parties), combined with an operating environment with few or no effective security measures, low user awareness of security details, and lax administrative practices, creates a volatile, low-entropy, high-potential, readily triggered, exploitable resource. Rather like gasoline. The problem isn't the attachments (matches), it's the gasoline (buggy mailers). I think it's rather apt, myself.
Palliative measures to reduce the apparent risk without addressing the actual cause mask the problem without fixing it. If sufficient people feel the pain, we'll eventually see changes either to client behavior or choice.
I'm halfway through this babbling diatribe, and I'm still not seeing *any* compelling arguments for using PGP/MIME for mailing list mail (which is, if I may remind you, the issue at hand.)
Compelling or otherwise, I'll draw your attention to the paragraphs immediately following "Why Do You Insist On Signing Your Mail Anyway". Summarizing: - Assurance of identity. - Assurance of integrity. - Evangelizing PKI. - Seeking broader compliance with associated RFCs in mail clients and handlers.
- My general suggestion to list maintainers is that policies be set on what MIME encoding is or isn't allowed. Content filtering based on
Actually, I'm on this particular list partially because of the MIME stripping policy. I'm very happy with it, and I suspect many others are. If you aren't happy with it, feel free to run your own node. Choate can give you the details on that.
I'm not set up to run same, but I'm interested in finding one that doesn't demime. Peace. -- Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/ What part of "Gestalt" don't you understand? Home of the brave http://gestalt-system.sourceforge.net/ Land of the free Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org Geek for Hire http://kmself.home.netcom.com/resume.html [demime 0.97c removed an attachment of type application/pgp-signature]
[My apologies to the list for continuing this thread. I should know better.] On Wed, 26 Sep 2001, Karsten M. Self wrote:
Incorrect. There is no PGP/MIME support in Outlook, and the Eudora PGP/MIME handling is less than perfect.
My information is different, though I've not used Outlook in some years.
Your information is wrong.
I know several people who do, one of whom also uses PGP, RFC 2015 MIME encoded:
http://rmarq.pair.com/pgp/mail-clients-pgp.html http://www.spinnaker.de/mutt/rfc2015.html
Did you bother to read either of those websites before citing them? The first one states that PGP/MIME support in Outlook is "Unknown to the author." The second states that it isn't supported, though the author of the page has "heard a rumor" that it is. Do you routinely start debates based on second hand rumors? I'm unclear on what you are trying to demonstrate by referring us to those pages. They contradict your beliefs.
...including MS Outlook Express (plugin) and MS Outlook (plugin),
It is not possible to do PGP/MIME with these apps. Take a look at M$'s mail plugin API, and you will see why.
"PKI Patent?" Do elaborate on this for us.
Public key infrastructure.
Very good. I'm glad you know what the acronym stands for. That doesn't change the fact that RSA doesn't have any "patent on PKI". [Though yes, I'm sure they have a slew of patents on specific features of their PKI apps. If I don't say that, someone's going to nit.]
I was spooning from the top of my head. It's more generally known as the RSA public key encryption patent, released by RSA September 6, 2000:
My apologies. I sometimes forget that people can't hear me snickering when I am sending email. You weren't expected to answer that question.
I don't have the patent number handy but could reference it for you if necessary.
#4,405,829. http://www.inet-one.com/cypherpunks/dir.2000.09.04-2000.09.10/msg00125.html Seasoned members of the cypherpunks list are intimately familiar with RSA's crypto patents.
There were doubtless other issues. The patent didn't help.
No, the patent was completely irrelevant. For non-commercial apps, there was RSAREF. For commercial apps, BSAFE was available with a license. For those who didn't want to deal with the RSA patent, there were other public key algorithms. The Diffie/Hellman/Merkle patents expired years ago. RSA (the company)'s patents may have caused developers to use algorithms like DSS, ElGamal, and Diffie-Hellman rather than RSA (the algorithm), or limited the adoption of Rivest's later algorithms (which were not nearly as ground-breaking), but saying that a patent on one algorithm prevented (or even significantly impacted) the adoption of cryptographic functions in email clients is patently absurd. BTW, S/MIME (with, *gasp*, RSA) has been available in most commercial mail clients for years.
This will get you killfiled.
I"m willing to risk that. Responses have varied, most people appreciate the information (they simply don't know the inssues). Maybe one in ten responds as you suggest. I try to provide compelling content, where possible.
You've got arguments against signing? Again, pointers appreciated.
That isn't what this discussion is about. We've been talking about arguments against signing in a manner incompatible with the tools the majority of your readers are using, not arguments against signing in general. Though there are plenty of those as well. And again, my pointer: http://www.inet-one.com/cypherpunks/ in conjunction with google.
We're on an English-language mailing list.
So you're going to disable all MIME handling in your mailer?
Once again, you're confusing the issue. MIME *handling* isn't what we are discussing. MIME *creation* is. I am going to, and do, avoid sending MIME attachments to public lists.
- It's not the root problem. The root problem is mail clients which handle untrusted content in an insecure fashion. This is like dousing 75% of the population with gasoline, then placing match-confiscating personnel at the doors of all public arenas. The problem isn't the matches. It's the gasoline.
That's an absurd analogy.
That's an astounding proof.
Proof? No proof. All I see is hyperbole. First of all, there is nothing insecure with the way RFC 2440 specifies message creation. The benefits that PGP/MIME offers mainly take effect when MIME is already being used for other reasons -- i.e., signing of messages with attachments, etc. PGP/MIME offers no benefits when it is a plain text ASCII email being signed. People who march around the net using incompatible, irrelevant, or otherwise inconvenient protocols and subject others to the cruft these protocols generate, all in the name of "standards compliance" and "standards evangelization" are in fact hurting the greater cause. Saying "My email client follows the RFCs to the letter, yours is broken, so it's not my problem that you can't read my mail" *harms* attempts to facilitate wide-spread adoption of crypto technologies. Joe User sees this sort of thing happening, and decides to stay far away from PGP because "it breaks email." You're being obstinate and foolish.
I think it's rather apt, myself.
I'm sure you do.
Compelling or otherwise, I'll draw your attention to the paragraphs immediately following "Why Do You Insist On Signing Your Mail Anyway".
Was this in your rant tarball? I didn't download it.
Summarizing:
You seem to think I am telling you not to sign your messages. This isn't the case; I am telling you not to send MIME attachments to public lists. It has nothing to do with crypto.
I'm not set up to run same, but I'm interested in finding one that doesn't demime.
On Wed, Sep 26, 2001 at 01:42:19AM -0700, Karsten M. Self wrote:
I'm not set up to run same, but I'm interested in finding one that doesn't demime.
http://www.lne.com/cpunk has an up-to-date list of the different CDRs and their policies. Eric
participants (3)
-
Eric Murray
-
Karsten M. Self
-
Meyer Wolfsheim