[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mail client implementations problem? bcc and encrypting tomultiple recipients



From: "William H. Geiger III" <whgiii@openpgp.net>
Subject: Re: mail client implementations problem?  bcc and encrypting to multiple recipients
Date: Tue, 22 Aug 2000 13:20:19 -0500
Message-ID: <200008221827.OAA03394@domains.invweb.net>

> In <Pine.LNX.4.21.QNWS_2.0008220041440.2335-100000@thetis.deor.org>, on 08/22/00 
>    at 01:43 AM, "L. Sassaman" <rabbi@quickie.net> said:
> 
> >Why don't we make the "wild card" or "speculative" key id support a
> >SHOULD? I at least want to see all the client's being able to properly
> >decrypt messages that use this feature.
> 
> I don't have a problem with the speculative keyID support 

same here, though i think when this issue was brought up once before
there were some valid concerns brought up.  

imo, one context in which i think speculative key ids support "SHOULD"
exist, is one which is user-driven -- if a user receives a message
that contains public key encrypted session key packets that contain
speculative key ids, the user should be able to have an openpgp
implementation attempt to decrypt the pk esk packets w/ the user's
secret key(s).  the user shouldn't have to perform surgery on the pk
esk's (inserting key ids) and attempting to decrypt repeatedly.

in other contexts (e.g. processing by a script on a mail gateway), i
was given to understand that there were valid reasons (e.g. computing
resource limitations) not to want to support the feature.

the discussion i am referring to took place in january of this year.
it starts at:

  http://www.imc.org/ietf-openpgp/mail-archive/msg02691.html

> but it does not address the underlying problem: Implementors not
> understanding basic concepts of e-mail encryption.

i agree w/ this as well.  

i would like to have a document i could point mail client developers
at that had some kind of "official" status -- like an ID, RFC, or
standard.  i don't think RFC 2440 (or bis) is the place for it (it's
too big already).

> I came across the issue of KeyID leakage back in '96 and documented
> it at:
>
> http://www.openpgp.net/pgpemail_5.html

nice!  perhaps this can be converted into an ID or portions of it
adapted to become an ID?