
Re: MIME media type literal packet in OpenPGP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I have two complaints about this proposal:
> 
> 1. There is an already widely used way of encapsulating MIME content
> into PGP messages, PGP/MIME (a.k.a. RFC 3156), and this proposal is not
> compatible with it.
> 
> 2. In this proposal, mime type would not be part of the hashed content
> for digital signatures, meaning that it can be changed without breaking
> the digital signature. This is dangerous. PGP/MIME does not have this
> weakness.

Comments on your comments, Daniel.

I think the word MIME is a misnomer, because it has nothing to do with content. It has to do with data typing only. It's a way to say that a PGP blob in (e.g. a web page) is of a certain type. Without it, you have to infer type from the file name, which is suboptimal. All that it does is let you say that a PGP output has a certain media type explicitly.

If you're doing a MIME mail message, then yes, that's a much better way to express things. But if you're doing secured web content, especially dynamic content (think Web 2.0 etc.), then it's much better to put the exact media type in the blob, so it can be handled properly when the higher levels get it.

You're absolutely right that it's unsigned. That's unfortunate. It is also what we have to work with. It is, at least, covered by an MDC packet, which is better than nothing and likely good enough. On the other side of it, you don't have to get into trust issues, either, which is a plus. 

This grew out of some fantastic work that Vinnie did for secure Web 2.0 content using OpenPGP as the encryption framework. It let you do things like Facebook messages and lists that Facebook couldn't read itself.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii

wj8DBQFNflrWsTedWZOD3gYRAlm8AJwPYnQz46Uzg2k/q2Niy1npO0szeACg2yuu
g2+6IsNLh29RgU5kKXcska0=
=QJnd
-----END PGP SIGNATURE-----
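
The coverage difference discussed in this message, as an added example that is not part of the original post or of the proposal: it compares the RFC 4880 V4 signature hash input with the MDC hash input when only the type label in the literal packet header changes. Carrying the label in the filename field, and the sample values, are assumptions made for illustration; the proposal's actual encoding is not shown in this thread.

```python
import hashlib
import struct

def literal_packet(fmt: bytes, name: bytes, date: int, body: bytes) -> bytes:
    """Literal data packet (RFC 4880 5.9), new-format header, tag 11."""
    payload = fmt + bytes([len(name)]) + name + struct.pack(">I", date) + body
    if len(payload) >= 192:
        raise ValueError("demo only handles one-octet packet lengths")
    return bytes([0xC0 | 11, len(payload)]) + payload

def signature_digest(body: bytes, hashed_fields: bytes) -> bytes:
    """V4 binary signature hash (RFC 4880 5.2.4): data body, hashed
    signature fields, trailer. No literal packet header is included."""
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_fields))
    return hashlib.sha1(body + hashed_fields + trailer).digest()

def mdc_digest(prefix: bytes, plaintext_packets: bytes) -> bytes:
    """MDC hash (RFC 4880 5.13, 5.14): SHA-1 over the prefix, every plaintext
    packet, and the MDC packet's own two header octets."""
    return hashlib.sha1(prefix + plaintext_packets + b"\xd3\x14").digest()

# Constructed values: v4, binary sig, DSA, SHA-1, empty hashed subpackets.
SIG_FIELDS = b"\x04\x00\x11\x02\x00\x00"
# Constructed 18-octet prefix for a 16-octet block cipher (last two repeated).
PREFIX = bytes(range(16)) + bytes([14, 15])

def coverage(body: bytes, type_a: bytes, type_b: bytes) -> dict:
    """Report which digests change when only the type label changes."""
    digests = []
    for label in (type_a, type_b):
        # Assumption: label carried in the filename field. For brevity the
        # signature packets that would also sit inside the encrypted
        # container are left out of the MDC input.
        pkt = literal_packet(b"b", label, 0, body)
        digests.append((signature_digest(body, SIG_FIELDS), mdc_digest(PREFIX, pkt)))
    (sig_a, mdc_a), (sig_b, mdc_b) = digests
    return {"signature_changed": sig_a != sig_b, "mdc_changed": mdc_a != mdc_b}

if __name__ == "__main__":
    print(coverage(b'{"msg":"hi"}', b"application/json", b"text/html"))
```

The MDC is an unkeyed SHA-1 computed inside the encrypted container, so it detects modification of the ciphertext in transit but does not bind the label to the signer's key.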