Fwd: Memory Hole discussion / OpenPGP e-mail header protection

Patrick Brunschwig patrick at enigmail.net
Tue Jul 7 03:32:37 CEST 2015

For some unknown reason, Stefan cannot post to the mailing list; I'm
forwarding the mail below on his behalf.


-------- Forwarded Message --------
Subject: Memory Hole discussion / OpenPGP e-mail header protection
Date: Mon, 06 Jul 2015 09:52:21 +0200
From: Stefan Selbitschka <selbitschka at rundquadrat.at>
To: GnuPG Development List <gnupg-devel at gnupg.org>
CC: Patrick Brunschwig <patrick at enigmail.net>, Bjarni Runar Einarsson
<bre at pagekite.net>, alexander.strobel at giepa.de


I nearly finished my implementation in R2Mail2 and some questions
arose that I'd like to discuss with you, since I think if we all implement
this without a standard we should do the same ;).

Which headers are protected?

I split my implementation into three kinds of headers: "headers to secure",
"headers to remove" and "headers to replace". While the first headers
are put into the rfc822-headers part(s), the second group is removed
from the message headers and the last group of headers is set to a default
value like "subject" => "encrypted message".

In the signed-only case removing headers makes no sense, but in the
encrypted case this could increase security against metadata analysis.

At the moment I have the following headers in the separate arrays:
HEADERS_TO_SECURE = { "from", "to", "cc", "subject", "message-id",
"references", "x-mailer", "in-reply-to", "reply-to" }
HEADERS_TO_REMOVE = { "references", "x-mailer", "in-reply-to", "reply-to" }
HEADERS_TO_REPLACE = { "subject" => "Encrypted Message" }

As far as I can see, Enigmail doesn't remove any headers at the moment.

Questions are:
Should we remove headers?
Which headers are protected and removed or replaced by dummy values?
Should one or both be a user choice or do we decide?

What is the terminology and UI representation for the user?

What should we call the setting where we enable/disable the header
protection? "Protect Headers" => Yes/No.

For the UI representation of protected headers I would make a green
background for header fields that are protected and not manipulated, a
red background if they are manipulated and standard transparent if a
header is not protected.

Do we implement this for PGP/MIME and Inline?

My assumption in April was that we implement this only for PGP/MIME, but
since some of us, like gpg4o, can only do inline-pgp, I think we should do
both. Is there an agreed MIME structure for the inline case or do we just
use the same?

- Stefan
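
The three header groups from the mail above, applied to a constructed sample message. This is an added example, not part of the original mail and not R2Mail2 code. The function name `protect_headers`, the multipart/mixed layout with the text/rfc822-headers part first, and the sample message are assumptions; the OpenPGP sign/encrypt step is left out.

```python
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The three groups exactly as listed in the mail above.
HEADERS_TO_SECURE = {"from", "to", "cc", "subject", "message-id",
                     "references", "x-mailer", "in-reply-to", "reply-to"}
HEADERS_TO_REMOVE = {"references", "x-mailer", "in-reply-to", "reply-to"}
HEADERS_TO_REPLACE = {"subject": "Encrypted Message"}

# Constructed sample message (addresses and IDs are made up).
SAMPLE = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: Quarterly figures\n"
    "Message-ID: <2@example.org>\n"
    "In-Reply-To: <1@example.org>\n"
    "X-Mailer: ExampleMail 1.0\n"
    "\n"
    "body text\n"
)

def protect_headers(raw, encrypted=True):
    """Return (inner, outer): inner is the MIME tree that would be signed or
    encrypted, outer is the list of headers left visible on the wire."""
    msg = message_from_string(raw)
    # Secure: copy the original values into a text/rfc822-headers part.
    secured = "".join(f"{k}: {v}\n" for k, v in msg.items()
                      if k.lower() in HEADERS_TO_SECURE)
    inner = MIMEMultipart("mixed", _subparts=[
        MIMEText(secured, "rfc822-headers"),
        MIMEText(msg.get_payload()),
    ])
    outer = []
    for k, v in msg.items():
        name = k.lower()
        # Remove/replace only when encrypting; for signed-only mail the
        # outer headers stay as they are.
        if encrypted and name in HEADERS_TO_REMOVE:
            continue
        if encrypted and name in HEADERS_TO_REPLACE:
            v = HEADERS_TO_REPLACE[name]
        outer.append((k, v))
    return inner, outer

if __name__ == "__main__":
    inner, outer = protect_headers(SAMPLE)
    print(outer)
    print(inner.get_payload(0).get_payload())
```

A receiving client would compare the values in the rfc822-headers part with the outer headers to decide which fields to show as protected and which as manipulated.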
