Fwd: Memory Hole discussion / OpenPGP e-mail header protection
Patrick Brunschwig
patrick at enigmail.net
Tue Jul 7 03:32:37 CEST 2015
For some unknown reason, Stefan cannot post to the mailing list; I'm
forwarding the mail below on his behalf.
-Patrick
-------- Forwarded Message --------
Subject: Memory Hole discussion / OpenPGP e-mail header protection
Date: Mon, 06 Jul 2015 09:52:21 +0200
From: Stefan Selbitschka <selbitschka at rundquadrat.at>
To: GnuPG Development List <gnupg-devel at gnupg.org>
CC: Patrick Brunschwig <patrick at enigmail.net>, Bjarni Runar Einarsson
<bre at pagekite.net>, alexander.strobel at giepa.de
Hi,
I nearly finished my implementation in R2Mail2 and some questions
arose, I'd like to discuss with you, since I think if we all implement
this without a standard we should do the same ;).
Which headers are protected?
I split my implementation in three kinds of headers "headers to secure",
"headers to remove" and "headers to replace". While the first headers
are put into the rfc822-headers part(s) the second group are removed
from message headers and the last group of headers is set to a default
value like "subject" => "encrypted message".
In the signed-only case removing headers makes no sense but in the
encrypted case this could increase security against meta data analysis.
At the moment I have the following headers in the separate arrays:
HEADERS_TO_SECURE = { "from", "to", "cc", "subject", "message-id",
"references", "x-mailer", "in-reply-to", "reply-to" }
HEADERS_TO_REMOVE = { "references", "x-mailer", "in-reply-to", "reply-to" }
HEADERS_TO_REPLACE = { "subject" => "Encrypted Message" }
As far as I could see, Enigmail didn't remove any headers at the moment.
Questions are:
Should we remove headers?
Which headers are protected and removed or replaced by dummy values?
Should one or both be a user choice or do we decide?
What is the terminology and UI representation for the user?
How should we call the settings where we enable/disable the header
protection? "Protect Headers" => Yes/No.
For the UI representation of protected headers I would make a green
background for header fields that are protected and not manipulated, a
red background if they are manipulated and standard transparent if a
header is not protected.
Do we implement this for PGP/MIME and Inline?
My assumption in April was that we implement this only for PGP/MIME but
since some of us like gpg4o can only do inline-pgp, I think we should do
both. Is there an agreed MIME structure for the inline case or do we just
use the same?
regards
- Stefan
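
The header split and the green/red/transparent display described in the message above, as an added example that is not part of the original post and not R2Mail2 or Enigmail code. It uses Python's standard email package; the function names, the sample message, and the choice to accept the agreed dummy value as unmanipulated are assumptions, and the signing/encryption step itself is left out.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Header lists as posted in the message above (lower-case names).
HEADERS_TO_SECURE = ["from", "to", "cc", "subject", "message-id",
                     "references", "x-mailer", "in-reply-to", "reply-to"]
HEADERS_TO_REMOVE = ["references", "x-mailer", "in-reply-to", "reply-to"]
HEADERS_TO_REPLACE = {"subject": "Encrypted Message"}

# Constructed sample message (not from the original post).
RAW = ("From: alice@example.org\nTo: bob@example.org\n"
       "Subject: Q3 budget\nMessage-ID: <1@example.org>\n"
       "In-Reply-To: <0@example.org>\nX-Mailer: ExampleMUA 1.0\n"
       "Date: Mon, 06 Jul 2015 09:52:21 +0200\n\nbody\n")

def split_headers(msg, encrypt):
    """Return (rfc822-headers part, outer header list) for an outgoing message."""
    secured = [f"{k}: {v}" for k, v in msg.items()
               if k.lower() in HEADERS_TO_SECURE]
    part = EmailMessage()
    part.set_content("\n".join(secured) + "\n", subtype="rfc822-headers")
    outer = []
    for k, v in msg.items():
        name = k.lower()
        if encrypt and name in HEADERS_TO_REMOVE:
            continue                      # stripped from the visible headers
        if encrypt and name in HEADERS_TO_REPLACE:
            v = HEADERS_TO_REPLACE[name]  # dummy value on the outside
        outer.append((k, str(v)))
    return part, outer

def classify(outer, part):
    """Map each outer header to green / red / none (the UI colours proposed above)."""
    inner = message_from_string(part.get_content(), policy=default)
    result = {}
    for k, v in outer:
        name = k.lower()
        if inner[name] is None:
            result[name] = "none"         # not covered by the protected part
        elif v == str(inner[name]) or HEADERS_TO_REPLACE.get(name) == v:
            result[name] = "green"        # matches, or is the agreed dummy (assumption)
        else:
            result[name] = "red"          # outer copy differs from protected copy
    return result
```

In the signed-only case (`encrypt=False`) nothing is removed or replaced, so any difference between an outer header and its protected copy shows up as "red".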