Backchannels via OCSP and CRL in S/MIME (Was: efail is imho only a html rendering bug)

Sebastian Schinzel schinzel at
Thu Jun 7 17:36:53 CEST 2018

Am 06.06.2018 um 20:19 schrieb Werner Koch:
> Thanks for responding.  However, my question was related to the claims
> in the paper about using CRL and OCSP as back channels.  This created the
> impression that, for example, the certificates included in an encrypted
> CMS object could be modified in a way that, say, the DP could be change
> in the same was a a HTML img tag or to confuse the MIME parser.

Table 5 shows that CRL and OCSP work as a backchannel in some clients,
see I_1, I_2, I_3 in the PKI column. It is unclear if they can be used
to exfiltrate plaintext in reality because changing them should break
the signature. The caIssuer field (intermediate certificates) seems more
appropriate for plaintext exfiltration. See the discussion in section
6.2. Note that we didn't analyze X.509v3 extensions for further

Again, whether CRL/OCSP/caIssuer can or cannot be used for plaintext
exfiltration doesn't affect the overall security of S/MIME much. The
central flaw remains malleable encryption.


More information about the Gnupg-users mailing list