
List:       kmail-devel
Subject:    AW: S/MIME and PGP
From:       Jorg Beermann <beermann () secude ! com>
Date:       2001-09-05 7:59:56

Hi,
With a little delay... ;) Sorry for that, but there was a lot of work
in the last weeks.

By the way, a small hint: OpenSSL (the core for the PKIX crypto stuff) is
not yet able to handle S/MIME v3, because the CMS for v3 is a bit more complex
than for v2, and parsing errors may occur while parsing the ASN.1 structure
for the S/MIME v3 CMS. So I think it might be better to agree on v2 if we
talk about S/MIME.
(Nevertheless this is no problem at all, because most people who use S/MIME
use v2. So there will be nearly no interoperability problem.)

In S/MIME there are two different ways to sign a message:
1) multipart/signed
2) application/pkcs7-mime

1) is the same as in PGP: cleartext message in the
first body part and signature in the second body part.

2) looks more like encrypted: the whole message is embedded in the
application/pkcs7-mime body part, and this one is a PKCS#7 type.
So without a mail client that is able to handle S/MIME you can't
read the mail.

The recommended type to use (by the RFC) is 1), but for
interoperability reasons it might be useful to support 2) as well.
So we may need another KMime::Content type apart from
KMime::Content::{Encrypted,Signed} to handle the signed S/MIME 2).
If it should be supported ;)

But up to this I agree with your a) b).
Unless with PGP/MIME it is also possible to wrap
a signed message in an encrypted one (or vice versa), or to wrap
a signed message in another signed message
(this is what happens when you generate a countersignature),
and so on...
I have to admit that I am too lazy to find and read the relevant
spots in the PGP RFCs :) It's easier to ask someone who already knows this...


Jorg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Thanks for your detailed run-down.

On Wednesday 22 August 2001 10:03, Jorg Beermann wrote:
> Hi,
> to get it a little more clear:
> S/MIME v3 has widely the same structure as S/MIME v2 (both of these
> are based on
> MIME, RFC 1521, RFC 1522);
> the main difference is that for v2 the CMS (Cryptographic Message
> Syntax) is the well-known PKCS#7 (RFC 2315) ;) and for v3 the CMS is
> not called PKCS#...
> but just CMS (RFC 2630).
> And there are some more features than in the v2 CMS.
>

This is stuff that George and the others have to bother with, not the 
KMime guys :-)

> The main difference from PGP-secured MIME (RFC 2015, RFC 3156)
> is that S/MIME uses the CMS mentioned above. And this is a big
> difference ;) because S/MIME makes use of the X.509 Public Key
> Infrastructure (RFC 2459), PKIX, which by the way is used by SSL/TLS as
> well,
> and this hierarchical structure is really different from PGP and the
> web of trust.

Note that neither 2015 nor its designated successor say anything about 
PGP's message format. That's the job of 1991 and 2440{,bis}. There 
seems to be much confusion about these two totally different issues in 
this discussion. What 2015 tells us is how to handle and encapsulate 
the PGP message and keyblock formats into the MIME structure of a 
message. It uses 1847 (security multiparts for MIME) as the framework, 
which states in the introduction:

   This document defines a framework whereby security protection
   provided by other protocols may be used with MIME in a complementary
   fashion.  By itself, it does not specify security protection.  A MIME
   agent must include support for both the framework defined here and a
   mechanism to interact with a security protocol defined in a separate
   document.  The resulting combined service provides security for
   single-part and multi-part textual and non-textual messages.

a. The framework is hosted by KMime, and consists of body part classes 
for multipart/encrypted and multipart/signed. There will be a generic 
interface to "other protocols", which will be used by KGpgMe and KSSL.

b. The "mechanism to interact" is defined in RFC2015 for PGPv2, RFC3156 
for OpenPGP, RFC2311 for S/MIMEv2 and RFC2633 for S/MIMEv3.


c. The "other protocols" are defined in RFC1991 for PGPv2, RFC2440 for 
OpenPGP, RFC231x for S/MIMEv2 and RFC263x for S/MIMEv3.

Am I correct here?

I and the other KMime guys are interested in (a) and (b), while the 
KGpgMe and KSSL guys are (or should be) interested in (b) and (c), each 
for their set of RFC's.

So we need to define an interface between 
KMime::Content::{Encrypted,Signed} on one side and KGpgMe and KSSL on 
the other. Let's keep an eye on that, but I'm currently working on the 
header classes for KMime and the body parts are not yet done. Let's get 
back to this issue then.

It's fine for me to know that both standards use rfc1847 as a basis.

Now, if someone could tell me what the "Geek code block" at the end of 
some messages is ... :-)

<snip>
> I'm not a PGP or a PGP-secured-MIME expert, so please let me know if
> I'm wrong,
> but furthermore in S/MIME you can sign and/or encrypt every kind of
> MIME content type,
> just one body part or the whole message with 5 body parts,

That's exactly what RFC1847 provides for. So it's possible with OpenPGP 
as well.

> you can produce countersignatures or groupsignatures you can produce
> a Request for a certificate and so on...

I don't know what countersignatures and groupsignatures are, but you 
can of course request a PGP certificate (=="public key") from the PGP 
keyserver net (e.g. wwwkeys.us.pgp.net).

> And I think this is not possible with PGP, or is it?
<snip>

Marc

- -- 
That a system for intercepting communications exists, operating by
means of cooperation proportionate to their capabilities among the
USA, the UK, Canada, Australia and New Zealand, is no longer in
doubt. [...] What is important is that its purpose is to intercept
private and commercial communications, and not military
communications.
- -- EuroParl. Temp. Committee on the ECHELON Interception System
   http://www.europarl.eu.int/tempcom/echelon/pdf/prechelon_en.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7g/JQ3oWD+L2/6DgRArYCAKDSYkCsleu4xLI8FRV/FzpKx+RS7QCggEiu
63mRl8a5y7aoaGt4RZPp9Y8=
=vOFT
-----END PGP SIGNATURE-----
_______________________________________________
Kmail Developers mailing list
Kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
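As an added example (not code from the KMail project, KMime, or either of the
two authors above), the following stdlib-only Python script builds the message
shapes discussed in this thread: Jorg's S/MIME form 1) (multipart/signed) and
form 2) (application/pkcs7-mime with smime-type=signed-data), plus the PGP/MIME
flavour of form 1), and sorts them into Marc's (a)/(c) split, i.e. the RFC 1847
framework type versus the security protocol that fills it. It also extracts the
exact octets a detached signature covers in multipart/signed: the first body
part including its MIME headers, canonicalised to CRLF, which is the step a
verifier most often gets wrong. The addresses, subjects and the signature
payloads are constructed placeholders; no real PKCS#7 or OpenPGP signature is
produced or checked.

```python
"""Added example: RFC 1847 / S/MIME / PGP-MIME message shapes and the octets a
detached signature covers.  Stdlib only; signature blobs are placeholders."""
import hashlib
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed placeholders standing in for a DER PKCS#7 SignedData blob and for
# a binary OpenPGP signature packet.  They are NOT real signatures.
FAKE_PKCS7_SIG = b"\x30\x82\x00\x00placeholder-pkcs7-signature"
FAKE_PGP_SIG = b"\x89\x00placeholder-openpgp-signature"


def build_multipart_signed(body, protocol, micalg, sig_bytes, sig_name):
    """Form 1): RFC 1847 multipart/signed, cleartext in part 1, detached
    signature in part 2.  Works for S/MIME (application/pkcs7-signature,
    micalg=sha1) and PGP/MIME (application/pgp-signature, micalg=pgp-sha1)."""
    msg = MIMEMultipart("signed", protocol=protocol, micalg=micalg)
    msg["From"] = "alice@example.org"      # assumed addresses
    msg["To"] = "bob@example.org"
    msg["Subject"] = "clear-signed test"
    msg.attach(MIMEText(body, "plain"))
    sig_subtype = protocol.split("/", 1)[1]  # e.g. "pkcs7-signature"
    msg.attach(MIMEApplication(sig_bytes, sig_subtype, name=sig_name))
    return msg.as_bytes(policy=policy.SMTP)  # CRLF line endings, as on the wire


def build_opaque_signed(der_bytes):
    """Form 2): the whole message is wrapped inside a PKCS#7 SignedData and sent
    as application/pkcs7-mime; a client without S/MIME support sees only base64."""
    msg = MIMEApplication(der_bytes, "pkcs7-mime",
                          smime_type="signed-data", name="smime.p7m")
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "opaque-signed test"
    return msg.as_bytes(policy=policy.SMTP)


def classify(raw):
    """Return (framework type, protocol) for a raw message.  The first element
    is what KMime would model (multipart/signed, multipart/encrypted, or the
    opaque pkcs7-mime case); the second names the back end that must handle it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype in ("multipart/signed", "multipart/encrypted"):
        return (ctype, msg.get_param("protocol"))
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Opaque S/MIME: smime-type says whether it is signed-data or enveloped-data.
        return ("application/pkcs7-mime", msg.get_param("smime-type"))
    return ("plain", None)


def signed_bytes(raw):
    """Octets covered by the detached signature in multipart/signed: the first
    body part with its MIME headers, in canonical CRLF form.  The CRLF that
    precedes a boundary delimiter belongs to the delimiter (RFC 2046 5.1.1),
    so it is not part of the signed data."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    canon = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    delim = b"\r\n--" + msg.get_boundary().encode("ascii")
    first = canon.index(delim)
    start = canon.index(b"\r\n", first + len(delim)) + 2  # end of delimiter line
    end = canon.index(delim, start)
    return canon[start:end]


def micalg_digest(raw):
    """Hash the covered octets with the algorithm named by micalg.  RFC 3156
    spells it pgp-sha1, RFC 2311 just sha1; a signature verifier feeds this
    same byte string to the CMS or OpenPGP library."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    algo = msg.get_param("micalg", "sha1").lower()
    name = algo[4:] if algo.startswith("pgp-") else algo
    return hashlib.new(name, signed_bytes(raw)).hexdigest()


if __name__ == "__main__":
    body = "Hello Bob,\nthis text is covered by the signature.\n"
    clear = build_multipart_signed(body, "application/pkcs7-signature",
                                   "sha1", FAKE_PKCS7_SIG, "smime.p7s")
    opaque = build_opaque_signed(FAKE_PKCS7_SIG)
    pgp = build_multipart_signed(body, "application/pgp-signature",
                                 "pgp-sha1", FAKE_PGP_SIG, "signature.asc")
    for raw in (clear, opaque, pgp):
        print(classify(raw))
    # A relay that rewrites CRLF to LF must not change what is being verified.
    print(micalg_digest(clear) == micalg_digest(clear.replace(b"\r\n", b"\n")))
```

The canonicalisation step is the practical point behind Marc's (a)/(b) split: the MIME layer must hand the signature back end the first body part byte-for-byte as transmitted (headers included, CRLF line endings, transfer encoding untouched); if the client re-wraps or re-encodes that part before hashing, a valid signature fails to verify. The opaque form needs no such care, which is one reason it survives mangling mail gateways better, at the cost of being unreadable without an S/MIME-capable client.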
